How would you approach improving the security education training and awareness in an organization you know well (e.g. Temple as a student) but you will not name in your answer post and comments?
Hashem Alsharif says
Working for a financial institution, I found that security education was seen more as a nuisance than as an essential piece of learning. When I went through onboarding training, there were 20+ videos to watch every day, and each video had the same monotone look with the same monotone rings. I wasn’t excited to learn about security policy. Rather than having security training done as an online course, I would have an instructor come in either in person or via Zoom call. By having a person be the instructor, it makes the learning experience more personal. I would also include group practices to make sure every employee gets involved. It is through these group practices that each employee learns the importance of following company security policy. This also helps keep metrics more reliable because, while yes, a quiz may help track how many people took the course, it doesn’t take into consideration who actually paid attention, as there’s nothing stopping the employees from randomly selecting answers on the quiz until they get the passing score. Some employees may also feel pressured to score well on a quiz/test rather than just learning the material.
Bo Wang says
Most companies choose free videos for employees to watch, and the worry is that many employees do not value the content of these videos.
Bo Wang says
I thought we could do a play about cybersecurity, because this can attract more people to watch the drama; students can play the roles in the case and even interact with the audience. This can maximize people’s interest and attention in network security, and impress upon people the importance of security.
Ooreofeoluwa Koyejo says
Hmmmm, this is such a great idea, and it will be an interesting one to watch.
Hashem Alsharif says
I like the idea of doing a play. Too often I find that companies don’t really give any creativity to teaching cybersecurity to their employees. By having a play, as you said, it would help retain attention and keep people interested. I wonder if there are other areas in cybersecurity that we can change in an effort to get more attention. Maybe plays can also be used to show the importance of teamwork/collaboration or used to boost performance in the workplace? One thing is certain: the field of cybersecurity could without a doubt be more entertaining, and it’s our job to figure out new ways to teach and explain what we know.
Nicholas Nirenberg says
At a previous organization I worked for, security was very important, as sensitive data was often accessed. This meant I and other employees needed to complete many cybersecurity training programs beyond background clearances in order to access such material. Unfortunately, I found much of the training material to be boring and ineffective at getting its message across. Many of them were simple interactive slideshows or trainings masked as a fun game, which were designed to make them more engaging than a simple document to read through. I think that while these were well intentioned, they weren’t great at actually informing me about better cybersecurity practices. Instead, they encouraged me to skip through it so I could get back to work. If I were to improve the training, I would make it more brief while still containing all the content necessary. I would also focus more on the actual content rather than trying hard to make it exciting and interactive.
Ooreofeoluwa Koyejo says
I believe this feedback should be shared with the HR and the cybersecurity teams within organisations, so it is not a routine task that is done but doesn’t deliver any form of value.
Celinemary Turner says
Your feedback on the cybersecurity training programs you encountered at your previous organization raises essential points about the balance between engagement and effectiveness. Employee engagement is a key business driver for organizational effectiveness.
Edge Kroll says
In my experience, most security training is done in the simplest, most boring way possible: oftentimes sitting through a slideshow or a bunch of videos, and then a quiz at the end. Obviously, most people don’t find cybersecurity to be particularly interesting (their loss), but because of this, it is important to make the experience active and personalized, either using online meetings on Zoom, for example, or in-person presentations, and allowing those who are being shown to work along with the presenter. This will allow for more in-depth explanations of the security processes, how to operate things safely, and also justification to each specific group of how they could potentially be impacted. I believe this would make this more engaging and emphasize the importance of good security processes.
Ooreofeoluwa Koyejo says
I agree with the boring part, and I believe this is because people approach it with a ‘requirement’ and ‘compliance’ perspective, most often as part of an onboarding process. This can definitely be improved on when it is communicated as a need for personal advantage as well as in relatable content.
Ooreofeoluwa Koyejo says
To improve the challenge of low engagement with the security education training and awareness program in an organization, I will take the following steps to address it.
– Gather feedback from the recipients of the program to know why they do not engage or why others do not engage with the awareness sessions.
– From the feedback, I will approach teams/persons within the organization to support the plan to modify the content and delivery of the awareness program.
– Identify and align with stakeholders on this recommended approach to modify the awareness program without taking out the objectives and goals as defined by management.
– Ensure management is in support of this new plan and receive adequate resources to facilitate it.
– Execute the plans and methods for the new form of security education and awareness program.
– Track the performance of the new methods and gather feedback from the recipients to ensure continuous improvement, adequacy and sufficiency of the methods implemented.
