Compliance Does Not Equal Security

I see this a lot: companies doing a short, half-hour online cyber security awareness course. They tick the box that their compliance is done and that their staff are cyber security aware. When I ask the staff of companies like these how the course was, they can't really remember much about it.

Is that the goal of cyber security awareness training? To tick a box and say you did something to meet a compliance requirement? The problem here is that in terms of reducing your cyber risk profile, the outcome is pretty poor. And of course that translates into cost, loss of information, and sometimes worse.

Cyber / IT security awareness is about getting everybody on board, from the execs to the cleaners. It's about having them understand the risks, knowing how to think, knowing how to act, keeping them updated on new risks, and embedding it into the organisation as a day-to-day, living thing.

When this is done properly, it pays for itself. When you have a rough hack at it to tick a box, it will not pay for itself, and it will probably end up costing you money.

It's really hard to engage people with an online, computer-based course. It's better than nothing, and it's probably a good starting point, but to really gain understanding, staff need to be interested in learning. That's incredibly hard to achieve without someone being there, engaging with them, and discussing cyber security awareness in terms of their own organisation and their own experiences.

So if you treat cyber security awareness as a compliance exercise, be aware that you're probably still accepting a high level of cyber security risk for your organisation!
