Much has been said about Australia’s vulnerability to a cyber-attack. Since COVID, and the move to a working from home model, that vulnerability has increased.
It’s impossible for leaders not to know of the risk but, the frequency of hacks and number of organisations struggling to successfully lift cyber resilience, is high.
The reason is that there are several key challenges which are not being addressed now and could be.
One of those challenges is that organisations don’t develop, or buy, effective training.
There is some terrible training around. We’ve seen a lot of it. Usually it’s “online” training, which is the default delivery mode used to address cyber security risks.
Most people – if you actually ask – don’t enjoy “online” training, but organisations persist in using this mode for delivery. Why?
There are many reasons for deciding to invest in online training, one of which is that it’s cheaper than other modes. Cheap could be ok if you still achieve your outcomes, but if the training isn’t interesting, it doesn’t support changed behaviours, isn’t effective and therefore, cheap is a false economy.
Some organisations actually refer to this online training for cyber risk as “compliance training”. This term alone creates a barrier to learning before the audience even starts the training, which is the opposite to positive engagement.
Training content is often focussed on “compliance” requirements as the reason for learners to support the organisation to manage risk. Whilst compliance may be a motivator for certain people in certain roles… the reality is that it is simply not a motivator for many. If you think about your learners and work out what percentage really, truly, are going to be motivated by compliance, we expect you may find as many as 80% just aren’t.
If your aim is to achieve change, you need to give people a reason to want to help you to do that. Risk management is a far better motivator. We’ve worked with organisations and delivered face to face sessions where we’ve talked about the harms which would occur, if say, there was a data breach impacting community members. We often receive feedback that the team then had further discussion internally, because they were so concerned about the scenario discussed and wanted to ensure it didn’t occur.
Online training for cyber risk is often too long, poorly scripted, not tailored to the organisation’s culture, and delivered in an environment which does not support learning. Sadly, it’s often used as a tick in the box exercise which is unlikely to achieve changed behaviours to manage risk.
And on top of all of that, many organisations penalise users for not successfully passing a security exercise in an online training program, by requiring the user does more online training… which, when you think about it, is good way to get people to complain about training they didn’t want to do in the first place!
A successful solution resulting in changed behaviours gives users an incentive to engage and support the organisation’s security culture. So, to be clear, we are not against online training at ROI Solutions. We believe online training can be designed to be effective, with some thought.
The following are 6 ways you can get better outcomes:
- Don’t ever refer to the training as “compliance training”.
- Develop or buy training which is relevant to learners. That is, it’s tied to something the learner knows, understands, and finds interesting.
- Ensure the training is tailored for your environment and culture.
- Ensure content has been scripted in a way which leaves no room for confusion.
- Ensure the training is not overly long and is broken down into bite-sized chunks.
- Ensure the learner is able to complete the training in a suitable environment, free from noise and interruptions.
Really good providers of security training and awareness offer a “solution”, rather than a “course” to maximise the outcomes you can get from your efforts (and budget) to lift cyber resilience.
If you’d like to discuss our solutions for lifting cyber resilience, please contact us or just phone 1300 264 946.