GUEST ESSAY: Here’s how to fix what’s wrong with your employee security training

By Marie White

More than ever, chief security officers are being held accountable for keeping their business safe. Phishing attacks, data breaches, ransomware and the ever-increasing access by employees to technology and data are driving this accountability. But there’s only so much that technology solutions can do to protect against threats.

What else should organizations do? It turns out that most breaches are the result of an employee mistake, so looking to their staff as their first line of protection is a critical success factor today.

Security awareness training is now recognized as one of the critical components of a robust security architecture. But are employees getting the security awareness training they need and deserve? Unfortunately not. Too many organizations still choose to provide no security awareness training at all, or simply provide an annual PowerPoint-based training program, or training that is dry and difficult to understand.

Employees often think they’re prepared or think “that’ll never happen to me”—until it does. Then the employee is often too ashamed to go to their boss or IT department after an incident occurs.

The information and best practices the employee received from training were never understood, didn’t seem relevant, or just didn’t come back to them.

What happened? Cyber attacks aren’t changing every five years—it’s more like every five months—and organizations can’t afford to fall behind on security training.

Employees must be armed with the knowledge and skills to protect themselves and their organizations. Traditional, outdated training does little to prepare workers for the deluge of cyber attacks they face, or the risks they create for themselves. There are ways to make a change in the workplace.

Instead of training employees as passive observers, make training interactive and teach actionable, real-world skills.

Recognize that hacks happen

Instead of instilling a mind-set that an incident must never happen, give employees the confidence to speak up, even if they make a mistake.

Instead of focusing solely on security, focus on learning, too. Make training brief, fun and sticky so that it is always top-of-mind when needed.

Instead of focusing on a single type of risk, prepare employees for the range of security threats they’ll face, whether from an external cyber attack or from their own use of technology or access to data.

Hacks can happen even if the staff practices security procedures. Look at the victims of the Twitter Counter breach. No actual Twitter accounts were hacked, but a third-party application was, and the hackers left unnerving tweets on organizations’ accounts. Employees should be prepared for events like this. Practicing real-world scenarios can help prepare for the worst-case events. Training needs to keep up with the technology employees are using and the risks they face.

It’s time to stop using outdated training techniques and for organizations to invest in their employees and assets by providing security training that will make a difference and change the behavior of their staff. They can’t afford not to.

About the essayist: Marie White, CEO of Security Mentor
