Companywide Cybersecurity Training: 20 Tips To Make It ‘Stick’

Forbes Technology Council

When it comes to cybersecurity, a company’s team members are its first line of defense. Unfortunately, they are often also its greatest weakness—especially when it comes to those who aren’t particularly tech-savvy.

Training non-tech employees in cybersecurity basics is essential, especially in the remote work era. But teaching non-experts about an esoteric and complex topic can be tricky; it behooves the leadership team to develop strategies to make cybersecurity lessons more engaging and memorable. Below, 20 members of Forbes Technology Council share tips for developing cybersecurity training that’s more likely to “stick” with all employees, no matter their starting level of tech expertise.

1. Leverage Surprise Simulations

Surprise “breach and attack simulations” conducted by third-party service providers have been our way of helping raise cybersecurity awareness. These, along with engaging videos, gamified assessments and revisions, help cybersecurity fundamentals “stick” with our employees. The outcomes of the different attack vectors (which target tech and non-tech teams) are announced in an all-hands meeting to help every employee feel that cybersecurity is their responsibility. - Dr. Venu Murthy, venumurthy.com

2. Avoid Prerecorded Content

I would avoid providing a CD with prerecorded content or a YouTube video with your company’s cybersecurity policy and guidelines. When employees transition to working remotely, conduct live training sessions as part of the onboarding process. Don’t just give an employee a laptop and a VPN; actively train and certify those who are working at home and remote sites for cyber compliance. - Leonard Lee, neXt Curve

3. Tie Training To Daily Activities

Traditional cybersecurity training that’s done in a couple of hours is not effective. One way to make cybersecurity “stick” with team members is to have “training” that happens during their daily activities. This can be done with modern technology. Example: Show a warning and instructive message when a user clicks a malicious URL link, or show a short video clip when a user logs into a phishing site. - Michael Shieh, Mammoth Cyber

4. Incorporate Gamification

Making cybersecurity training engaging for employees is crucial to ensure that the information is retained and applied effectively. Make such training more enjoyable and competitive by incorporating gamification elements. By turning the training into a game-like experience, you can tap into employees’ intrinsic motivation and encourage active participation. - Jane Medwin, LEAFIO AI

5. Stress The Personal Benefits Of Cybersecurity Knowledge

Cybersecurity awareness and best practices are, simply, an attribute of high-quality work, just as thorough analysis, quality of conclusion(s) and presentation (to name a few) are. “Connect” the value of being cybersecure with the employee’s personal universe. In other words, stress that what they learn and apply in the business environment is just as important and valuable in a personal setting. - Gus Malezis, Imprivata

6. Engage In Role-Playing Activities

Incorporate role-playing activities and team exercises into cybersecurity training. Assign different roles to employees—such as a hacker, an employee facing a security incident or an IT support specialist—and encourage them to act out different scenarios. This approach helps employees understand different perspectives and promotes collaborative problem-solving in a fun and engaging manner. - Deepak Tiwari, Sagenext Infotech LLC

7. Provide Context

Providing employees with the full context of why cybersecurity training is essential can help a lot of them take it more seriously. Understanding that the entire business—including their own jobs—could be destroyed or harmed by a compromise or breach is a significant motivating factor that can help team members not view training as a “chore.” Sharing true horror stories from other companies can help here as well. - Aaron Mendes, PrivacyHawk

8. Don’t Limit Training To A Few Times A Year

Instead of having employees go through security training on a quarterly basis, employ a strategy of consistent security training. We believe in constant testing and improvement—we find this keeps employees on their toes and keeps them vigilant. That stems from the security culture that we have built: Everyone understands protecting our business and customers is part of the job. - James Foster, ZeroFox

9. Tailor Training Programs

Often, cybersecurity basic training assumes all are equal. A training program should be tailored to improve an employee’s level of knowledge. For example, a non-tech employee could be a gamer who is knowledgeable about social profiling but is unfamiliar with third-party risk. Create pre-assessment tests to help you tailor cybersecurity training to the areas in which an employee shows knowledge gaps. - Christine Halvorsen, Protiviti

