Cyber-Awareness Education Is a Change-Management Initiative
By Rob Rashotte, Vice President, Global Training & Technical Field Enablement at Fortinet
As cyber adversaries continue advancing their tactics, organisations around the globe are at greater risk than ever of being breached. According to recent Fortinet research, cybercriminals are showing no signs of slowing: Ransomware-as-a-Service (RaaS) operations are driving increasingly sophisticated attacks, and unique exploits, malware variants, and botnet activity are rising. Businesses are undoubtedly feeling the effects of this increase in the volume and variety of cyberattack tactics. The Fortinet 2023 Cybersecurity Skills Gap Global Report found that 84% of organisations experienced at least one breach in the past 12 months.
A comprehensive strategy is required to detect and prevent cyber incidents, and your employees play a crucial role in this effort. While more than 80% of organisations surveyed indicate they have existing security awareness training programs, the majority (56%) still believe that their employees lack critical knowledge about cybersecurity best practices. These concerns are warranted, considering that 74% of last year’s breaches involved the human element.
When equipped with the proper knowledge, employees can effectively serve as your best defence against malicious actors. However, your approach to creating and maintaining an organisation-wide cybersecurity awareness program can make or break your success. Ultimately, security awareness and training initiatives are change-management efforts and should be treated as such, with buy-in at the highest level of the enterprise.
Articulate the Program Vision and Communicate It Often
Successfully defending your enterprise requires more than a team of skilled security practitioners and cutting-edge technologies. Implementing an ongoing security awareness and training program is crucial to managing organisational risk. An effective cyber-education program is not a “set it and forget it” effort. Instead, the program must be an ongoing part of organisational policy.
Many leaders assume introducing a security awareness project will alter user behaviour and enhance the organisation’s overall security posture, but that is rarely the case. This is why designing and articulating a program vision—and documenting meaningful metrics to track outcomes—is a crucial first step. Learners will be more responsive to the program if they thoroughly understand the objectives and importance. Employees should feel like active participants in this change instead of passive recipients of another mandated training program.
Once you’ve created the program vision, share it often. These messages should come from the security team and other leaders around the company. Find opportunities like all-hands meetings when several executives from different departments—security, human resources, legal, and corporate communications, for example—can collectively discuss the program’s value.
Design an Initiative That Meets the Unique Needs of Your Organisatio
There is no “one size fits all” approach to security awareness training. To create a security awareness education program that’s effective for your enterprise, there are several attributes to consider as you’re planning.
First, make sure you’re covering relevant topics. The subjects covered in cyber-awareness training should change as the threat landscape does. While every program must address critical areas of concern—such as phishing attacks, ransomware, social engineering, remote work, passwords and authentication, and more—include unique risks relevant to your enterprise or industry. Reevaluate the content periodically and make adjustments or additions as needed.
Next, consider the context for the training. The audiences participating in your training program should determine the content you provide, and different groups of learners may need customised modules. For example, your software engineers and other technical staff need to understand specific security considerations that don’t apply to your administrative staff. Although the fundamental ideas delivered in the training sessions may be the same for both groups, providing distinct content helps learners better understand their role in protecting the business.
Finally, create a plan for long-term engagement. Cybersecurity awareness education requires ongoing effort. Think of your initiative as a change-management endeavour with a significant training component, not simply a training program. When developing your plan, consider how you’ll encourage staff to interact with the content, how often you might update the organisation on the initiative, and how you want to expand the effort over time.
Cyber-Awareness Education Is More Than “Just” a Training Program
A world-class security team and the best technologies are valuable in mitigating organisational risk, yet many businesses overlook the importance of offering cybersecurity awareness education to all employees. As cybercriminals continue to advance their strategies, there’s no better time to implement an initiative that will give employees the know-how to identify and halt a potential attack.
Rather than viewing these initiatives as just training programs, they should be considered genuine change-management initiatives involving a significant amount of training. As with any change-management initiative, establishing a vision and articulating goals are essential. While these actions may seem rudimentary, they’re vital in helping you gain buy-in from peers and executives and building employee trust (and generating interest) in the program. This simple mindset shift will help you create a successful initiative that strengthens your organisation’s security posture.