I've been in the trenches of cyber security awareness for quite a few years now. In that time I've made a lot of observations, so here's my list of 10 hard truths for what NOT to do:
- Don't give training that is boring. People don't like boring, they don't learn, they don't change behaviours.
- Don't give people the opportunity to multi-task. If they are doing two things at once, they are doing two things badly at once. If someone is doing awareness training while checking their emails, then really they're just checking their emails. Money, meet drain.
- Don't leave management out of training sessions. They should be in on every session, leading from the front, asking questions, and showing others they care! If they're sitting in on a session and using their laptop, frankly, they're not a leader, they're a bad example and the cause of a wasted opportunity.
- Don't talk about protecting the business. Instead, talk about personal impact. Newsflash - people don't care about the business much. What they do care about is their own money, and their own confidential information.
- Don't punish someone for getting tricked. It's not their fault. Be supportive, give them help to not get tricked again. If you reprimand them, they will probably never report being tricked again, and that WILL be a disaster.
- Don't train for compliance. Ticking boxes means you'll do the minimum, and get hacked more often. If you give people minimal training for compliance, you are spending money with little to no financial benefit. They're not learning, and you've still got vulnerable people.
- Don't call people the 'weakest link'. Ever. If you're responsible for risk and you don't equip your staff to deal with cyber criminals, then YOU are the weakest link. Also, you can't seriously expect people to change if you've blamed them for a problem that isn't theirs. That's just demotivating!
- Don't do awareness training once every 3 years, and expect to be safe. You're not. What you are is a ticking time bomb. Cyber security awareness is not the core job of your staff. It takes good training, and reinforcement to build knowledge, and change behaviours. And what are you doing with the new staff in this time exactly?
- Don't forget about suspicion. If you want people to be aware, they first have to be suspicious. Build that little voice in their head that is constantly asking "could this be a scam?" Suspicion leads to awareness, because people will naturally question and look for answers. That leads to behaviour changes, and that leads to a culture of awareness. So pique their suspicion by talking about scams regularly.
- Don't complicate things. Keep it simple, like 16-year-old simple. If you talk about smishing and vishing and qishing, you're filling their brains with stuff that just doesn't matter. They mostly need to know about things like common scam warning signs, links, file extensions, and procedures for checking information.