"One-off security and awareness exercises do not guarantee your security."
This is what the FCA reported in March this year in a new cyber security industry insights paper. The paper was published to help organisations across the financial services industry build their understanding of, and interest in, innovative cyber security practices.
The reality is that organisational resilience against growing cyber-attacks is a team sport. A large share of successful cyber-attacks succeed because of the mistakes people make: clicking on a suspicious link or attachment, sharing personal information on social media that can later be used against you, continuing to rely on weak or reused passwords, accessing sensitive information over insecure public wi-fi. The list goes on.
Annual information security awareness training does little or nothing to build the culture and environment needed for behaviour change. For many in financial services organisations it is 'tick-box tedium'. Awareness training is a control like any other, and, like any technical security control, it has to be shown to be effective rather than simply delivered.
In their paper the FCA go on to say: "Think long term and design a user education and awareness programme that constantly weaves cyber security into the culture and behaviours of your organisation."
It is all about providing our people, whether in the boardroom or on the frontline, with the digital skills that instil and sustain the right behaviours across the workforce, on a continuing and engaging basis. The challenge remains how to truly engage the workforce so that they have the know-how, confidence and motivation to do the right thing at the right time in the face of growing and ever-changing cyber threats.
There are some key learnings from Unicorn's experience of offering GCHQ certified online cyber awareness training to client organisations that can help:
- Keep it personal - Provide story-based training about how your workforce can better protect their own or their families' information;
- Keep it appropriate - Nugget-based (microlearning) training aligned to your particular risks gives simple, practical advice quickly and concisely;
- Keep it simple - Demystify cyber security by using plain English to explain the risks we all face at home and at work;
- Keep it regular - A managed campaign that provides regular refreshers and reminders (online and offline) works well in reinforcing behaviours and building collaboration;
- Keep it relevant - Offer training aligned with the tasks your people perform as part of their job;
- Keep measuring - Track adoption rates and progress against your targets, and use the results to identify common gaps in your people's understanding;
- Keep it immersive - Use gamification and other new training techniques to place staff in recognisable scenarios, as games do, to grow understanding and memory retention; and finally
- Keep listening and adapting - Involve your people in finding out what is working and what is not in your campaign. They are your audience and will be a source of great new ideas.
Our digital skills need to play a key role in our organisational resilience. It really is a team sport, and we need to make any training engaging, relevant and fun to motivate all our people to do the right thing.
About RESILIA: As part of AXELOS, RESILIA provides cyber resilience best practice training to clients around the world. RESILIA Frontline is GCHQ certified cyber awareness training that provides engaging, immersive, short and cost-effective online awareness learning for all staff.