It is not a case of “half-a-day’s training is better than none at all” but one of “all hands on deck!”

With an ever-evolving cyber threat landscape and a growing hybrid- working environment widening corporate attack surfaces, it is imperative that organizations in the Asia Pacific region (APAC) are proactive about cybersecurity.

Although choosing the right technology to combat cyber risks is essential, gaps in human performance must be addressed: more often than not, cyber incident statistics globally indicate that 90% of security breaches involve human error.

A strong cybersecurity culture is essential to empower a “human firewall” to prevent attacks. Today’s tech leaders need to establish effective training and awareness campaigns to ensure all employees are educated about cybersecurity. Unfortunately, two trends and attitudes about cyber training are potential causes of long-term problems in establishing the right cyber-aware corporate culture.

Two worrying cyber training trends

Firstly, some organizations make the mistake of treating cyber training a one-off or annual event, even if it is a grand affair.

Secondly, some organizations leave the security responsibilities mainly to the IT and security teams, not realizing that employees need to understand their valuable stake in cultivating and nurturing a strong cybersecurity culture. 

To address these two misguided approaches, organizations should make cyber awareness training continual, consistent and engaging. In this way cyber awareness training can vastly reduce the risk of cyberattacks or at least limit the blast radius; minimize financial loss and damage to brand reputation.

Stanley Hsu, Regional Vice President (Asia), Mimecast

Making cyber awareness attitudes innate

Research has shown that employees who receive consistent security awareness training are more likely to spot (and avoid clicking on) malicious links than those who do not.

For example, employees could be tricked into clicking on phishing links or plugging-in hardware devices that are infected with malware — leading to devastating outcomes for businesses. However, with effective training and refresher courses and reminders, employees will be made more vigilant and more consultative at the slightest encounter with social engineering tactics and suspicious business activities.

How can cyber awareness training program be made more effective? Here are some tried-and-tested tips:

    • Address all the mistakes that employees may make in email management, collaboration tools and the web. It is equally crucial to implement practical elements such as phishing simulations or even de-weaponizing real-life attacks.
    • For training to stick, the training needs to be persistent and delivered in small doses to fit employees’ busy schedules.
    • Most importantly, positive reinforcement and humor have been proven to lead to better outcomes in improving retention of critical security topics, as opposed to fear-based or boring content.
    • Where in-house trainers and programs are not available/accessible, organizations can turn to third party training firms specialized in this field of education. Ensure that such providers deliver content in a fun, engaging and educational way, through the use of multimedia resources; and that the content is industry-specific, easy to administer and fine-tune, and feature comprehensive tools to gauge and certify learner progress.

When it comes to cybersecurity, we are only as strong as our weakest link, and a robust cybersecurity culture has to comprise employees who understand the impact of their actions at work or even off work — however small.