You need to conduct a cybersecurity training session… Can you hear the groans already? Here are a few ideas to make your cybersecurity session one of the most talked about lunch and learns ever.
Queue this up: We are in the “trust” business
Ask an attorney what business she is in, and she might say “legal counsel” or “I help clients protect their business” or “I help with legal contracts.” Dig even deeper and she’ll tell you she is in the business of “trust” as much as giving legal advice.
Set the tone for the lunch and learn by queuing up trust as the focus of cybersecurity. Just as clients trust you to protect their assets from diminishing in value, cybersecurity is about protecting your clients’ assets from theft.
If you (the trainer, compliance officer or business owner) approach cybersecurity training as “we have to do this because it’s a requirement,” good luck getting employees to treat it seriously – no wonder they think it’s a hassle. If, instead, you make cybersecurity about trust (“Our clients’ trust is our most important asset. Here’s how we think we can provide that security and protection”), you’ll get a much better outcome.
Action: Encourage your team to look at cybersecurity as a business risk instead of a compliance hassle or government requirement.
Make it personal
Deliver cybersecurity advice in the context of your employees’ personal computers. Once employees begin thinking about themselves and their own protections, engagement goes way up.
When you explain what they should be paying attention to at home, you’ll get lots of great questions, like “Is this a risk?” or “I did X – should I have not done that?” For example, they shouldn’t permit their kids to plug a flash drive into their laptop because it could be contaminated with malware. Knowing it puts their home computer at risk, they’ll be better able to relate the danger to their work computer too, and be more diligent about safe document sharing practices.
Another example: They should check that encryption is enabled on their home wireless router so no one else can access the data transmitted within their home network.
Action: Make the idea of cybersecurity risk personal and relatable to employees.
Live from your firm, it’s cybersecurity training!
Craig Watanabe, Senior Compliance Consultant at Core Compliance & Legal Services, Inc., recommends that cybersecurity training always be provided live — not a recorded session or video employees can watch (or skim) on their own.
Providing live training means you may need to schedule more than one time slot to accommodate everyone’s schedule. Not only will you get better participation, you’ll also get a better idea of their level of understanding. A cocked head and funny face can either mean, “I don’t get what you’re saying,” or “Oops, I’ve done that in the past.”
Action: Plan live compliance training when people are in the office.
Create case studies
A great way to provide new employee training is to make case studies (without naming names) of any known cybersecurity incidents. One of the best ways to engage employees about cybersecurity is to learn from real life scenarios, particularly errors or close calls.
A case study could be an email someone received where they were tempted to open a completely legitimate-looking attachment. Or an employee who went to make a trade, and verified it personally before placing it, preventing fraud as a result.
To build a case study, ask employees to send you screenshots of emails or email attachments they’ve received or have been tempted to open. Case studies don’t have to be mistakes someone made. It could be a mistake someone prevented by being security-conscious. If you choose to illustrate a case with someone’s mistake, check with that employee first. Nobody likes being put on the spot.
Work your case study from start to finish — When an email request from a client asked for an updated copy of their contract, what did the associate do?
Action: Create case studies from real-life scenarios.
WWYD (What Would You Do?)
Follow up on a case study with some role playing. Break people into groups and ask them to read their assigned scenario and determine what they would do in that situation. Then, have a spokesperson from each group summarize their findings to the entire group.
For example, set up a real-world scenario where an email came in from a client asking for the transfer of a confidential document by close of business that day for a legitimate reason. You know they need to have it signed in order to move forward with their case, so it's time sensitive. Their email contains a variety of personal and case related information. What would you do in that situation?
Action: Break into groups and consider potential scenarios and their solutions.
Reward Key Takeaways
In a final wrap up, ask for questions and key takeaways they learned from the session. Some firms toss out mini treats — movie tickets, candy, Starbucks cards, etc. — for participation and correct answers.
Send Drip Follow Ups
Cybersecurity is such a moving target, and it’s easy to forget a key tip. Compliance trainers recommend sending out one cybersecurity tip each month between training sessions so cybersecurity stays top of mind.
In addition to reminders, you could also offer a prize drawing. Simply ask a cybersecurity question and then offer a prize drawn from all of the correct responses you receive. This allows you to celebrate great answers and shows what type of education is still needed based on any incorrect responses you receive.
Display the question and correct responses in a staff meeting, on your intranet or in other firmwide communication. The idea is to keep cybersecurity top of mind without being boring or so frequent that it drowns out the message.
Action: Keep employees engaged with interesting follow ups so cybersecurity stays top of mind.
To make your lunch and learn fun and engaging, set it up as a workshop style session instead of a presentation only. Use personal and real life examples from your firm, along with breakout sessions to discuss actual scenarios in small groups. Celebrate with prizes when attendees share what they learned. Finally, provide rewards when people respond correctly to monthly cybersecurity questions.
How do you know you’ve been successful? Besides reducing the risk of cybersecurity incidents, you’ll hear people spontaneously talking about cybersecurity (outside of training)!