Technology Record - Issue 29: Summer 2023

VIEWPOINT

How to develop security awareness training

MATTHEW FISH: FORTRA’S TERRANOVA SECURITY

Organisations should focus on creating engaging, up-to-date content and use phishing simulation technology to teach workers how to minimise the risk of cyberattacks

“For training programmes to be successful, they need to help employees prepare for real-world security scenarios”

Millions of people and thousands of businesses are victims of cybercrime every year. With over 3.4 billion phishing emails being sent every day, according to Valimail’s Spring 2019 Email Fraud Landscape, phishing is one of the most common types of cyberattacks, alongside denial-of-service and man-in-the-middle attacks. This means it’s crucial for employees to be able to recognise malicious emails.

Cybersecurity awareness training provides employees with the knowledge required to protect confidential information from cybercriminals. It aims to educate all workers – including full-time employees, freelance contractors and any other individuals who access, share, store and edit organisational data – about the types of behaviours that amplify risk, such as clicking on a link, reusing passwords, or entering sensitive information into a suspicious webpage form.

For training programmes to be successful, they need to be engaging and leverage phishing simulations and other web-based communication and reinforcement tools to help employees prepare for real-world security scenarios. This, in turn, will enable organisations to mitigate the risk of employees mistakenly disclosing sensitive information and reduce the costs associated with potential data breaches.

We recommend that businesses follow four key pillars to deliver engaging and insightful training that will successfully change how their employees approach cybersecurity.

1. Create high-quality content

Security awareness training programmes need to deliver high-quality and relevant content in order to attract employees to participate. This means they should include task-oriented instruction and content tailored to specific job roles. For example, the risk of cyberattack is highest for individuals who work in leadership roles and manage money and people. We recommend these managers go through a few phishing simulations to learn how to detect fake invoices so that they don’t share credentials unwillingly.

Content should be created by a team of domain experts that understand adult learning and the current cybersecurity trends and compliance requirements. Task-oriented instructions, customisable courses and microlearning modules will all engage participants in the learning process.

2. Choose whether to deploy personalised or pre-built training platforms

Both pre-built and personalised security programmes deliver effective cybersecurity awareness training but it’s the level of efficiency