There has never been a more crucial time to provide cybersecurity awareness training for employees, according to CIRA, Canada’s Internet Registration Authority.
Remote work presents a new challenge in cybersecurity, said Mark Gaudet, CIRA’s Business Development and Product Manager, at a recent ITWC webinar. “Ninety per cent of malicious data breaches come from attacks that target people,” he said. Now that most employees are working from home, “we’re seeing an increase in the number and sophistication of phishing attacks.”
Webinar On-Demand: Security training in the new age of work from home
This new age of working from home calls for new policies and education, Gaudet said. CIRA offers a training platform to give employees the information they need to protect themselves from cyber threats and to create a culture where employees will report issues.
Can security training really change behaviour?
Too often, training is provided on a “one and done” basis, with no follow-up or feedback. To be effective in changing behaviour, Gaudet said that a training program must do three things:
1. Make your training feel real
CIRA’s platform provides a personal dashboard for all employees, giving them a risk score based on their level of training and the number of security incidents they’ve had. Scores can also be improved by reporting phishing attempts. Employees will receive training modules and a series of simulated phishing emails. Those who click on a phishing simulation will receive immediate feedback on how to spot the issues they missed. They will also be enrolled in a course about that type of phishing attack. “It makes you more aware of phishing emails because it impacts your score,” said Gaudet. Employees can also compare their scores to the corporate average, “creating a motivation for people to improve.” The platform allows management to track progress for each employee and to spot areas in the organization that need more attention.
2. Customize for your organization
Cybercriminals are increasingly using spear-phishing emails that rely on company-specific information or current market events to trick employees. For example, Gaudet noted that the latest email attacks might refer to Zoom videoconferencing or work from home policies. That’s why it’s important for organizations to be able to customize training simulations to be relevant to the organization or to prepare users for real-time threats, he said.
3. Connect training to behavioural change
Effective security training programs enable organizations to track behavioural change, said Gaudet. When they start using CIRA’s platform, employees will take a baseline survey, including topics like password reuse or incident reporting. A post-training survey will demonstrate whether their behaviour has changed. “This information can really help you understand the perceptions of staff so you can target your training,” said Gaudet.
Cybersecurity training goals
When choosing a training platform, organizations should look for a customizable turnkey solution that won’t take up the time of IT staff. The cloud-based CIRA program synchronizes with your email system so every employee is engaged once you turn it on, said Gaudet.
Prior to starting the program, organizations should define their goals. For example, CIRA wants to see less than a five per cent click rate on simulated phishes and it wants employees to report phishes 100 per cent of the time, he said. “The idea is to really encourage people to report things and to create a positive cyber security culture.”
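The two measurable goals above (click rate below five per cent, report rate of 100 per cent) and the per-employee risk score described in point 1 are easy to track from the raw results of a simulated phishing campaign. The script below is an added illustration, not CIRA's code or its scoring formula: the campaign records, the scoring weights in `risk_score` and the goal thresholds are all constructed assumptions, chosen only to show how an organization could check its campaign results against stated targets and see how each employee compares with the corporate average.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class CampaignResult:
    """One employee's outcome in a single simulated phishing campaign (constructed schema)."""
    employee: str
    clicked: bool            # opened the link in the simulated phish
    reported: bool           # reported the simulation as phishing
    modules_done: int        # training modules completed so far
    prior_incidents: int     # earlier clicks on simulations or real phishes


# Constructed sample data for one campaign; not real results.
CAMPAIGN_EVENTS: List[CampaignResult] = [
    CampaignResult("alice", clicked=False, reported=True, modules_done=3, prior_incidents=0),
    CampaignResult("bob", clicked=True, reported=False, modules_done=1, prior_incidents=2),
    CampaignResult("carol", clicked=False, reported=True, modules_done=2, prior_incidents=0),
    CampaignResult("dave", clicked=False, reported=False, modules_done=0, prior_incidents=1),
]

# Goals quoted in the article: under 5% click rate, 100% report rate.
CLICK_RATE_GOAL = 0.05
REPORT_RATE_GOAL = 1.0


def campaign_metrics(events: List[CampaignResult]) -> Dict[str, object]:
    """Click and report rates for the campaign, plus whether each goal was met.

    An empty campaign yields 0.0 for both rates and counts neither goal as met,
    so a misconfigured (empty) run is never mistaken for a perfect one.
    """
    total = len(events)
    if total == 0:
        return {"click_rate": 0.0, "report_rate": 0.0,
                "click_goal_met": False, "report_goal_met": False}
    clicks = sum(1 for e in events if e.clicked)
    reports = sum(1 for e in events if e.reported)
    click_rate = clicks / total
    report_rate = reports / total
    return {
        "click_rate": click_rate,
        "report_rate": report_rate,
        "click_goal_met": click_rate < CLICK_RATE_GOAL,
        "report_goal_met": report_rate >= REPORT_RATE_GOAL,
    }


def risk_score(modules_done: int, incidents: int, reports: int) -> int:
    """Assumed scoring formula (not CIRA's): lower is better, clamped to 0..100.

    Training lowers the score, incidents raise it, and reporting lowers it,
    which mirrors the behaviours the article says the dashboard rewards.
    """
    raw = 50 - 10 * modules_done + 20 * incidents - 5 * reports
    return max(0, min(100, raw))


def employee_scores(events: List[CampaignResult]) -> Dict[str, int]:
    """Per-employee risk score after this campaign; a click counts as a new incident."""
    return {
        e.employee: risk_score(
            modules_done=e.modules_done,
            incidents=e.prior_incidents + (1 if e.clicked else 0),
            reports=1 if e.reported else 0,
        )
        for e in events
    }


def corporate_average(scores: Dict[str, int]) -> float:
    """Average score across the organization, shown to employees for comparison."""
    return sum(scores.values()) / len(scores) if scores else 0.0


def needs_attention(scores: Dict[str, int]) -> List[str]:
    """Employees whose risk score is above (worse than) the corporate average."""
    avg = corporate_average(scores)
    return sorted(name for name, score in scores.items() if score > avg)


if __name__ == "__main__":
    metrics = campaign_metrics(CAMPAIGN_EVENTS)
    scores = employee_scores(CAMPAIGN_EVENTS)
    print("campaign:", metrics)
    print("scores:", scores, "average:", corporate_average(scores))
    print("needs attention:", needs_attention(scores))
```

Run on the constructed data, the campaign misses both goals (a 25 per cent click rate and a 50 per cent report rate), and the two employees scoring worse than the corporate average are the ones management would target with additional modules.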