Companies often protect themselves and their employees from risks by taking out cybersecurity insurance, buying information security consulting or hiring lawyers to shield the company from information security risks. When a company sets out to recognize its information security risks, the risk of human error is often overlooked. Based on our experience, the information security training of personnel is often handled in the easiest and cheapest way that satisfies the requirements of the certificate. However, this isn’t a consistent way to reduce risks and improve personnel’s information security skills. What does a company need in order to organize successful information security training, and why is it worth investing money in?
What is information security training?
Information security training aims to raise the level of personnel’s information security skills, both at work and in their personal lives. An organization’s security strategy only works if the personnel have been trained to recognize information security risks. The importance of information security training shouldn’t be underestimated, and it shouldn’t be seen only as a tool for controlling the information security risks posed by personnel. Organizations should treat personnel’s information security skills as one indicator when evaluating the organization’s information security as a whole. In an ideal situation, information security awareness is part of the organization’s security culture and personnel are capable of acting independently when they notice an information security incident. For this reason, it’s important that management also takes the need for information security training seriously.
The training can consist of, for example, surveys, webinars, videos, games or other online training methods. Execution can, for example, start with an introduction to a common incident, where the different threats faced by employees are discussed, after which the training is carried out according to the organization’s needs. It’s also important to keep personnel’s skills up to date, so offering training that recaps the skills is useful. This type of recap training can be, for example, a lecture. To keep employees engaged and interested in the topic, the training should be fun and show each employee their individual importance in preventing information security risks.
Training is required by standards
Information security training is sometimes designed to meet only the minimum requirements of a certain standard or audit criteria. Often this type of training is limited to a yearly or ad hoc session. This leads to a situation where employees know the basics of information security but may not know the organization’s information security policy or fully understand their own role in protecting the organization from security threats. Their skills in preventing, noticing or reporting information security incidents may also remain incomplete; thus, the training should be designed based on the company’s needs, not just to meet the standard’s requirements.
A few examples of international standards and regulations that require information security training:
- ISO/IEC 27001
- General Data Protection Regulation (GDPR, EU)
Along with international standards, the Finnish VAHTI instructions (information security instructions issued by the Government Information Security Management Board) offer guidelines for information security in public administration organizations. Of course, these instructions can also be used by private organizations and companies.
Training as a part of the organization’s information security process
Information security isn’t a product or the result of a single action. It’s a process that should develop along with the changing environment. Thus, the training program should also recognize the topics that support the organization’s mission while fitting the changing environment. A well-designed training program expands from a yearly, mandatory training into consistent and regular recap training year-round. This ensures that information security is part of the company’s daily activities and culture. The content of the training should be interesting and fun enough to encourage employees to adopt more secure routines outside the work environment as well. As a result, employees understand the importance of the organization’s information security policy and actively recognize, notice and report possible incidents.
To reach such a situation, the following matters should be considered:
- Who is the training meant for? Different work tasks need different types of training. For example, employees working in IT and employees working in HR need different types of training due to the different nature of their work tasks.
- What is communicated, and how is the training communicated to employees? The aim is for the training to be as efficient as possible but also relatively short. This step also includes a risk analysis, which aims to identify the biggest information security risks faced by employees and which routines need to change to reduce those risks.
- How will the training be organized? The main training usually concentrates on teaching new matters and is typically carried out yearly or every second year. It can include lectures, online training or both. Recap training is used to strengthen the skills employees learned in the main training and can consist of newsletters, tests or blog articles.
- Reporting the results to management. Results can consist of, for example, individual performance reports for each department and how well the training targets have been reached. Results can also be viewed more broadly, for example the percentage of phishing links clicked each month when a phishing campaign is part of the training, the number of reported incidents or the number of shared or weak passwords in the organization.
“Training takes so much time”
Based on our experience, employers often justify the lack of training with time constraints: it is expensive for the company when an employee isn’t concentrating on their actual work tasks. However, information security training is important because it reduces risks for the company, and the time spent on it isn’t a waste of time or money.
Often, the employees who behave riskily with respect to the information security policies also skip the trainings, as they feel it isn’t relevant to their work. This is, however, a good moment to remind employees of the long-term goal of developing the company’s information security culture.
Personnel’s information security training can be organized, for example, with the help of short online videos, so employees don’t have to spend much work time on the training. Recap of previously learned skills can also be done in a time-efficient way with short questions, which also remind employees of the skills they’ve learned. The training can also be run as a contest, where the scores can be followed by the whole organization and the winner is rewarded, for example with a tablet. This motivates employees to finish the training, while also taking the less competitive employees into account. The prizes don’t need to be expensive; the thought and the act of rewarding go a long way. If a competition isn’t an option, creating diplomas for the employees is also a good option.
How can we help you with your training needs?
At 2NS we help our clients train their personnel and develop their information security skills. We teach our clients to recognize and avoid the most central information security risks faced by employees, and we also offer help in analyzing the results of the training.