• shalafi@lemmy.world · 14 upvotes · edited · 18 hours ago

    Perhaps because corporate security training is boring as hell?

    I worked up a training class over the course of a year. Ridiculous to take so long, but I wanted to nail it. I figured there were three key things.

    1. The things I talked about had to be relevant to the employees. I pared the stories down to items they could actually encounter. This is how an attack can affect you, how it can affect us. Here are things I’ve seen right here at our business.

    2. Anything I wanted to talk about had to come with actionable prevention techniques. Here’s the problem, here’s what you can do about it. They had to feel empowered, not helpless.

    3. The class had to be entertaining and interesting, start to finish, no fumble fucking around, no baffling them with jargon. I rehearsed that entire year until I could do it in my sleep. Plenty of humor threaded throughout the talk.

    Nervous as hell when the day finally came. I have no problem speaking to a group, love it in fact. But talking cybersecurity to non-technical people is about as boring as it gets. Business owners bought everyone lunch and we met in the conference room.

    Timed it to run for 40 minutes, left space at the end for questions. Talk about a resounding success! Everyone in the room was engaged and had questions, some even staying beyond the allotted hour. Fuck me, I actually got applause! (Yes, and everyone clapped. Really.)

    Phishing tests went from 25% failure to 4% failure overnight. I left a USB drive on the floor by the printer. No one touched it for three days, and then only to place it on the table.

    My next job was at a software dev. Security training involved cutesy animated characters and multiple choice questions. Yeah, a live puppet show would have been more effective.