How Often Should You Conduct Cyber Security Training?

We all know the importance of keeping our businesses safe by making sure our employees understand how to recognize and avoid cyber threats. And most businesses with a digital presence at this point have responded to this reality by instituting some kind of cyber security awareness training.

But there are still lots of questions here: what exactly should go into training like this? Why do businesses keep becoming victims in spite of their training policies? And how often should businesses go about it?

Why Once a Year Isn’t Enough

For many organizations that do cyber security training, the event has become routine, something that happens once a year. Unfortunately, it’s also something that rarely gets talked about outside that once-a-year event.

That’s in part why once a year isn’t enough: something that most people find rather uninteresting and that only comes up once every 12 months just isn’t going to take hold. It isn’t going to radically transform the way your people relate to technology.

Another reason why once a year isn’t enough is that cyber threats evolve at a much faster clip. The bad guys aren’t waiting until the calendar turns over to invent new types of attacks. Instead, they are constantly innovating and looking for new ways to do damage.

Why Most Cyber Security Training Falls Short

The problem with most cyber security training isn’t just frequency; it’s also content and delivery. Most cyber security trainings are dull and non-interactive, often taking the form of videos you watch, text you read, and check boxes you check.

Clicking through a slide deck or watching an uninspiring corporate video just isn’t going to move the needle for very many of your people.

What they need instead is something that is interactive and that connects on a personal level. They need an approach to cyber security training that embeds itself into your company’s culture, and they need to understand the stakes in real-world terms that connect to their day-to-day work lives.

How Often You Should Do Cyber Security Training

To be honest, “how often should you do cyber security training?” is the wrong question. This assumes that cyber security training is an event we mark on our calendars, but we believe there’s a better way.

Instead of making cyber security awareness training an annual, semi-annual, or even monthly event, consider changing your approach entirely. What if you implemented small, regular, friendly interventions that nudge employees toward safer digital choices?

You probably already see some of these in applications you regularly use: Microsoft 365 warns users when a file has been downloaded from the internet, and typically opens that file in a protected view. Of course, most of us view that as an annoyance rather than a help, so it’s not a perfect example of what we mean.

But even if we are annoyed by those prompts, they’re still subtly reinforcing the truth that files downloaded from the internet can be an attack vector, a way the bad guys sneak through your business’s defenses.

We are not suggesting that there is no place for annual cyber security training. For many organizations, this is still a good idea, although it’s worth taking a close look at how your business is approaching those annual trainings. Rather, we are suggesting that a more proactive, culture-shifting approach to cyber security education will lead to better results.

