How Can CIOs Teach Their Employees About Cybersecurity?

CIOs know that training employees is the key to keeping their network secure
CIOs know that training employees is the key to keeping their network secure
Image Credit: Merrill College of Journalism Press Releases

I think that we can all agree that keeping the company’s network secure is one of the person with the CIO position’s most important tasks because of the importance of information technology. However, no matter how many firewalls we put in place or how effectively we implement two-factor authentication we still need to understand the weakest link in our security system: our employees. What this means for a CIO is that we are responsible for training our staff to not make silly security mistakes. How best to go about doing this? We had better come up with a good solution otherwise all of the fancy security tools in the world won’t be keeping the bad guys out.

A New Approach To Cybersecurity Training

How does your firm do cybersecurity training today? If your company is like most companies, then what you try to do is to scare your employees into doing the right things. Most companies have policies that state that they will punish employees who make security mistakes. What happens when there are polices like this is that all of a sudden security training becomes a big turnoff for employees. Most of the training that we provide to our employees covers things like trying to teach them to not click on suspicious links that they may receive or making the mistake of using a weak password. It turns out that this type of training doesn’t work – employees still end up making security mistakes.

This is the reason that a number of companies are now changing how they approach cyberscurity training. The person with the CIO job is trying all sorts of creative things such as contests and prizes as a novel way to teach employees about how to stay safe when they are online. For CIOs who are not comfortable doing things like this, there are other approaches that allow them to rethink their training courses in order to find ways that will allow the students to become more comfortable interacting with the course instructor. Initial feedback seems to indicate that these types of changes are working.

The reason that CIOs are willing to take at look at how their firms are delivering cyberscurity training (and make changes) is because the largest threat that their firm is currently facing comes from within. The careless employee is the hackers’ easiest way to gain access to the company’s network. CIOs have been trying to teach the company’s employees the correct ways to act when online; however, studies show that 91% of cyberattacks begin with a so-called “phishing” email in which the hacker gets an employee to click on a link that will provide the hacker with access to the company’s network.

Getting The Word Out

The CIO’s goal is to get the employees who are taking the cybersecurity training class to pay attention and learn what they need to be doing. One unique way that they are trying to make this happen is to take the time to train employees who don’t have a security background to deliver the cybersecurity classes. These new trainers are then rewarded with incentives to help out their coworkers by delivering training classes, hosting contests, and basically getting the word out about cybersecurity in a way that is both nontechnical and nonthreatening. The instructors are rewarded with points that can be turned into cash or used to get things that they desire at work such as a special parking spot.

The problem that CIOs are facing is that most of our companies are currently using such things as cybersecurity awareness tests and off-the-shelf tutorials. These simply don’t work. The reason that they don’t work is because employees see them as a chore and don’t pay attention. Unfortunately, no matter how much time, energy, and effort is spent trying to warn employees about even simple security measures, our efforts often fail. In a now classic experiment, in 2015 a security company dropped 200 USB sticks in airports and coffee shops around the U.S. What they discovered is that a significant number of people who found the USB sticks picked them up and plugged them into a computer not stopping to think if they could be infected with malware.

The good news in all of this is that studies have shown that when games and other incentives are used to teach proper cybersecurity behavior, they do make an impact. Employees have been shown to change their behavior after they engaged in a phishing exercise that sent them encouraging emails when they did something right and reprimanding emails when they did something wrong. It turns out that feedback and behavioral reinforcement messaging was found to lead to improvements in risky cybersecurity behavior. CIOs have discovered that if they can use gaming methodology to deliver their cyberscurity training then they can make it competitive between students in the class. No matter how they do it, CIOs need to find ways to make their cybersecurity training effective!

What All Of This Means For You

CIOs are responsible for making sure that the company’s networks are secure. In order to make this happen, we invest in a lot of sophisticated hardware and software in order to both detect and deter the bad guys. However, it turns out that our greatest network security threat comes from the inside – our own employees. This means that the CIO needs to come up with an effective way to deliver cybersecurity training.

Traditionally, companies have delivered their cybersecurity training in a way that was designed to scare their employees into not making security mistakes. However, studies have shown that this type of training is not effective. A much more effective method appears to be to make the training more fun by using contests and prizes for students. This type of motivation appears to do a better job of communicating the information that CIOs want the cybersecurity course students to learn. Another approach that is being used is to train employees with no security background to deliver the cybersecurity courses. This allows the material to be delivered in a non-threating, non-technical way. Many companies are still trying to use off-the-shelf courses to deliver their cybersecurity training. This has been shown to not work. A better approach is to use games and incentives to get this important information across.

The only way that the company’s network is ever going to be really secured is when each and every employee understands their important role in making this happen. The CIO has the responsibility to create and deliver cybersecurity training that will allow this to happen. If we take the time to study what kinds of training work the best, then we can create training that will work at our company.

– Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: Do you think that employees should have to take cybersecurity training every year?

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.


P.S.: Free subscriptions to The Accidental Successful CIO Newsletter are now available. Learn what you need to know to do the job. Subscribe now: Click Here!

What We’ll Be Talking About Next Time

Just in case you’ve been living under a rock for a while, you may not be aware of this thing that is being called the “internet of things” (IOT). What people are talking about when they talk about IOT is the growing number of devices that can be connected directly to the Internet. In a typical work environment this can include everything from copy machines, fax machines, coffee machines, and even video cameras. There are a lot of benefits that come from this connectivity; however, at the same time the person in the CIO position need to become very aware of the downsides that are associated with tying all of these devices to the internet.