Most companies offer their employees recurrent training, from how to use Excel and create PowerPoint presentations to life skills like first aid, how to talk in front of other people and ways to improve at their job. Now that internet and email correspondence, as well as other communication platforms and file sharing, make up a huge part of everyday business, companies have been waking up to the fact that their employees need security awareness training to use these things correctly and safely.
Hackers target people
Once upon a time, hackers simply hacked the software or systems. Companies then invested in state-of-the-art firewalls and security systems which made it next to impossible for hackers to get in. So why do we still have breaches, leaks and theft of valuable private data?
Hacking people has become the way to go for cyber criminals. And it’s easier than getting through firewalls and code. Hackers now rely on employees, from administrators to on-floor staff, to make mistakes and let them in. This can be done in various ways, from regular phishing to spear phishing, false links or attachments, unpatched software, pop-ups, USB drops or tailgating, even good old-fashioned spying and eavesdropping.
The threats are everywhere, and one click of a mouse could mean the difference between thriving and failing. Therefore, more and more companies are realizing that they need a strong security culture and have started training employees in security awareness.
“That’s how employee training has always been done”
So, what kind of security awareness training have companies been offering their employees? Many have gone with the generic hour-long (or more!) mandatory lecture on the threats and pitfalls of the internet. This type of training takes employees away from their important work and disrupts their workday.
Several studies have shown that employee training can be ineffective when done this way. A McKinsey & Company report found that only 25% of respondents felt that training programs had a measurable improvement on performance. Online training company 24/7 Learning published a study in 2015 that showed that only 12% of employees apply new skills learned in training to their jobs. Lectures and seminars are, simply put, ineffective.
Employees resent lectures
While companies spend hundreds of billions on employee training each year, keeping training going just for the training’s sake would be a mistake. Companies now find that they need to tailor the training they offer to the people receiving it. Mandatory security training that takes employees away from their desks, and effectively sets them back in their schedule, is not likely to succeed. And what’s worse, it gives a false sense of security. Employees will resent the training on principle and lose focus. Additionally, retention of knowledge will be minimal when employees arrive at their training with a negative mindset.
By 2025, millennials will make up 75% of the workforce. By now, they have already surpassed GenXers as the largest generation in the workforce. Used to watching videos, accessing social media posts, searching for retailers and products online and checking their accounts multiple times a day, millennials are used to getting their information quickly and in small pieces. This is also the case for other generations: everything outside of work is delivered in small doses.
To train these employees, we now need to think about how they are used to getting their information. Microlearning is a method that uses small moments of learning to drive employee development. It is short, to the point and builds on the employee’s general knowledge. Microlearning serves as a reminder of previous knowledge or an issue and is based on short, repetitive learning to increase long-term comprehension.
Employee training that’s short and to the point
Studies have shown that employees are more likely to use their company’s LMS (Learning Management Software) if the lessons are shorter. Long courses are harder to focus on and get in the way of productivity. Every company with a healthy respect for the cyber risks out there should want to offer only the best available training methods to their employees. Shorter training saves both time and money for the company and helps the employee learn and retain more knowledge.
Busy employees might not have 20 minutes to spend on a training course, but getting them to spend 1-2 minutes learning about just one topic that will help keep their company safe will be much easier.