A common approach for planning your employee cybersecurity awareness training is to forge ahead, complete it, and remove it from the checklist of “to do” items. Yet any Information Security Officer (ISO) will tell you that their goal for employee cybersecurity awareness training is to have a well-informed staff that is equipped to mitigate fraud.
Fortunately, having an educated staff is an achievable goal without having to rush through this initiative. Consider a counterintuitive approach and think about what you should not do when it comes to employee education. Here is a list of common pitfalls to avoid when planning your institution’s employee cybersecurity awareness training.
1. Administering cybersecurity awareness training the week before an IT audit or exam.
Not only does this cause undue stress, it also prevents an overall culture of security in your environment. A better approach is to provide training in an ongoing manner and emphasize the importance of this initiative by updating employees throughout the entire year. Consider pairing your cybersecurity awareness education with a security assessment to address its effectiveness by periodically gauging employee preparedness for handling real security scenarios.
2. Consolidating cybersecurity awareness training with other training courses.
Cybersecurity awareness education is unique and needs to have top billing. Providing multiple courses at the same time will confuse employees and take away from the importance of protecting the non-public information of your customers or members. Setting the cybersecurity awareness training apart from other initiatives will also demonstrate to examiners and auditors how your institution values its importance.
3. Creating overly ambitious training goals.
There is a balance to consider when distributing training. Ensure that your cybersecurity awareness strategy is achievable and that you are not creating benchmarks based on a perfect-world scenario. For example, do you have the time to allow your staff to take a test each quarter? Or would it be as effective to test annually and communicate to employees throughout the year on relevant cybersecurity topics?
4. Sparing the board members/senior management from participating in cybersecurity awareness training.
The overall goal is to spare your institution from a cybersecurity incident, so avoid leaving gaps in your cybersecurity awareness. Board members specifically should be familiar with their own responsibilities as well as the responsibilities of the organization. Knowing the risks associated with poor cybersecurity awareness practices will help your board members/senior management realize the value of this effort to your overall fiscal health.
5. Providing educational content that includes the overuse of compliance terminology/direct guidance.
Employees and board members will need to make sense of the guidance. So interpreting the guidance is important. Providing real-world examples of cyber threats and procedures will teach employees how to apply the information to their job roles.
6. Neglecting to train new employees.
It is highly likely that you will hire a new employee at some point who does not have a strong cybersecurity background. Have a way to facilitate training the first day the employee is hired or within the first week.
7. Using one type of educational method.
As with any traditional classroom environment, employees vary in how they learn material. Provide more than one type of training methodology. Use videos, tests, reading material, and emails to create variation and keep the material more engaging.
8. Avoiding the need for assistance and neglecting education.
There is a point when the ISO can only do so much. If your institution has experienced rapid growth or if the ISO has additional job titles and responsibilities, consider the use of a third party that specializes in education and is able to keep training objectives on track.
The good news: Nothing is insurmountable when it comes to creating a solid cybersecurity awareness program. Remember, cybersecurity awareness education is never “finished” and cannot be checked off a list. Create good habits that will help you throughout the year and make an agenda with smaller manageable tasks. Avoid taking a step backward and use these eight items as a guide to propel your education program while benefitting and protecting your institution.
Visit our updated ProfitStars Cybersecurity Awareness Resource Center for free information to support your FIs’ cybersecurity efforts, both at work and at home!
Stay up to date with the latest people-inspired innovation at Jack Henry.
.svg)
