Why Security Training Starts With Your People

It's seen as an expense that takes staff away from their work, but security training can pay dividends.


One US report found that annual financial losses dropped from $683,000 to $162,000 when new recruits were given security training, while, closer to home, 88 percent of cyber attacks in the UK over the past two years have been attributed to human error, according to the Information Commissioner’s Office (ICO).

Consequently, security training should be seen as every bit as important as implementing technical security controls.

So where is security training going wrong? There’s often a tendency to use compliance or policies as the foundation for training, but while this ticks the audit box, it can leave training outdated or uninspiring.

Others use a recent attack such as WannaCry or the BA breach to illustrate the repercussions of an attack, but is this really relevant to your employees? Even threats such as CEO phishing are only of real relevance to those in the Finance department. What you need to focus on is the common denominator: user experience.

Getting personal

To speak to all employees in a way that gets them onboard you need to get personal.

Employees don’t see security as their problem – it’s yours – but tell them how their social media profile could be hacked, or how oversharing personal data or granting too many permissions to apps on their mobile could get them into hot water, and they’ll sit up and listen.

By focusing on what resonates with employees and showing how their digital selves could be compromised, they’ll be far more willing to listen to you and buy in to the controls you advocate.

Before you even start, however, you need to think about engagement. Involve the marketing team so that you can publicise and build interest in the event and think about timings – lunchtime briefings with food work well.

Consider additional opportunities to provide guidance, such as a drop-in centre for staff with IT or software problems (whether at work or at home). Avoid blanket bans and a blame culture, and provide solutions to mitigate the risk of shadow IT.

It’s all in the delivery

When it comes to delivery, focus on making it entertaining. You want your audience to enjoy themselves and not switch off. Try to look for examples that have an amusing element, and don’t be afraid to satirise yourself. Be anecdotal and use live demos to illustrate your point.

It’s relatively simple to set up attachment-based phishing attacks, clone real sites and create fake Wi-Fi access points, for instance. Show how Wi-Fi and Bluetooth can be abused and harnessed.

You could even use some audience participation and check Have I Been Pwned to see if their email addresses have been compromised in data breaches.

The training programme itself should be tailored to the business but some stalwarts to include are:

· Current/recent attacks:

Illustrate your point with attacks the business has blocked or sustained, taking care to anonymise any personally identifiable information.

· Mobile phone settings:

Encourage simple changes like moving up from a six-digit to an eight-digit mobile PIN. Provide guidance for a range of operating systems to make the information relevant to everyone.

Think about personal mobile devices and offer suggestions on turning off features accessible from the locked screen, using adblockers and antivirus, installing updates and checking app permission requests. Tie in the work mobile policy here.

· Social media:

Highlight the danger of over-sharing details such as location or date of birth, and how photos can provide a wealth of information such as a physical address.

Lock down profiles to contacts only and limit profile visibility on search engines. Be sceptical of friend requests. Use blocking tools. Provide guidance on how to block, mute and report offenders. Tie in the work social media policy here.

· Home PC/Mac controls:

Suggest setting up different user profiles for shared computers and implementing parental controls. Highlight the importance of traditional security defence mechanisms such as anti-virus and firewalls. (Mac users often neglect to install AV.)

· Passwords:

Show how to set effective passphrases. Explain the need for complexity. Recommend password managers. Consider advocating 2FA once you have educated on the need for good passwords and a password manager. The NCSC provides excellent guidance on passwords.

· Other policies:

The need for a clear desk. The importance of physical security, i.e. door entry controls. When and how to use removable media safely (consider offering a USB amnesty).

Finally, consider how you will keep the message flowing. Provide additional resources, i.e. flyers, posters and CBT-style training, as well as regular comms, and monitor the channels most used (i.e. email, instant message or the intranet).

These should then be exploited and used to communicate with employees regularly going forward, to ensure the training not only influences but changes behaviour.

Tony Gee is associate partner at Pen Test Partners.
