“You Need Cyber Training” — Ok, now what?

The term “cyber training” is almost as broad as someone saying you “need new clothes” — without context, you could easily choose (or do) the wrong thing. 

In the case of clothes, that might mean wearing sweatpants to a fancy dinner. In the case of cybersecurity, attending the wrong kind of training could result in learning about the wrong things—or not learning about critical protections that are relevant to your role.

What is cyber training?

Cyber training is the overarching term for any kind of human education around cyber topics. 

It’s typically designed based on a few factors:

• Who you are (e.g. non-cyber individual contributor, cybersecurity professional, executive, public persona, etc.)
• Your level of technical proficiency (e.g. if you work in IT compared to field sales)
• How exposed your role and organization are to cyber threats (this will depend on industry, company size, etc.)

While every organization’s training will look different, here are some things to keep in mind.

Why is my organization bringing in cyber training now?

First, cyber threats are increasing—both in type and frequency. For example, 2023 saw a 72% increase in data breaches compared to 2021.

Unfortunately, employees are increasingly caught in the fray:

• Individual employees are targeted to gain access to sensitive systems. For example, impersonating an employee and reaching out to IT for “help” logging into the company intranet. 
• Hackers may extort individuals personally, for example stealing your personal banking details and threatening to take your money unless you help them.
• Third party attacks, like a watering hole attack, could mean hackers get your personal information and use it to impersonate you or log into your systems.

Second, leaders want to keep their people safe. At the same time, they need everyone to be aware of what’s going on and how to protect themselves—it’s no longer possible to handle cyber threats from a central department. 

That’s where training comes in: it’s great for building overall awareness of the little tricky ways hackers can threaten you online.

What are the different types of cyber training?

While every company’s training will look different, you’ll typically see three different segments: 

1. Executive training: This training focuses on planning and strategy around cyber. Details may include mapping your attack surface (i.e. all the ways a hacker might breach your system) and identifying key assets that need protection. From there, it’s planning the multiple layers of security necessary to protect those key assets.

2. IT training: This training goes into the little technical details of cybersecurity, including technology set up, penetration testing (i.e. a planned internal “attack” to identify system weaknesses), and incident response planning so everyone knows what to do in the event of an attack. 

3. Non-IT employee training: This training prioritizes all the day-to-day ways people can stay safer online. A key part of this is a focus on the individual outside of work. It’s not just about keeping company logins safe, but staying safe online in general. 

For example, this training typically includes details around cyber hygiene, such as understanding where your pictures might be published online without your knowledge or how to ensure your personal information isn’t being used by apps without permission.

Isn’t this just more compliance stuff?

Unfortunately, cyber threats are a reality in our digital world—and the only way to stay safer is to learn what those threats are and learn how to protect yourself. 

As more individuals are victims of cyber attacks outside of their workplace, training is not just about the company, but the individual (you).

The key for individuals is to attend the right training for your needs. Then it’s about continuing beyond the training session, bringing regular practices (and trusted technologies) into your regular work.

This post originally appeared on the Connected & Newsletter by Protexxa. Subscribe now to get more insights directly in your inbox every two weeks.

The Cyber Detail: Headlines

• The board’s role in cybersecurity governance (CIO Magazine): CIO and board member Julie Ragland provides guidance on governance in the era of digital risk.

• New Mac update reportedly breaking cybersecurity software (TechCrunch): The new update reportedly is breaking the functionality of many enterprise cybersecurity tools. 
• Canada, US, and UK governments collaborating on AI and cyber initiative (ComputerWeekly): The countries will jointly research, develop, test and evaluate new technologies for AI, cyber and information domain-related technologies.

Cyber events to know about:

• Elevate Tech Festival: October 1st-3rd, Toronto. Protexxa is sponsoring the Secure & Protect content track.
• BSides InfoSec Conference: October 19th, New York City.
• MISA Ontario 2024 InfoSec Conference: October 28th-30th, Markham/Toronto

Training, your way

✅ If you don’t know, ask — if it’s about security, there’s no such thing as a stupid question

✅ It’s not just business, it’s personal — focus cyber trainings on keeping individuals safer, not just “business needs”

✅ Cyber safety doesn’t stop when training ends — use what you’ve learned, don’t be afraid to look up new terms, and keep an eye out for scams as you continue working

ICYMI: Cyber headlines that still matter

Craigslist founder pledges $100 million to cybersecurity philanthropy: The entrepreneur said it’s critical to back people protecting the country from cyber threats.

New NIST and CTEM standards: The combined framework is meant to better help identification, detection, protection, response, and recovery. 

Institutional investors are stepping up cyber response planning: Reportedly, the increase in frequency of cyber attacks was a motivating factor. 

Subscribe to Connected & Protected to get more insights directly in your inbox every two weeks

→ Don’t forget to follow Protexxa on LinkedIn