How to Revitalize IT Security Training

Orlando Scott-Cowley

August 3, 2015

With the proliferation of hacking attacks and data breaches, the importance of IT security training for all employees is self-evident. Current training and prevention methods are often lacking, however, with many organizations still employing a “set it and forget it” strategy that assumes employees will only need to be trained once. Or worse, IT security training is frequently coupled with other safety training, thereby diminishing its value. In addition, training programs are often designed to work best for IT personnel, rather than tailored to meet all employees’ needs.

Organizations that do this are setting themselves up for failure. The key to getting past common training slumps is to not only find unique ways to train employees to help prevent breaches, but to also help them understand the impact a breach can have on other areas of the business, including their own jobs.

Organizations must think creatively and adopt the mindsets of both employees and hackers to produce a behavioral change in their users. This includes tactics such as customizing training for specific job titles and departments, suggesting a job swap for a day so one department can learn another’s issues, or using creative channels, such as cards, texts or private social media groups, to remind employees not to click on suspicious links.

IT security can even be made into an organization-wide campaign. Facebook, for example, decided to put an end to dull employee cybersecurity training with the launch of Hacktober in 2012. October is National Cybersecurity Awareness Month, so throughout the month, Facebook’s cybersecurity team creates a series of simulated security incidents that target specific internal departments based upon the types of threats they are most likely to see. Employees who spot a Hacktober attack win a prize, making training both educational and exciting.

While games and competitions help positively disrupt the security training status quo, there may still be some departments and job titles that these tactics do not reach. For example, a seasoned C-level executive may think he or she has the wherewithal to avoid attacks, but in reality the C-suite is a common target because of its access to highly sensitive information. Therefore, these executives need the most thorough training of all. This is another area in which role playing comes in handy. An immersive war game in which an executive is hacked can make clear just how easy it is for an attacker to target the C-suite. Plus, with the company’s own case study as an example, the IT team then has the necessary ammunition to show executives why it is important to dedicate resources to training the entire organization.

Mitigating IT risk company-wide is only possible by approaching it from a human-interest angle. Companies can make a significant impact on prevention, not by spending a large budget on training, but by helping employees understand the ripple effect just one malicious email or link can have on the entire organization.

Orlando Scott-Cowley is a cyber-security specialist at enterprise cloud services company Mimecast.