Summary

  • Remote work demands a change to how organizations educate employees on cybersecurity.
  • Organizations must adapt their training programs so that their content is applicable and relevant to today’s workplace, while also ensuring that it is delivered in a way that is engaging. 
  • Live learning is the best way forward. This approach involves educating your employees in real-time through channels like Slack, Google Workspace and Microsoft Teams. 
  • When a user performs a risky action, live learning tools stop the employee in their tracks and alert them as to why their behavior was improper.

If you’re like most organizations with knowledge workers, you probably allow your employees to work remotely at least some of the time. This trend is on the rise and, by 2028, it’s expected that 75% of organizations across the world will enable hybrid and remote work.

While the work-from-anywhere approach has its perks, it also raises questions about effective employee cybersecurity training. 

The training evolution

Even before the shift to remote and hybrid work, employee training was undergoing a revolution. The classroom-based away days of the past were fast becoming obsolete, replaced by e-Learning modules and live or on-demand webinars. 

Now, training is yet again evolving to become fit for the hybrid world. 

Today, employees spend the majority of their time communicating and collaborating with their co-workers through applications like Slack, Microsoft Teams and Google Workspace, whether they’re in the office or not.

This new mode of working calls for new forms of training. Organizations must adapt their training programs so that their content is applicable and relevant to today’s workplace, while also ensuring that it is delivered in a way that is engaging. 

With that in mind, here are seven tips to help you develop a successful cybersecurity training program for remote and hybrid employees. 

Learn what doesn’t work 

Training for the sake of training will never result in long-lasting, meaningful change. It can be all too tempting to treat security training as a tick-box exercise, but this is a data breach waiting to happen. Research shows that effective training reduces security-related risks by 70%. Clearly, there’s a lot that organizations stand to gain by getting things right.

To understand what ‘right’ looks like, it can be helpful to gain a deeper understanding of what doesn’t work. So, to start with, here are things to steer clear of as you design your program. As you’ll see in the image below, generic cybersecurity trainings don’t make a difference—60% of employees fail!

So, don’t design a training program that is… 

  • Too lengthy/detailed: A McKinsey report found that just a quarter of employees felt that training programs led to a measurable improvement in performance, while another study found that only 12% of employees apply new skills learned in training to their jobs.
  • Full of jargon: Employees aren’t cybersecurity experts. Many won’t know what a phishing scam is or understand why it’s important not to move data between their personal and company devices. Effective training needs to speak to employees on their level and be easy to understand.
  • Boring: As Gartner notes, “Many employees view security training as boring and hard to understand. Creative, fun or engaging are words rarely associated with security awareness training.” It’s no wonder that 69% of employees have received cybersecurity training from their employers, yet 61% fail basic security tests.
  • A one-off exercise: Did you know that employees only retain roughly 10% of what they learn during formal training? Then, 20% is learned through informal means like mentoring and reading. And the largest chunk—70%—is learned from experience on the job.
  • Old school: If you mandate your employees come into the office for training, they’ll undoubtedly drag their heels. It’s better to meet employees where they are by taking advantage of digital tools that facilitate remote learning. 
  • A one-way street: Being talked at via a pre-recorded video, or having to read endless pages, doesn’t really encourage your employees to learn much. Training that’s dynamic, with quizzes and interactive elements, is much more effective.

[Figure: Graphs showing that most employees fail cybersecurity training. Caption: Generic cybersecurity trainings don’t make a difference—60% of employees fail!]

Establish your goals 

Now you know what not to do, you can start thinking about what you would like to do: your strategy. Common goals that we help organizations achieve through security awareness training include: 

  • Achieve compliance with all regulations and standards we adhere to 
  • Reduce the risk of phishing attacks, data theft and insider threats
  • Create a training program that is easy to access, anywhere, anytime, on any device
  • Engage employees with our program with the long-term goal of building a privacy and security-aware culture 
  • Devise a measurement score to track and improve our program
  • Build in a feedback mechanism so our people can let us know what they think of the program 

Create your action plan 

With your goals in mind, you can now move on to crafting your action plan. The first thing to do here is decide how you will deliver your training. For remote teams, the best option tends to fall into one of the categories below:

  1. Live learning: This approach involves educating your employees in real-time, while they are on the job through channels like Slack, Google Workspace and Microsoft Teams. As your employees perform their daily tasks, training tools like Polymer DLP will automatically monitor their behavior for potential security risks. 

When a user performs a risky move, Polymer DLP will stop the user in their tracks and alert them as to why their behavior was improper. In just a month, our learning system is proven to greatly reduce user error and data leakage. 

  2. Self-paced learning: With this method, employees can access training content independently at their own pace by logging in to a dedicated portal with resources like videos, quizzes, eBooks and tutorials. While handy to have, the optional element of self-paced learning is often its downfall. While your people may be keen to learn about some topics, it’s generally rare for non-technical employees to actively want to learn about cybersecurity.
  3. Hybrid learning: This form of training blends live and self-paced learning together, combining the two to offer a comprehensive library of tools to your people. While variety is great, taking on two approaches can be an expensive endeavor for smaller companies to roll out and manage.

Narrow down your training tools 

Next, it’s time to choose the tools you will use to deliver your training. There’s no one-size-fits-all approach here. The choices you make will depend on your organization’s budget, sector and goals. 

Here are some of the tools to consider:

  • Third-party training tools you install into collaboration apps
  • Learning management systems like Docebo 
  • YouTube videos
  • Online training platforms and libraries 

Chances are, you may already use an online training platform for helping your employees to develop soft skills or learn to use certain tools. While these tools work well for coaching and upskilling, they’re not your safest bet when it comes to cybersecurity. 

This is because of the pervasive, ever-changing nature of cyber attacks. It takes just one mistake while on the job for your employee to accidentally trigger a phishing scam or ransomware attack. While eLearning modules have their place, they don’t provide the real-time, contextual support of live learning—and this is what makes all the difference. 

Roll out, monitor and measure

With everything all set, you can now roll out your training program and, hopefully, watch as security incidents dramatically fall in your company. When you deploy your program, make sure to give your employees a heads up, so they know what to expect and how to use your tool. 

It’s wise to put in place a dialogue channel where employees can share feedback on your program. This will help you to overcome any difficulties, and make the training experience as useful and engaging as possible.

To prove the value of your program internally, we recommend implementing metrics that show the tangible difference the new tool has made. Polymer DLP, for example, comes with automatic activity monitoring and tracking, so you and your stakeholders can actually see how many risky actions the technology prevented in real-time. 

Don’t forget data loss prevention

Last but certainly not least, it’s vital to remember that training on its own will never be enough to counteract data theft and data leakage risks. While awareness can reduce your risks by, say, 70%, you still need technology to help you protect against the other 30%.

This is where cloud-based data loss prevention (DLP) comes in. In the age of remote and hybrid work, DLP is a must to secure data in cloud applications like Slack and Teams.

Lucky for you, Polymer DLP is a combination of security training and intelligent DLP, empowering you to educate your users and protect your data seamlessly. 

Polymer is a no-code data loss prevention (DLP) platform that allows companies to monitor, auto-remediate, and apply behavioral techniques to reduce the risk of insider threats, sensitive data misuse, and leakage over third-party SaaS apps. Try Polymer for free.