There, however, complications may arise. The person who decides staff awareness needs to be raised is not necessarily the person responsible for arranging the training. And although the first person sees an obvious problem, the latter may not solidly understand what cybersecurity training is, how to train staff, or even why the training is needed.
Let’s imagine that you’ve been tasked with raising cybersecurity awareness. First, what does cybersecurity awareness really mean? To nail that down, Kaspersky worked with market research firm to gather input from 5,000 companies around the globe about their understanding of the problem and the impact of individual employees in certain cybersecurity incidents. In short, Kaspersky found:
The “how” part of the equation is also very important. Multiple courses, lectures, and workshops are available. But training means spending time and money; you need to be sure you’ll get results.
Take, for example, the problem of incident concealment. You can gather employees and tell them that reporting cybersecurity incidents is important. They will probably say they understand — and keep concealing the incidents, hoping to evade responsibility.
A better approach is to understand their motivation first. In many cases, employees were informed of the strict rules by their managers or information security officers, but no one really explained the rules. Sometimes, management and the information security team also require training — training on explaining the rules.