We all bathe regularly—some more often than others, but we all get introduced to the soap from time to time. We do this for a reason. The build-up of grime and dirt on our bodies has to be removed somehow.
It’s the same way with cyber security training; in this case, though, it’s not dirt that must be removed, but laziness and bad habits. Most training systems have a requirement for periodic refresher training. Sometimes the refresher training is actually carried out, and users have a chance to build on what they know. But most of the time, after the initial training in cyber security, it is just ignored. This is a mistake.
The Department of Defense, the Australian Federal Police and the Australian Security Intelligence Organisation all have a policy of ongoing training in what happens with their digital assets. The reason is simple—people forget. They forget the basics, and by forgetting the basics, they put the organisation in danger. It takes continual reinforcement to prevent this.
In some cases, reinforcing the security message can be subtle—strategically placed posters around the office, a clean-desk policy enforced by everyone, or simply a requirement of locking the computer when you leave your desk. In other cases it is more comprehensive—ongoing training concerning what information needs to be secured and how to go about securing it.
In small and medium businesses and not-for-profit organisations, we need to reinforce the basic security policy training with additional measures. Some of the steps that I recommend are:
- A regular 10-minute instruction on some component of business security, physical or digital, as part of the regular business processes.
- Run a cyber security competition within the business. Make the whole process amusing and interesting, and people will start to understand the importance of protecting your digital business assets.
- Have a cybercrime/cyber security article in your monthly newsletter. Inside is good, but external is better. With an external newsletter, you are projecting your security envelope outside your business, and internal people start to realise how important it is to the business. (Just ask, and you can use any of mine.)
You will always get pushback from people who are too busy, not interested, or have the attitude that “it doesn’t pertain to me.” This is a chance to show that you are never too busy to protect the business assets. Even if they think they are not interested, hopefully the additional training will stick, and the mantra “Cyber Security is MY problem” will start to sink in.