10. Make Training Accessible And Interactive

Engage non-tech employees in cybersecurity training through gamification, scenario-based exercises, simulated attacks, multimedia content, practical tips, ongoing reinforcement and role-specific training. Make it accessible and interactive for better knowledge retention in remote work settings. - Fidelis Chibueze, Fixtops Technology

11. Make It Fun (Even Playful)

Make it fun—for example, you could get memes going. When I worked at Twitter in 2012, we had a fun practice: If an employee left their computer unlocked at their desk, someone would send an email to everyone at the company from that employee’s account with the subject line, “I love flowers.” We called it “flowering.” - Chinmay Barve, Mixpanel

12. Build A ‘Cybersecurity Boot Camp’

Think about revamping your cybersecurity presentation into a “cybersecurity boot camp.” Replace daunting tech jargon with captivating challenges, morphing cybersecurity education into a contest. Teams of non-tech staff can gather “cyber fit points.” To solidify the learning, employ educational psychology techniques such as spaced repetition, ensuring skills are thoroughly and often refreshed. - Felipe Fernandes, Pi Tech

13. Try VR Simulations

Virtual reality simulations in which employees experience realistic cyberthreats, such as phishing attacks or data breaches, and make decisions in real time to defend against them can be effective. The interactive nature of VR allows for hands-on learning, promoting engagement, knowledge retention and the development of critical cybersecurity instincts. - Avani Desai, Schellman

14. Incorporate Real Cyberthreats

You can make cybersecurity training engaging by incorporating sessions with real cyberthreats. Employees dealing with pragmatic threats will retain the knowledge of actual attacks and will adapt to the training in a practical way. You can also employ interactive cybersecurity quizzes—the opportunity to earn points, rewards or incentives will bring out employees’ competitive edge. - Vinita Rathi, Systango

15. Create Role-Based Simulations

Role-based simulations enhance training effectiveness. Here are a couple of examples. HR managers can simulate handling requests for employee data from unknown sources. Marketing managers can engage in simulations to safeguard customer data. Relevant scenarios improve learning and retention. - Mani Padisetti, Digital Armour

16. Use The ‘Red Team’/‘Blue Team’ Model

In certain cybersecurity audit companies, there are two teams, known as the “red” team and the “blue” team. To make the cybersecurity learning process more engaging, a gamified approach is employed. In this scenario, one part of the team actively searches for attack vectors and executes them, while the other utilizes the knowledge acquired from lectures or workshops to counter the attacks. - Igor Pertsiya, Hypra Fund

17. Don’t Just Stoke Fear; Provide Tools

Give your team members tools, not just fears. Many cybersecurity training programs just focus on “here are all the things you absolutely cannot do,” but most vulnerabilities come less from unawareness and more from folks trying to take shortcuts to meet deadlines. Instead, do the work on your end to make sure your team has what they need to do their work while maintaining security. - Mike Pappas, Modulate

18. Highlight Potential Damages And Consequences

Engage employees in cybersecurity training by leading with impact: Highlight potential damages and consequences. Add incentives, such as scoreboards and rewards, to affirm desired behavior. Measure and report security scores, and recognize “security culture champions” in all-hands meetings. Keep an eye on your industry peers—if incidents happen, create a relatable educational moment from them. - Christopher Daden, Criteria Corp

19. Use Storytelling And Visuals

Cybersecurity training needs to feel like an engaging journey. First, use storytelling and visuals to make the content relatable. Then, break training down into bite-sized modules and use gamification with interactive scenarios, assessments and simulations. Offer rewards and incentives for completing training or demonstrating good practices. Finally, provide ongoing resources and reminders for continuous engagement. - RJ Phillips, Zoop

20. Begin At Employee Onboarding And Refresh Regularly

To remain SOC 2 Type 2 compliant, we leverage software to train employees during their onboarding journey to make sure they know about major topics, including identity theft, email spoofing and other common areas. We do this check on a quarterly basis so that it really sticks. - Rushabh Sheth, Docsumo