Integrating digital and in-person training: a cost-effective approach to foster a security-first culture

When the World Economic Forum stated in its 2021 Global Risks Report that 95% of cybersecurity issues can be traced to human error, you’d expect cyber security training to be at the top of any organisation’s strategic priorities.

Even the widely-known Waikato District Health Board (DHB) cyber attack that year was believed to have been caused by a person opening an email attachment. This incident highlighted the critical importance of robust cyber security training and awareness programs to prevent such breaches. And yet we see many organisations continuing to take an inconsistent approach to cyber security training for their staff. 

The old model of occasional in-person training sessions conducted by a cyber security expert is no longer enough. The cyber threat landscape is constantly evolving. If staff don’t receive ongoing, consistent training, they can lack the vigilance or preparedness to handle the increasing sophistication of cyber attacks.

Sporadic or infrequent training sessions can lead to gaps in knowledge and understanding. Employees may forget important information or fail to stay updated with the latest threats and practices. Without regular reinforcement, the lessons learned in training sessions can quickly fade. An investigation into the effectiveness of cyber security awareness over time found that staff were significantly better at correctly identifying phishing and legitimate emails up to four months after the programme, but that their performance worsened after six months.

Infrequent training can also result in lower engagement levels. Employees may not take the training seriously if it is perceived as a one-off event rather than an ongoing commitment. This inconsistency can weaken the overall security posture of the organisation. 

So how can we close the cyber security awareness gap? 

Continuous, year-round training keeps cyber security top of mind and encourages active participation. It ensures that security practices are consistently reinforced, helping to embed them into the organisational culture. Regular training ensures that employees are up-to-date with the latest threats and the best practices to counter them. 

Consulting firm Accenture recommends 11 cyber security training sessions to help embed learnings and create a strong cyber security culture among employees. However, with costs ranging from $1000 to $5000 per session, many organisations do not have the budget to maintain this level of training for their staff. 

By combining in-person and computer-based training, organisations can not only help reduce training costs but can also help to embed a security-first culture among staff. 

In-person training allows for interactive sessions where employees can ask questions, participate in discussions, and engage in hands-on activities. It is particularly effective for complex topics that require detailed explanations and it fosters a sense of community and shared responsibility among employees. 

Computer-based training offers flexibility and scalability. Employees can complete training modules at their own pace and revisit them as needed. Training modules can be easily updated to reflect the latest threats and security practices, ensuring that the content remains relevant and current. In the same way, in-person training can be tailored to address shortcomings identified in computer-based training reports, so that upskilling is focussed on the most pressing security elements.

Cyber security specialists can partner with computer-based cyber security training providers to offer their clients year-round, continuous training for staff that delivers great value and results.   

Conclusion 

Security awareness is not a one-time event. It requires a year-round approach to cyber security training to build a resilient and security-conscious organisation. By integrating both in-person and computer-based training, organisations can ensure that their employees are well-equipped to handle the ever-evolving landscape of cyber threats. This continuous training regimen not only enhances the security posture of the organisation but also fosters a culture where security is a shared responsibility. When employees see that cyber security is a priority throughout the year, they are more likely to adopt a security-first mindset. This cultural shift is crucial for the long-term security posture of the organisation. Investing in continuous training is an investment in the long-term security and success of the organisation. 

Supporting your organisation with training

Secure23 offers year-round training for organisations of all sizes, combining in-person and computer-based training. Get in touch to discuss your cyber security training needs.
