Have you ever taken one of those stupid on-line health and safety compliance tests? After you read 20 minutes of mind-numbing information about H&S policies and procedures, they ask you things like, “Do you need to wear your PPE in a Red Zone?” or “Is an ABE fire extinguisher to be used on wood fires and electrical fires?” You can count on the fact that you will not remember any of it within 5 minutes of ‘passing’ the test.
Unfortunately, some of us are starting to do the same thing with cyber security awareness training. We make people go on-line and read 20 minutes of mind-numbing facts and figures about cybercrime and about cyber security behaviours, policies and procedures. We then ask them simplistic questions about it … and of course, we let them take the test as many times as they need to in order to finally pass it (that is, guess all the correct answers). We then make-believe we feel satisfied because we have ticked the proverbial box, we report that we have raised cyber awareness, and we are done. That is, of course, a dangerous and insulting waste of time, money, and energy, for the organisation and the individuals involved.
Cyber awareness raising must be done live, either face-to-face or via teleconference (for example via something like Zoom or Teams), because it requires thinking and discussion. The awareness raising sessions must be focused on making cyber security personal, relevant, and important to the individuals involved; otherwise, it will not sink in and they will not change their behaviour. Successful awareness raising and security training, as with H&S training, also requires repetition and reminders because we so easily become complacent. Any one-off training and testing is useless and dangerous because we falsely believe we have made a difference when we have not.
Do not fall into the compliance trap and think that ticking the box is anything other than a waste of resources. Invest in your people and your organisation’s culture. You will reap productivity benefits, reduced staff turnover and increased cyber secure behaviours … and, of course, contact us at CCS if you need help (www.culturalcybersecurity.com).