Are Employees Trained Enough To Tackle Cyberattacks?

Are Employees Trained Enough To Tackle Cyberattacks?
everything possible/Shutterstock
Summary: An average of 25,000 cybersecurity attacks occur per day. Surprisingly, 85–90% of cyber breaches have a human factor as the root cause. Considering the increased frequency of cyber threats, companies are rapidly procuring cybersecurity training services across the globe.

A Sudden Surge In Security Training Procurement

The COVID-19 pandemic brought major changes in the business process. The digital transformation during the pandemic was impeccable, but it also made us more vulnerable to cybersecurity threats as we now have remote and hybrid work culture. Almost 90% of companies faced cyberattacks during the pandemic.

The estimated global cybercrime cost for the year 2021 was $7.9 trillion, and it is expected to reach $11.4 trillion by 2026. This includes cybercrime such as data theft or embezzlement, data hacking, and data destruction. After Joe Biden’s cybersecurity summit in the US (July 2021), technology giants Google, IBM, Amazon, Apple, and Microsoft offered up millions in funding on varieties of cybersecurity initiatives in which training (training workforce, dealers, and future talents) is one of the crucial aspects.

Globally, there has been a surge in cybersecurity training procurement in the last two years. More than 80 notable high-value cybersecurity training engagements/partnerships (defense, IT, and BFSI) took place in the year 2021. In the cloud computing and security awareness training space, supply dynamics have changed drastically with continuous mergers, acquisitions, and partnerships with cybersecurity solution providers, localization, and learning technology providers at a global and regional level.

6 Steps For Effective Cybersecurity Awareness Training

1. Assessing The Employee's Online Behavior

It is critical to understand how an employee senses, recognizes, responds to, and reports nefarious activity. Even an errant click can give scope for data theft or any major cybercrime.

2. Adopt The Right Training Approach

Just self-paced video content or live Instructor-Led Training may not be the right choice for training here, considering the employee engagement quotient. Game-based learning and simulation-based learning are effective training modalities for the general workforce. In contrast, nano-learning and microlearning formats play a critical role in periodic knowledge reinforcement.

3. Embrace Hands-On Education

Talent shortage in cybersecurity is a piece of news generating a buzz, and most companies use training to mitigate the cybersecurity skills shortage. A training road map for IT professionals, microcertification with digital badges, encouraging internal workshops, tuition fee coverage for major certification programs, and AI powered serious gamified training formats can help organizations in upskilling and reskilling IT professionals for cybersecurity roles.

4. Strategize Training Budget

Large organizations add training to the cybersecurity budget. An ideal split of the budget is for 35% to be allocated to cybersecurity literacy for the general workforce (which includes fundamentals of cybersecurity) while 65% of the budget must be reserved for upskilling technical professionals with advanced cybersecurity modules and certifications as they are involved in risk identification, risk management, damage control, and digital security incidents during cyberattack incidents.

5. Outsourcing

Unlike other business training, cybersecurity training cannot be handled in-house, as the depth and breadth of cyberattacks are becoming exponential. As the style of cyber threats is changing day by day, with ransomware, cryptojacking, phishing, adware, drive-by downloads, spyware etc., large organizations outsource cybersecurity training services from specialized suppliers with robust courseware. Engaging with global service providers is essential to have a broad view of the nature of cybersecurity threats across different regions/countries.

  • Key points to check:
    • Suppliers’ in-house Subject Matter Expert (SME) expertise
    • Content library (basic, intermediate, and advanced versions of courses)
    • Advanced delivery modalities (edutainment content to ensure high engagement quotient)
    • Robust learning technology platform (to enrich learners’ experience)
    • Capability to create short burst content in multiple languages (microcontent or nano-content)
    • The frequency of course content updates should be taken into consideration to stay abreast of development in the cybersecurity space

6. Practical Evaluation

Checking learners' course completion status may not be the right metric for evaluating learners' understanding of cybersecurity concepts. Rather, floating a fake phishing email stream and checking their response practically is advised. Also, scenario-based simulation assessments are very effective in assessing learners' knowledge.

Quick Case Study

A renowned banking, financial services and insurance (BFSI) company spent five months to develop a cybersecure workplace with a robust training framework:

1. The Learning and Development (L&D) team worked alongside the recruitment team to include cyberawareness training ("data privacy" module) during the onboarding process.

2. The internal L&D team and technical SMEs were involved in developing content for year-round training programs along with a US-based cybersecurity training service provider engaged for the purpose.

3. A simulated phishing exercise was used to evaluate the learners’ understanding.

4. The pre-assessment results of senior employees were surprising: only 38% of executive or director level people have a basic idea of cyber literacy.

5. The L&D team designed specialized training programs and workshops for executives and leaders, with game elements.

6. Senior executives found the customized training programs and workshops insightful and strongly believed that the training programs would help them in confident decision-making about cyber risks.

7. Managers were encouraged to have brown-bag discussions about the importance of cybersecurity and the scope of the damage.

Retrospect The L&D Approach In Cybersecurity Training

The L&D approach toward cybersecurity training must be changed. Cybersecurity training is not meant for IT professionals only; structurally, cybersecurity literacy should be treated as mandatory training for every single employee. Conducting periodic training for employees on the fundamentals of cybersecurity, such as phishing emails, data confidentiality, data breaches, and malware, is highly recommended.