September 26, 2019

How to Design Cybersecurity Training for Employees: 4 Best Practices

An incredible 35% of data breaches are caused by human error, according to the Office of the Australian Information Commissioner. In some industries, such as health care, over half of breaches are caused by insider error. Non-technical employees are the frontline defense against many categories of security threat, including phishing, social engineering, inadvertent data exposure and physical tampering or theft. Creating an effective cybersecurity training program is required for regulatory compliance. It could also yield a high return by reducing the probability and impact of compromise.

Cybersecurity awareness matters

Humans are less predictable than the technology your organization uses to prevent cybercrime, like firewalls. Exceeding regulatory requirements for annual training could significantly improve employee retention of information and secure behavior. Blended learning strategies, including simulated exercises, can further empower your employees to protect against attack—preventing untold costs in security incidents. The most effective cybersecurity L&D initiatives go beyond annual compliance training requirements. Effective L&D facilitates year-round employee engagement with best practices.

1. Present clear guidelines

Your cybersecurity training will achieve the best results if you communicate "personal handling" to the learner. Researchers at Oxford and the University of London define this as conveying the impact of personal behavior. "We suggest that a campaign should use simple consistent rules of behaviour that people can follow," they wrote. Provide clear documentation of security protocols for users, and ensure these guidelines are customized by staff role.

2. Blend learning techniques

Simulation and engagement can build employee confidence in real-world security encounters. The Oxford study found expert-led training doesn't always result in changed behavior, especially if people walk away feeling scared of hackers. Blend learning techniques in your learning management system to include interactive components, videos and real-life examples.

3. Communicate continuously

Microlearning, paired with reminders, can keep staff engaged with training. A study published in ResearchGate suggests that repetition is more effective than long learning sessions. Chances are, your firm is required to perform annual cybersecurity training, so assign microlessons and short quizzes throughout the year. This way, when it's time to become recertified, it's a breeze.

4. Use nonexperts

According to the Oxford and University of London study, fielding a relatable messenger could be the most important way to change behavior. This approach can help employees build confidence about secure behaviors and avoid errors in real-world situations. Human behavior is more complex than just technical know-how. Including instructors with soft skills is crucial, according to a recent study of over 1,700 security pros from the SANS Institute. Enlist nontechnical staff members to create engaging learning modules, such as real-life examples your workforce can relate to.

Beyond compliance training

While awareness training is required for compliance, annual awareness training may not be enough. Your organization should consider how to use your LMS, blended learning and microlearning to engage your workforce in security awareness year-round. Research shows the key to behavioral change is to empower your employees instead of frightening them. Interactive learning modules, engaging messengers and clear protocols can show your employees how to act in any given situation.