Best Practices in creating a ‘Human Firewall’
By now, we all know that even the best IT equipment in the world cannot prevent every type of cyber attack. So how do you prevent social engineering or phishing attacks against your team? Many companies assume a weekly or monthly email alerting employees to security risks is enough, or perhaps a training session once a year. In reality, employees more often than not delete or file away the email, or zone out during the training (if they attend at all). The message is never delivered, the employees are not aware of the risks, and when one of them is targeted, they don't know what to look for.
So how do you teach your employees about these risks in an effective and easy way that actually works? The vital component of effective employee security is not training on complicated principles. In other words, toss the boring slideware and use methods and techniques that teach people in a way proven to help them understand and retain more of the content.
Here are a few learning principles you can execute to improve the security knowledge of your staff:
IT is not everyone's strong suit.
Having your IT professional speak about IT security will normally evoke an eye roll from almost everyone. That is what you are up against, and you need to find a way to turn it into genuine interest. There are many practical examples you can use to teach a topic. By using examples everyone has experienced (a suspicious "password reset" email, a caller claiming to be from the help desk), you hold your staff's attention for longer and help them retain the information. Most people also take in a screenshot of a real phishing email or a short live demonstration far better than a slide full of text, and IT professionals should keep this in mind when planning a security training meeting.
It’s not a lecture, it’s a conversation
No one wants to sit and be lectured, especially about a topic they don't care about. Be engaging. Tell stories, and ask the users for stories about things they have run into. Make it a conversation that shows, with examples, how a few simple steps and a new way of thinking about releasing information can improve the security of your company's data.
Measure Success and continue to improve
Change normally doesn't happen overnight, but it is important to track progress. Have there been fewer phishing or social engineering incidents in your business since you began training employees? This data will help shape your future discussions on the topic. It will also help you find what works and what doesn't; use that information to shape future communication. Reference the personal stories in your follow-up emails, refer back to them in future conversations, and so on.
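Tracking progress is easier with numbers than with impressions. The Python below is an added example, not code from the original article: it computes per-campaign click rate, report rate and minutes until the first report from phishing-simulation results, and checks whether a later campaign improved on an earlier one. The campaign names, user names and timestamps are constructed sample data; a real program would read the same fields from your simulation platform's export or your mail gateway's logs. Note that a user who clicks and then reports counts in both buckets: the report is the behaviour you want, because the first report lets security pull the message from everyone else's inbox.

```python
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the article): one row per user per
# simulated phishing campaign. Timestamps are ISO 8601; None means the
# user never clicked / never reported.
SAMPLE_RESULTS: List[Tuple[str, str, str, Optional[str], Optional[str]]] = [
    # (campaign, user, sent_at, clicked_at, reported_at)
    ("2024-Q1", "alice", "2024-02-05T09:00:00", "2024-02-05T09:04:00", None),
    ("2024-Q1", "bob",   "2024-02-05T09:00:00", "2024-02-05T09:02:00", "2024-02-05T09:10:00"),
    ("2024-Q1", "carol", "2024-02-05T09:00:00", None, None),
    ("2024-Q1", "dave",  "2024-02-05T09:00:00", "2024-02-05T11:40:00", None),
    ("2024-Q1", "eve",   "2024-02-05T09:00:00", None, "2024-02-05T09:30:00"),
    ("2024-Q2", "alice", "2024-05-13T09:00:00", None, "2024-05-13T09:03:00"),
    ("2024-Q2", "bob",   "2024-05-13T09:00:00", None, "2024-05-13T09:08:00"),
    ("2024-Q2", "carol", "2024-05-13T09:00:00", None, None),
    ("2024-Q2", "dave",  "2024-05-13T09:00:00", "2024-05-13T09:15:00", None),
    ("2024-Q2", "eve",   "2024-05-13T09:00:00", None, "2024-05-13T09:20:00"),
]

_FMT = "%Y-%m-%dT%H:%M:%S"


def _minutes(start: str, end: str) -> float:
    """Elapsed minutes between two ISO 8601 timestamps."""
    return (datetime.strptime(end, _FMT) - datetime.strptime(start, _FMT)).total_seconds() / 60


def campaign_metrics(rows) -> Dict[str, dict]:
    """Per-campaign counts, click rate, report rate and minutes to first report.

    Clicking and reporting are counted independently, so a user who clicks
    the lure and then reports it appears in both 'clicked' and 'reported'.
    """
    per_campaign: Dict[str, dict] = {}
    for campaign, _user, sent_at, clicked_at, reported_at in rows:
        m = per_campaign.setdefault(
            campaign, {"sent": 0, "clicked": 0, "reported": 0, "first_report_min": None}
        )
        m["sent"] += 1
        if clicked_at:
            m["clicked"] += 1
        if reported_at:
            m["reported"] += 1
            delay = _minutes(sent_at, reported_at)
            if m["first_report_min"] is None or delay < m["first_report_min"]:
                m["first_report_min"] = delay
    for m in per_campaign.values():
        m["click_rate"] = m["clicked"] / m["sent"]
        m["report_rate"] = m["reported"] / m["sent"]
    return per_campaign


def improved(metrics: Dict[str, dict], earlier: str, later: str) -> bool:
    """True if the later campaign is better on both axes: fewer clicks, more reports."""
    a, b = metrics[earlier], metrics[later]
    return b["click_rate"] < a["click_rate"] and b["report_rate"] > a["report_rate"]


if __name__ == "__main__":
    metrics = campaign_metrics(SAMPLE_RESULTS)
    for name in sorted(metrics):
        m = metrics[name]
        print(f"{name}: click {m['click_rate']:.0%}, report {m['report_rate']:.0%}, "
              f"first report after {m['first_report_min']} min")
    print("improved Q1 -> Q2:", improved(metrics, "2024-Q1", "2024-Q2"))
```

Report rate and time to first report are usually the more useful trend lines than click rate alone: click rate can fall simply because a lure was easy, while a rising report rate and a shrinking time to first report show that people are actually doing what the training asked.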
As long as cyber attacks are profitable for attackers, this type of training and prevention is necessary. It's important to have your staff on the same page so they recognize and help prevent these costly attacks. All the latest state-of-the-art IT equipment can't prevent an internal user from willingly handing company documents to what they think is a legitimate source.