Most companies offer recurrent training to their employees, from how to use Excel and create PowerPoint presentations to life skills like first aid, how to talk in front of other people and ways to improve at their job. Now that the Internet and email correspondence, as well as other communication platforms and file sharing, make up a huge part of everyday business, companies have been waking up to the fact that their employees need cyber security awareness training to use these things correctly and safely.
Hackers Target Individuals, Not Systems
Once upon a time, hackers simply hacked the software or systems. Companies then invested in state-of-the-art firewalls and security systems which made it next to impossible for hackers to get in. So why do we still have breaches, leaks and theft of valuable private data?
Hacking individual people has become the way to go for cyber criminals. And it’s easier than getting through firewalls and code. Hackers now rely on employees, from administrators to on-floor staff, to make mistakes and let them in. This can be done in various ways, from regular phishing to spear phishing, false links or attachments, unpatched software, pop-ups, USB drops or tailgating, even good old-fashioned spying and eavesdropping.
The threats are everywhere, and one click of a mouse could mean the difference between thriving and failing. Therefore, more and more companies are realizing that they need a strong security culture and have started cyber security awareness training with their employees.
Don’t Let Your Cyber Security Awareness Training Bore Your Employees
So, what kind of cyber security awareness training have companies been offering their employees? Many have gone with the generic hour-long (or more!) mandatory lecture on the threats and pitfalls of the internet. This type of training takes employees away from their important work and disrupts their workday.
Several studies have shown that employee training can be ineffective when done this way. A McKinsey & Company report found that only 25% of respondents felt that training programs had measurably improved performance. Online training company 24/7 Learning published a study in 2015 that showed that only 12% of employees apply new skills learned in training to their jobs. Lectures and seminars are, simply put, ineffective.
Ditch the Lectures
While companies spend hundreds of billions on employee training each year, keeping training going just for the training’s sake would be a mistake. Companies now find that they need to tailor the training they offer to the people receiving it. Mandatory cyber security awareness training that takes employees away from their desks, and effectively sets them back in their schedule, is not likely to succeed. And what’s worse, it gives a false sense of security. Employees will resent the training on principle and lose focus. Additionally, retention of knowledge will be minimal when employees arrive at their training with a negative mindset.
By 2025, millennials will make up 75% of the workforce. By now, they have already surpassed GenXers as the largest generation in the workforce. Used to watching videos, accessing social media posts, searching for retailers and products online and checking their accounts multiple times a day, millennials are used to getting their information quickly and in small pieces. This is also the case for other generations: everything outside of work is delivered in small doses.
To train these employees, we now need to think about how they are used to getting their information. Microlearning is a method that uses small moments of learning to drive employee development. It is short, to the point and builds on the employee’s general knowledge. Microlearning serves as a reminder of previous knowledge or a previous issue and is based on short, repetitive learning to increase long-term comprehension.
Cyber Security Awareness Training That’s Short and to the Point
Studies have shown that employees are more likely to use their company’s LMS (Learning Management Software) if the lessons are shorter. Long courses are harder to focus on and get in the way of productivity. Every company with a healthy respect for the cyber risks out there should want to offer only the best available training methods to their employees. Doing so saves both time and money for the company and helps the employee learn and retain more knowledge.
Busy employees might not have 20 minutes to spend on a training course, but getting them to spend 1-2 minutes learning about just one topic that will help keep their company safe will be much easier.