All the secrets of Cyber Security: Cyberoo's blog.

Cybersecurity Awareness: A Practical Guide to Objectives and Key Factors

Written by Luca Bonora | 25 March 2026

When we talk about training, we are talking about people, and I often hear it said that, in cybersecurity, people are the weakest link in the chain.

People are, in fact, the company’s first firewall. In this article, we look at the importance of the training needed to make every employee a valuable asset for corporate cybersecurity.

People: the company’s first firewall

It is important to recognise that every company can benefit from implementing effective tools to improve its cyber resilience. Investing in continuous training and the sharing of company policies helps to keep employees alert, thereby helping to prevent human error and ensure a safer and more secure working environment.

This statement has always underpinned a view of cybersecurity as a process to which many factors contribute: corporate systems and the solutions used to defend them, the rules and standards the company adopts and communicates to its employees, and, of course, the people who, through their training, represent one of the most important bulwarks of security itself.

Training for corporate users, which we shall refer to as Cybersecurity Awareness, is the means by which we update the company’s first firewall. It provides the knowledge and awareness of the cyber risks to which the organisation is exposed, and it can make the difference between knowing how to tackle and manage a cyber attack, such as phishing or ransomware, and passively suffering it.

People are constantly targeted by cyberattacks such as phishing, social engineering and malware infections, and when these are enabled by unwitting or distracted behaviour their impact grows considerably.

Cybersecurity Awareness: objectives

Cybersecurity awareness serves to ensure that attacks are limited and have little impact. Essentially, whilst it is true that IT systems and advanced security technologies are fundamental to protecting the company, people are the first and fundamental layer of defence, and they can significantly reduce the risk of attacks through informed and prudent behaviour. Awareness achieves this through four elements:

  1. Informed behaviour: many cyberattacks rely on manipulating people. For example, if an employee avoids clicking on a malicious link in a phishing email, they can protect the company network from malware infiltration.

  2. Protection of sensitive data: people trained to recognise threats such as social engineering, trained to use strong passwords and to comply with company security policies, make all the difference and enable even highly complex attacks to be thwarted.

  3. Early detection of suspicious activity: employees trained to recognise suspicious activity or anomalous behaviour within company systems can act as ‘watchdogs’, promptly reporting such incidents to the security team.

  4. Individual responsibility: cybersecurity is a shared responsibility. Every well-trained and informed employee helps reduce the risk of vulnerabilities, because trained staff respond promptly and people are the most widely distributed resource across the entire corporate infrastructure.

Phishing: training to avoid falling for scams

The European Union Agency for Cybersecurity (ENISA) reports on cybersecurity across Europe place strong emphasis on security awareness, reinforcing the message that organisations must develop and maintain robust cybersecurity awareness training.

These reports highlight how phishing attacks and other forms of social engineering are among the most widespread threats, exploiting a lack of awareness among employees and users, and how preparation and continuous training are therefore essential to prevent such threats.

Companies are investing increasingly in awareness programmes, but investment in specific and ongoing training for employees still lags well behind. Although 71% of EU companies recognise cybersecurity as a priority, 74% have not provided adequate training or awareness initiatives to their employees, which highlights a critical gap between strategy and implementation.

In fact, despite awareness-raising efforts, many organisations have not yet defined a clear and measurable strategy to improve cybersecurity awareness. The creation of metrics and performance analysis could lead to more tangible improvements.

I would add that technologies such as artificial intelligence and machine learning algorithms can support security training: they can identify risky behaviour and, on that basis, suggest personalised training pathways.

Implementing Effective Cybersecurity Awareness

We believe that effective cybersecurity awareness requires certain fundamental steps: involving the organisation’s structures, defining a proper security policy, and adopting innovative training tools that support continuous assessment of learning, so that the expected objectives are actually achieved.

First and foremost, it is essential to understand the current state of cybersecurity competence within the organisation by identifying the areas requiring improvement for each individual employee. During this assessment phase, and in every subsequent stage of training, it is vital to track both critical aspects and progress through appropriate metrics used to determine the effectiveness of the training programme.

Cybersecurity Awareness: 5 Key Factors

In any proper training programme, it is essential to identify the key factors driving individual employees’ engagement and willingness to develop:

  • The motivation of participants: an aspect achieved both through an understanding of the company’s motivations driving the training process and through continuous engagement via balanced, challenging and engaging activities.

  • Corporate commitment: by leading the initiative, the company clearly demonstrates that corporate cybersecurity is a vital process that involves every key element, gives people their rightful role, engages every hierarchical level, and acts as both an example and a driving force for change.

  • Continuity of activities: just as with hardware, software and, in general, every corporate resource, the company’s first line of defence (its employees) must also be subject to constant updating. This is not achieved through patches but by working towards the continuous development of skills and awareness, via a well-organised training plan that provides for ongoing updates throughout the year and over the years.

  • The timing of activities: the tools made available to employees must be adaptable to the individual needs of the employee themselves, both in terms of learning ability and attention span, and in terms of the amount of time they can dedicate to them alongside their regular work duties.

  • Metrics that demonstrate whether or not there has been an actual improvement in the company’s performance in the field of cybersecurity.

Precisely with regard to these metrics, an analysis of market solutions focused on security training shows that there is no single, one-size-fits-all formula to follow: the cybersecurity awareness programme must be designed, right from the planning stage, to be ‘tailored’ to the organisation and appropriately calibrated to leverage the key resource it is aimed at: people.

People who must be engaged, for example, by using gamification techniques and making use of multimedia material capable of capturing attention. Such engagement, of course, cannot be separated from a careful analysis of the cognitive processes and emotional factors that play an essential role in maintaining focus on the programme.

Only through a carefully designed cybersecurity awareness programme is it therefore possible to ensure that a culture of cybersecurity takes root within the virtual perimeter of organisations, thereby supporting the security of corporate data – which, above all, represents the element to be protected and the most attractive target for a criminal hacker.

This take-up must be all the more rapid as the adoption of corporate policies involving the use of artificial intelligence increases, with the practice of remote working and the use of mobile devices becoming established, and with the growing use of IoT and, more generally, digital technologies within the context of Industry 5.0.

By Luca Bonora - Cybersecurity Evangelist, CYBEROO