Editorial

Remote working: Are you getting employee cyber training right?

Dr Lee Hadlington, senior lecturer in cyberpsychology at Nottingham Trent University, explains how employers can limit the cybersecurity risks associated with remote working with the right approach to cyber education and training

Posted 17 December 2020 by Christine Horton


There has been a significant rise in cyberattacks in the UK over the last 12 months, with more than nine out of 10 cybersecurity professionals reporting that attack volumes have increased due to more employees working from home during COVID-19 stay at home orders.

The rush to establish remote workforces has led to organisations inadvertently exposing gaps in their cyber defences. Importantly, too, changing working patterns and employee behaviour make it more difficult to spot potential attacks.

Dr Lee Hadlington, senior lecturer in cyberpsychology at Nottingham Trent University provides some insight into how employers can mitigate the threat though cyber education and training for employees.

Explore what your employees know

“All too often, employers make massive assumptions about what their employees should know or should be doing in the context of information security,” said Dr Hadlington.

“From research, we have noted that this is a considerable overestimation, and often the knowledge employees have is incomplete, or prone to exaggeration. If the foundation upon which employees are making their decision about information security awareness is flawed, then their respective behaviours will be too.”

Dr Hadlington says exploring the knowledge of your employees doesn’t have to be a massive undertaking, and it doesn’t have to be boring and disengaging.

“Approaching this by using monthly quizzes and focus group sessions can provide some quick feedback, as well as making employees ensure their views or opinion matter.”

Ensure that training and education is relevant and engaging

Also, Dr Hadlington says organisations can also fall down when it comes to the training they often provide.

“A usual conversation I have with employees around information security awareness is about their training and education. The stock response to the question ‘Do you get any training?’ is usually ‘Yeah, it’s an online course, I didn’t really pay much attention to it, and you get loads of attempts to pass if you get stuff wrong!’.

“Many companies attempt to tick the information security awareness box with off the shelf, one-size fits all training packages. They are generally (and I know, I have watched most of them) boring, dull, unengaging, filled with irrelevant information about rules, policies, and acronyms. Most employees gameplay these sessions, retain information just to pass, and actually remember very little about what they have learned. Creating a training programme that is both engaging, informative, and achieves its key aims doesn’t mean you have to employee celebrities, or do snazzy, over the top events. The key here is to keep it simple, focus on the ‘if we know what our employees don’t know, lets target this and use this in training’.

“Again, focus group sessions are an effective mechanism of approach this, and this can be done in a cascade process where employees train other employees. Similarly, engaging guest speakers has also been shown to be an effective way of getting employees to think about their actions, and can inform debate and discussion across all groups.

“Regular feedback about how their behaviours is helping the organisation (for example, we stopped X number of attacks this month) is also important – it helps the employee know they are doing something.”