Intelligent CISO Issue 31 | Page 75

cybersecurity basics. Some companies use scaremongering to motivate employees to learn. For instance, they warn staff they will lose bonuses or will even be fired if they cause a data breach (in fact, 26% of enterprises and 24% of SMBs did so). Unfortunately, fear does not work as a long-term solution to effectively motivate people. It's like throwing a person who can't swim into the water: he or she may reach shore after struggling, but it is highly unlikely they will then love swimming. Instead, a company can position a security awareness course as an opportunity to learn useful information that can be applied in employees' spare time as well. For example, a person who has been told how to identify phishing attempts at work will be less likely to enter credit card details when they receive an email from fraudsters in their personal mailbox.
Course duration and required cybersecurity skills will be regulated
Today, many governments and industry requirements make it necessary for organisations to have security awareness training in place. The Health Insurance Portability and Accountability Act (HIPAA) makes it an obligation for businesses to 'implement a security awareness and training programme for all members of its workforce (including management)'. And according to GDPR, a data protection officer is responsible for 'awareness-raising and training of staff involved in processing operations'. Nonetheless, most regulators today don't enforce a specific course format or duration.
In practice, businesses do what they can to fulfil these requirements and often implement any training available so they can say they are compliant, but with little substance. The statistics above showed that this approach doesn't bring the required results. That's why we think that the regulations in industries where cyberattacks are more critical for business will become more detailed and stricter. For example, there may be requirements on the minimum time spent on security training, or formal competence matrices for non-security specialists. We expect that in this case companies will have to reconsider their approach to how training is carried out. And for employees, the perception will change