Generic versus bespoke cyber security training: What’s the…
20th January 2016
Cyber security affects everyone. High-profile businesses are victims of malicious hacks, but more frequently data security breaches occur because ordinary staff make avoidable mistakes.
Whatever your strategy for keeping your data safe, training your staff in potential threats and making sure they can deal with data securely is critical to reducing your risk of a breach.
For some organisations a generic, off the shelf option might be the most suitable, but others will benefit from a custom-made training approach.
We’re going to run through 5 questions you can ask to work out which option would be best for you.
When do you need the training?
If you’re in a rush to get the training delivered to your staff then off the shelf is going to offer the fastest option.
In some cases you aren’t going to be able to offer a comprehensive programme that deals with the nuances of your case and you may decide the minimum requirements are enough.
When a short time scale isn’t critical, it’s worth considering bespoke cyber security training from a provider who can assess your needs in depth. Once a custom-made elearning course is completed it can be deployed quickly, but the creation does take time.
Having more time to create the course means a detailed assessment of the needs of all the different roles in your company can be carried out. It’s even possible to create a short course with the core elements, test it, and produce more to fill in knowledge gaps.
The biggest benefit of a bespoke approach is its flexibility: changes can be made at each stage to ensure your individual needs are met.
How much of your data security is off the shelf?
Many consultants warn against using an off the shelf data security strategy for your business. There are concerns that a one-size-fits-all approach to security means many companies overlook risks that are unique to them.
Parts of your cyber security procedures will relate to legal requirements for the data you store, and as such a part of the training is going to match those processes.
The Data Protection Act, for instance, controls how a business can use personal information from customers or clients. It’s likely that some of your procedures will deal with the requirements of this act.
Training on how to deal with information requests from customers will need to be undertaken by many frontline staff. This type of training could be delivered using a generic course that offers a good grounding in the key points of the law and how it relates to the type of data held by your company.
Harder to handle are the exact processes in your organisation that are unique to your situation, often as part of meeting legal requirements. This is where a custom-made or bespoke cyber security training course comes into its own.
Elearning can offer an advantage over traditional training in this case by allowing one course to be built which incorporates the requirements of different roles and enabling the employee to select the relevant route.
How many staff need cyber security training?
The Verizon 2015 Data Breach Investigations Report identifies 9 categories of breach. Two categories, miscellaneous errors and insider misuse, make up 50% of the incidents they recorded in 2014.
Insider misuse is the phrase used to describe data breaches caused by trusted parties within an organisation. Many of these incidents could have been avoided had better training been available to the staff involved.
Your instincts might be to offer training to network administrators and other technical staff, but the Verizon report shows that non-technical end users are responsible for 37.6% of breaches caused by insider misuse.
The answer for most modern businesses is to provide all staff with cyber security training. They don’t all need the same course but they all need some sort of education on the responsibilities they have to keep information secure.
Off the shelf training is often priced per user. If you have a small workforce that requires very similar training, this is likely to be the most cost-effective option.
The costs quickly escalate when large teams are involved, and the more employees, the more likely you are to need to cover different knowledge areas.
A company employing 100 people or more will likely see a better return from a bespoke solution. The training can be tailored to the needs of various roles and as the number of users increases the cost per user goes down.
Does your training need to be delivered in different territories?
Multinational companies have more challenges when it comes to cyber security training. Not only do laws differ between countries but the infrastructure and hardware systems are often different too.
Add the language translation and localisation requirements into the mix and it becomes incredibly hard to offer a consistent, off the shelf solution that meets the needs of all employees.
Elearning can be delivered online, translated and localised quickly and is more easily tailored to the different hardware devices it’s likely to be used on.
Using responsive elearning can offer a true multi-device training programme that doesn’t need to be redesigned for all learners.
A custom-made course can take into account the different geographical areas in which it will be needed, making it even easier to localise the relevant content from the outset. If you’re a multinational company, bespoke training is usually the best option.
Is off the shelf training personal enough?
We know that employees react better to personalised scenarios. If you can explain the specific risks and benefits to a member of staff using a situation they are familiar with, they are more likely to retain that knowledge.
Custom-made elearning is one way this can be achieved. Using techniques like branching scenarios you can even take into account different staff roles within the same course.
If you find your staff lack enthusiasm for training this can be one way to engage and motivate them to increase their performance.
As well as making the training personal to the learner, you will also want to put your own brand identity on the course. Using generic content makes this impossible beyond the most basic steps of adding logos and tweaking colours.
A custom-made elearning course can incorporate the company’s style and branding to make sure it’s consistent with the culture of the organisation.
Where do I start?
Alongside answering these five questions, it’s good to also review your current data security strategy. If you don’t already have a formal strategy in place there are resources available to help create one.
Many guidelines are available to help identify areas that could be at risk and possible ways to prevent breaches. Symantec’s Security Threat Report has a brief check list which is a great starting point for analysing your information security processes.
For a more in-depth assessment, the National Institute of Standards and Technology (NIST) produce the Framework for Improving Critical Infrastructure Cybersecurity, which goes into much more detail.
If you want to talk about a bespoke cyber security elearning programme for your organisation, get in touch.