How to Best Train Your Company for Cyber Risks


Employees have indisputably become the greatest vulnerability to a company. Despite more individuals becoming savvy to the online risks that could leave them and their company vulnerable, the number of hacks from the likes of phishing scams, malware vulnerabilities and hacking continue to climb. Thirty percent of employees still are unaware of what the terms ‘phishing’ and ‘malware scams’ actually mean. Considering the growing number of attacks, risk management need to step up their internal training.

Implementing risk management training begins at the interview phase. Establishing a prospective employee’s knowledge of cyber vulnerabilities should not be an overlooked consideration. After all, one individual’s perception of risk could differ significantly to someone else’s perception.

As risk management maturity sits at base level for most companies, vulnerabilities created by employees are understandable. More thorough risk management training is the answer. This training needs to thoroughly outline a company’s stance on risk-based decision-making. Stances on emails, personal device policies, passwords, company data and social media should be among topics covered.

Training needs to move beyond a thirty-minute base-line presentation. No matter how time poor employees are, a thirty-minute annual lecture is not going to have the desired effect. This style fails to instil cyber awareness, nor does a handout or one-time training.  Risk training should occur often and separated with regular email updates. This continuous training provides the chance to update employees with policy change whilst alerting to the latest phishing trends. In between this training email should be used to alert to current scams and as a reminder to remain vigilant. The fast-paced cyber environment requires this continual attention and re-training. No employees should be exempt from this training – senior management, for example, can benefit just as strongly from continual training as a graduate hire.

“Training is different than awareness” says Perry Carpenter, chief evangelist and strategy officer for KnowBe4, “training is actually building muscle, building memory, and building a habit around something.” To wholeheartedly implement risk management into the business, this training should not be overlooked.

Setting the tone from the top is another priority when developing risk culture. Board members, executives and senior management need a uniformed, consistent approach as they set the tone for risk cultural development.

The risk of phishers, hacktivists and cybercriminals is only growing in occurrence and severity. The outline training should be base-line practices. Many employees are simply failing to apply the risk management practices that most companies have in place. From not clicking dodgy email links to personal device usage, risk management must remain vigilant in order to combat cyber crime.

Back to article list