Is the annual e-learning refresher training – doubtless supplemented with ad hoc simulation training – enough to ensure your employees really are cyber secure? How can firms ensure employees working from home (WFH) and working from office (WFO) sustain and apply positive and competent in-role decision-making months after the training course?
If, as most cybersecurity professionals accept, the people inside your business are one of your biggest risks, shouldn’t firms be focusing more on effectively analysing individual employee behavioural decision-making (and fixing the gaps as they appear), rather than simply delivering perfunctory, single-point-in-time annual training?
Most firms run some form of cybersecurity awareness training, with most of it taking the format of an annual e-learning exercise that employees often resent but must complete to tick the box.
Some firms also undertake ad hoc simulation training that focuses on topical areas of security threats. It is rolled out to raise awareness of prevalent issues among all employees, and is often backed up with supporting training materials that employees can access on demand.
But how many employees are self-electing to improve their own competency knowledge, and how confident are firms that competency levels are being maintained whilst employees are working remotely due to COVID-19?
A recent study conducted by Elephants Don’t Forget, which was distributed to over 2,000 L&D practitioners, concluded that just 3% of firms have seen a large increase in employees self-electing to consume online training material. In the same study, 65% of firms reported that the volume of training material staff self-elect to consume has remained the same or has actually decreased.
To further compound the situation, in a pre-COVID-19 study that analysed over 74 million individual employee interactions, the data showed that the average competency level amongst tenured employees – many of whom are working in firms within the financial services sector – was just 54%, meaning employees only really know half of what they need to perform their roles without posing a significant cybersecurity or compliance risk.
Now, more than ever, with cyber-crime at an all-time high and investment scams impersonating a regulated financial services firm increasing by more than 600 per cent over the past decade, firms need to adapt their methodology to ensure that employees are supported, assessed, and engaged in cybersecurity competency.
Adrian Harvey, CEO of Elephants Don’t Forget, said: “IT professionals recognise that they must train employees to be cyber secure. Most also accept the current training methodology is, at best, imperfect and, at worst, ineffective. Simply satisfying training delivery – without ensuring competency is achieved and, crucially, maintained – is a sub-optimal strategy. Firms need to continually assess individual cyber capability and when gaps are identified, instantly fix them.”
Traditional workplace security awareness, training and education has a reputation for being mundane, infrequent, or worse, lacking in relevancy to specific roles.
Harvey added: “It’s about consistency. Training at onboarding, six months, and annually does not provide employees with effective patterns of learning behaviour to retain and apply their knowledge. Combine this with the fact that employees are being deprived of vital peer-to-peer learning and face-to-face training due to COVID-19, firms face a huge amount of behavioural employee risk-taking if competency is not being proactively maintained, analysed, and improved.
“We use award-winning AI (Clever Nelly) to augment and support employees, both newly hired and tenured, to continually assess competence and automatically repair any gaps or knowledge fade. It takes less than 1 minute 30 seconds of an employee’s day and usually costs less than £10 per employee, per month. And, unlike anything else your firm might have tried in the past, we underwrite the effectiveness of our AI, with a 100% money-back guarantee if it doesn’t work.”