A lot of time and effort is spent trying to create the perfect information security or governance training package to educate staff. This time is often wasted.
Training all too often includes standard key messages, such as:
- Watch out for dodgy emails that might contain a virus
- Do not share sensitive or confidential information with third parties
- Do not install software without checking with ICT
- Report incidents to managers
- And so on
Then staff are dragged away from their work to attend mandatory workshops or required to click on seemingly endless elearning modules.
Stop wasting everyone’s time!
We should regularly ask ourselves ‘what real impact is all this effort achieving and is there a better way?’
The answer, if we are really honest, is that all too often there is very little impact for all the time spent.
The problem with a lot of training is that:
- it fails to take into account that the majority of incidents are not due to a lack of knowledge, but to human error.
- it also fails to recognise that most staff already know these key messages and have heard them many times before, so tend to switch off and not pay that much attention.
However, the main benefit of this sort of approach is that it is easy to demonstrate to senior managers, Board or regulators that staff have received ‘appropriate’ training.
What is the solution?
As a starting point we should have a clear idea of who needs to know what, as different staff groups will need different levels or types of knowledge. Then we can create short tests to confirm whether they already know enough, which will give us evidence for senior managers, the Board or regulators. We can create more focused training materials to fill any gaps in knowledge.
This should free up time for everyone, and we can focus on keeping staff aware of current issues and threats. For example, a friend produced a regular IG newsletter and posters aimed at raising awareness of hot topics. Another option is a discussion forum or the occasional email alert.