Yannick Rugamba says
I’ve gone through your proposal to improve the security education program. I must say it’s really comprehensive and well planned! Drawing from my IT background, I would recommend incorporating real-life situations or simulations. It’s similar to how hands-on labs tend to stick with us more than plain lectures. By making the training interactive and relatable, we can increase engagement. Perhaps we could even organize a competition or quiz after the training? It would be a way to reinforce learning and identify any remaining knowledge gaps.
Jon Stillwagon says
I would start by having two-step authentication for their employees and students to log into their accounts. I have noticed that they don’t have this factor implemented; even though they have you update your password regularly, it just takes one good try to get in, and with two-step authentication in place, it would be more secure. I would have the students watch an online video about phishing emails. I have noticed that there were some suspicious emails being sent directly to me, but I knew that the email didn’t look like something from the school or a potential employer. I could see someone from the school receiving this email and becoming a victim because of it.
Eyup Aslanbay says
Absolutely, you raise a crucial point. In today’s digital era, updating passwords alone is not enough to ensure security. Two-step authentication acts as an additional layer, making it harder for malicious actors to gain unauthorized access.
Celinemary Turner says
Your suggestions for implementing two-step authentication and educating employees and students about phishing are essential in enhancing cybersecurity within an organization or educational institution. However, phishing remains one of the most common and successful attack vectors. Educating students and employees about phishing emails is crucial.
Celinemary Turner says
You make good points. However, phishing remains one of the most common and successful attack vectors. Educating students and employees about phishing emails is crucial.
Eyup Aslanbay says
Based on my experience, I observed some deficiencies in an organization that I am familiar with. There was a lack of awareness about risks. For example, many individuals clicked on links from phishing emails. My approach to improving the security education, training, and awareness would involve the following steps:
1. Assess the current situation. Before any training or awareness initiatives, I would send another phishing email to identify my target audience.
2. Group by Role and Access. After grouping them by job and information access, I would initiate the training program, ensuring they understand the gravity of the situation using real-world examples, such as the Target case.
3. Management Involvement. Gaining the support and involvement of management is crucial. Their endorsement will not only add credibility to the program but also ensure that necessary resources and attention are given to these initiatives.
4. Continuous Awareness. Awareness isn’t a one-time event. It’s essential to continuously remind employees of security practices and the reasons behind them. Regular seminars, workshops, and communication campaigns can be beneficial in this aspect.
5. Regular Updates. The threat landscape is continuously evolving. Regularly updating the training material and awareness content to reflect the latest threats and best practices is vital.
By ensuring these steps are in place, the organization will be better prepared to handle and respond to various cybersecurity threats.
Celinemary Turner says
I agree with your outline; regularly assessing the organization’s susceptibility to phishing attacks is a proactive approach. It helps identify vulnerabilities and areas that need immediate attention. Keeping up-to-date training materials and awareness content is crucial in the ever-evolving cybersecurity landscape.
Celinemary Turner says
Improving security education, training and awareness in an organization is very important for safeguarding sensitive data and mitigating security risks. Here is the approach I would follow to enhance security education within the organization.
I will start by assessing the current state of security awareness in the organization. Conduct surveys and interviews to gauge employees’ knowledge regarding security awareness.
I will develop a comprehensive security program tailored to the organization’s needs.
I will gain support from senior management and make them advocate for security awareness.
I will develop interactive and engaging training materials, such as e-learning, workshops, webinars and newsletters.
Moving forward, I will encourage employees to report security incidents or suspicious activity.
Regularly update content to reflect the latest security risks and best practices.
Recognize and reward employees who consistently demonstrate good security practices.
I will continuously be monitoring the effectiveness of the security awareness program.
By following this comprehensive approach and continually adapting to emerging threats, the organization can improve security education, training and awareness, ultimately reducing security risks and strengthening overall cybersecurity.
Edge Kroll says
I really liked the part you mentioned about recognizing and rewarding employees who demonstrate good security practices. In my experience, it is usually a “comply or there will be trouble” type of attitude towards security practices, and this makes many employees follow the guidelines only because they are worried about being fired. Rewarding employees for following good security practices not only incentivizes those who may otherwise dislike the extra hassle of ensuring security, it also encourages these practices in a positive manner.
Yannick Rugamba says
To improve awareness of security, I recommend incorporating real-life stories into training sessions. For example, organizing conversations where we can discuss technological challenges over coffee can be an enlightening and engaging approach. Another idea is to have sessions called “Tech Tales,” where we share stories about system glitches and how we resolved them, turning them into valuable learning experiences. Additionally, for a fun twist, we could occasionally have “Cyber Quizzes” that are based on scenarios to keep everyone alert and blend entertainment with education.