Often, the cheapest and most effective weapon an MSP can deploy against hackers and malware isn’t new software or a cure-all patch, it is knowledge. And while knowledge is free, the time and resources put into it are not. Still, on a dollar-for-dollar basis, user training is highly effective. In fact, statistics show that security-related risks are reduced by 70 percent when businesses invest in cybersecurity training and awareness.
But information that isn’t effectively shared with others is like shouting into a canyon – no one will hear it. So, how can MSPs make user cybersecurity training more effective? Here are five tips:
Keep it simple
As an MSP owner, you live, eat, breathe, and sleep IT. But most people aren’t you, and those who can use training the most know the least. “So, MSP owners brimming with knowledge about systems and security often overwhelm other people with their knowledge,” says Carlton Barnes, a cybersecurity instructor in Nevada.
“Most people don’t know about kernels, shells, BIOS or Linux,” warns Barnes. “All these terms that are part of your daily vocabulary are like a foreign language to the average person, so shelve all that and stick with the basics. If you want to have more advanced training for those employees with a bit more knowledge, then feel free.”
An effective cybersecurity presentation will explain the topic so that an elementary school student can understand it. “Because most people, obviously there are exceptions, have a very elementary understanding of cybersecurity,’ Barnes shares.
Make it entertaining and/or engaging
There’s a lot of competition for attention in today’s world and people don’t want to be bored. Instead of talking about the firewall and lateral movement in the network, make cybersecurity fun using emojis. Or you could talk about how someone in human resources planning their baby shower accidentally clicked a phishing email instead of ordering party hats.
“Cybersecurity is a very serious topic. You want employees to take it seriously, but that doesn’t mean you can’t have fun while delivering the information,” Barnes says.
Games, charts, props, and anything to make the presentations visually appealing and engaging are a good start. “I saw one cybersecurity presentation where the two experts came in, one dressed as a fox the other dressed in a chicken costume to illustrate the fox in henhouse consequences of a hacker getting in,” Barnes recalls. “It seemed odd to see these characters in front of a room full of accountants and budget analysts, but everyone was laughing and engaged. I think they came away from that presentation with a lasting impression.”
People are busy. This is important, but so are budget meetings, Zoom calls, and after-school soccer schedules. You can do a lot in a half hour, but do more than that, and people will get resentful. They’ll tune you out; they’ll turn their attention elsewhere or start scrolling through their Facebook feed.
“Be fun, fast, and effective in your presentation, or you’ll quickly lose your audience,” Barnes advises.
Make it actionable
“People want to feel like they are doing something to contribute to the organization’s cybersecurity,” Barnes says. “People, in general, like the direction at work.”
Therefore, it is important to give people actionable items in the form of a “cybersecurity checklist.” A few quick tasks that they can do, for example, include:
- Change passwords once a month
- Don’t use social media at work
- Don’t do work on personal devices
“Those are just some basics, but everyone can perform those tasks. Each step someone takes may not seem like a big deal by itself, but it is a big deal if everyone does them. Cybersecurity is like a giant rowboat, and it only gets somewhere when everyone picks up an oar,” Barnes continues.
Create stakeholders out of workers
Finally, it is important to communicate how ransomware, malware, and the like can impact people on a personal level.
“People are inherently self-interested. Suppose you talk about how the company will lose $5 million. That might not resonate when they struggle to pay their rent, and the company CEO has three homes. Instead, talk about how the company losing money impacts bonuses, vacation time, and benefits,” Barnes says, adding that instilling corporate pride is vital so that everyone wants to protect the organization. “Effective cybersecurity training should make everyone into a mother hen when it comes to being protective,” he concludes.
Photo: fizkes / Shutterstock