Your Highest Leverage Investment – Your People
Does simply buying a Ferrari make you a high-performance driver? The same applies to the security products and services for your business. If your staff is not trained properly, no combination of hardware and software can ultimately protect you from a determined attacker. You still need products and services like firewalls, anti-virus/anti-malware and email filtering. You also need to empower your staff with security awareness training. Three crucial features you’ll want in your security awareness training program are for it to be continuous, randomized and provide instant feedback.
For many regulated industries, like banking and financial services, the minimum standard for compliance is likely annual training. Do you really want to tell your customers, clients and employees that you’re meeting the minimum standard for compliance? How much do you remember from training you took last year? The only thing annual training effectively accomplishes is meeting compliance requirements. To truly make an impact, you need continuous training. Ideally, it will take place monthly, providing both learning modules as well as simulated phishing emails.
Attackers are not going to give you a heads up in advance. Neither should training simulations. Randomized phishing simulations need to be sent on different days and at different times to all staff. Simulations lose their effectiveness when staff can start comparing notes and figuring out they're all receiving the same training emails. And all staff means the boss as well. The higher up the organizational ladder you are, the more valuable a target you are.
The greatest teaching moment is at the time a mistake is made. Each training module should end with a quiz of the material covered. Each mistaken interaction with a phishing simulation should immediately result in a forced learning module, highlighting the suspicious aspects of the phishing attempt. There is an inverse relationship between the delay from the mistake to the teaching review and the value of the lesson: more time means less of a lesson. Most importantly, mistakes must be positioned as learning opportunities. If they become punitive, you will have lost the effectiveness of the training program.
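To make the two preceding points concrete, here is an added example, not code from this article or from TELWORX, of how a simulation scheduler can enforce them: every recipient, including the executive on the roster, gets a distinct random send time on a business day within the campaign window, and a click assigns the remediation module at the moment of the click, so the feedback delay is zero. The staff roster, the module titles and the `missed_cue` labels are constructed for the example.

```python
import random
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Dict, List, Optional

# Constructed roster for the example (hypothetical addresses); the boss is on it on purpose.
STAFF: List[str] = ["ana@example.com", "ben@example.com", "ceo@example.com", "dee@example.com"]

BUSINESS_START_HOUR = 8   # sends happen inside normal working hours
BUSINESS_END_HOUR = 18

# Hypothetical remediation modules keyed by the cue the recipient missed.
REMEDIATION_MODULES = {
    "lookalike_domain": "Spotting look-alike sender domains",
    "urgent_payment": "Urgency and payment-request red flags",
}


def randomized_schedule(recipients: List[str], campaign_start: date, campaign_days: int,
                        seed: Optional[int] = None) -> Dict[str, datetime]:
    """Give each recipient its own random business-day send time in the campaign window.

    Times are drawn independently per person and re-drawn on collision, so no two
    staff members receive the simulation at the same moment and cannot compare notes.
    """
    rng = random.Random(seed)
    schedule: Dict[str, datetime] = {}
    used = set()
    for addr in recipients:
        while True:
            send_day = campaign_start + timedelta(days=rng.randrange(campaign_days))
            while send_day.weekday() >= 5:          # push weekend picks to the next Monday
                send_day += timedelta(days=1)
            minute_of_day = rng.randrange(BUSINESS_START_HOUR * 60, BUSINESS_END_HOUR * 60)
            send_at = datetime.combine(send_day, time(minute_of_day // 60, minute_of_day % 60))
            if send_at not in used:
                break
        used.add(send_at)
        schedule[addr] = send_at
    return schedule


def is_well_spread(schedule: Dict[str, datetime]) -> bool:
    """True when no two recipients share a send time."""
    times = list(schedule.values())
    return len(set(times)) == len(times)


@dataclass
class Interaction:
    """One recipient's encounter with one simulated email; no punitive fields by design."""
    recipient: str
    sent_at: datetime
    clicked_at: Optional[datetime] = None
    module: Optional[str] = None
    module_assigned_at: Optional[datetime] = None

    @property
    def feedback_delay(self) -> Optional[timedelta]:
        """Time between the mistake and the teaching review; the goal is zero."""
        if self.clicked_at is None or self.module_assigned_at is None:
            return None
        return self.module_assigned_at - self.clicked_at


def record_click(interaction: Interaction, clicked_at: datetime, missed_cue: str) -> Interaction:
    """Instant feedback: the learning module is assigned at the moment of the click."""
    interaction.clicked_at = clicked_at
    interaction.module = REMEDIATION_MODULES[missed_cue]
    interaction.module_assigned_at = clicked_at
    return interaction


if __name__ == "__main__":
    plan = randomized_schedule(STAFF, date(2025, 7, 1), campaign_days=20, seed=42)
    for addr, when in sorted(plan.items(), key=lambda kv: kv[1]):
        print(f"{when:%a %Y-%m-%d %H:%M}  {addr}")
    hit = record_click(Interaction("ana@example.com", plan["ana@example.com"]),
                       plan["ana@example.com"].replace(second=45), "lookalike_domain")
    print("module:", hit.module, "| feedback delay:", hit.feedback_delay)
```

Running it prints one distinct send time per person across the window; a real program would feed that schedule to the mail-sending job and call `record_click` from the landing page of the simulation.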
The best locks in the world won’t keep people out of your house if you don’t know how to close the doors and windows...and engage the locks. As you would want that to become an unconscious habit for your family, the ultimate goal of security awareness training is to develop an unconscious competence in your staff. The training should get them to the point where they instinctively recognize a malicious email and take the appropriate actions to mitigate the threat. A training program that is continuous, randomized and provides instant feedback will help your staff reach that level of expertise and protect your business.
TELWORX
John Bogdanov, Agent
July 01, 2025
(626) 594-9822