Employees in your organization are required to complete some form of cybersecurity training once a year, which can include a short online course, training videos, and a test to wrap it all up.
Whether this training model is adequate in today’s cyber climate is another question, but what if employees don’t even take this rudimentary training seriously?
Cyber attacks are increasing in frequency and sophistication, and ransomware is on the rise. According to a recent report from SonicWall, ransomware attacks increased by 151% in the first half of 2021.
There are several things you can do from a leadership, technical and human resource perspective.
Enlist executives and/or managers to ensure compliance
The best way to get buy-in from the whole organization is to enlist the help of those at the top. Depending on the size of the business, getting every end user to comply with your cybersecurity policies and complete the training you have chosen for the organization may be too much for IT to demand on its own.
Instead, recruit business leaders who can help you get your message out and require that their employees complete cybersecurity training and awareness courses. This should start with business executives who understand the costs of recovering from a cyber attack, but IT administrators should also consider enlisting the help of the human resources department, which can make this a priority in the same way it does harassment or OSHA compliance.
Report non-compliance to management
Once you have secured leaders' buy-in on the importance of cybersecurity awareness, they will be more willing to support your preferred disciplinary approach for employees who do not complete the training, or they will impose their own consequences.
You can send regular compliance reports to executives or managers that specify who has taken the training and who has not. That way, the threat of disciplinary action comes from an employee's direct supervisor rather than from a rarely seen IT administrator.
Restrict access until the training is complete
Unfortunately, there can still be employees who ignore the threats lurking in cyberspace or who don’t feel like cybersecurity applies to them. Of course, they are wrong.
If employees are still not complying after multiple email warnings to complete the training, turn off their access to email or other applications until they complete it. As long as a user has not completed the training and remains unaware of current security threats, their use of company networks is a liability.
This is a drastic step, and you will need the support of management and HR to implement it.