The hidden costs of cheap cybersecurity training


OK… let’s do a thought experiment. If I say “nutritious food” what comes to mind?

Salads, lean meat, fish, fruit, vegetables? What about chips? Chips are fine every now and then, but would you eat them every night and expect to reach your health goals? Probably not!

If you want a healthy body, you have to put healthy food into it, cut back on the cheap processed stuff and eat better quality wholesome food. And that isn’t always cheap.

But we know that ‘what you put in, you get out’ so we do it. Especially now, at the start of the year, when we’re all trying to be good! It’s no different for your brain: put better quality information in, get more informed behaviour out.

If you’re reading this, you’re interested in the most up-to-date teaching and research into information security. You want your organisation to do more than just survive – you want it to thrive. And the people in your business need to thrive for that to happen. Part of that means they need the right training to achieve your organisation’s desired outcomes.

Effective cybersecurity training doesn’t come cheap

The first question to ask is what is “effective”? For something to be effective, it’s got to be measurable against a clear objective.

If your objective is solely to provide evidence that you've given everyone training, then cheap as chips may make sense. But if your objective is to assess knowledge or competency, and to drive a change in behaviour, then the investment needs to increase.

Cheap cybersecurity training has several hidden costs:

  • False sense of economy
  • False reassurance
  • False sense of effectiveness

As the adage goes: Buy cheap, buy twice. Cheap training gives you a false sense of economy.

False sense of economy

You think you're saving money, but you may not be getting what you actually want, and you may end up paying twice when you realise the first round hasn't achieved what it was meant to. You also double up on time, because everyone has to sit through it again.

False sense of reassurance

More important than the financial cost, though, is the false reassurance you get after your staff have completed some training: you'll be lulled into a false sense of security. You assume your employees now know what to look out for and how to react to certain situations. But if the training was poor, they still won't know what to do.

Giving staff poor training can be worse than giving them none at all, because everyone in your organisation will assume they know what they need to do to keep themselves, and the organisation, safe.

False sense of effectiveness

At best cheap training will allow you to sit back assuming everything is OK. At worst it gives you a false sense of effectiveness. You may wrongly assume you’ve achieved your objectives, which could set you up for an attack that could have been prevented – and put you in a worse position to defend your actions should a regulator have questions following a data breach.

You may not realise your training was inadequate until there’s some sort of breach, so it’s better to get it right from the start.

Start with your aims in mind

Cheap cybersecurity training is fine if it achieves your objectives. So, you need to know what they are:

  • Are you trying to raise awareness?
  • Do you want a sustainable level of awareness?
  • Do you want staff to remember what they’ve learned a week later?
  • Are you trying to assess competency?
  • Are you trying to change behaviours?
  • Are you doing the training because GDPR or PCI DSS says you need to? In other words, is it a tick-box exercise for you?
  • Is it a contractual requirement?

Or maybe you know you need to do it simply because of good old common sense but you don’t know what you need!

It’s worth making a really important distinction here:

Is the objective to deliver training

or

Is the objective to raise awareness and drive behavioural change?


Delivering training is easy. Driving behavioural change needn’t be hard but it’s unlikely to be achieved through poor quality training.

Cheap training is often delivered using a highly automated process, like email or computer-based training (CBT) for example, yet retention rates for this sort of training are very low. Go back to your objectives: why are you doing the training in the first place?

We've developed a thorough system based on understanding how people learn best, from when people are most receptive to information (2 o'clock in the afternoon is not good for many of us, for obvious reasons), to how much information trainees retain depending on how it's delivered.

Here's the pyramid of learning (based on Edgar Dale's work and the 'Cone of Experience' he developed in the 1940s):

(Figure: the cone of learning.) It shows how much information people remember depending on how it's presented to them. Note that the retention percentages commonly attached to the pyramid are later additions rather than figures from Dale's own work, so treat them as a rough illustration of the principle: people retain more of what they do than of what they merely read or hear.


Thorough training costs more but there’s a reason for that: more thought and work goes into it.

Our training is aimed at strengthening people's existing skills and knowledge while introducing them to new insights and skills. We empower staff so that they can be your collective defence against attack. Attackers are using the latest science, constantly innovating and trying new methods, and organisations need to catch up to be able to defend themselves effectively.

We know that one size definitely doesn't fit all. Training has to be tailored to fit an organisation's current level of knowledge and competency. Our training is designed to change behaviours, not just give people extra knowledge. Our clients know we're committed to research and to applying our findings to our training; it's what keeps us at the cutting edge of the industry.

We provide tailored in-house training and Re-thinking the Human Factor workshops all over the world. There's more information about our training here, or let's hop on a call and talk about what you need (and we'll convince you that cheap training is not the way to go!).
