BUSINESS MANAGEMENT
Continued from page 24

How HR Builds a Human Firewall

In addition to network firewalls and other security safeguards, companies are investing in the creation of a human firewall of employees who are educated enough not to fall for phishing scams. As every employee now has a definite cybersecurity duty, it is up to HR to train them. This often takes place during onboarding and in regular, usually quarterly training modules to keep phishing alertness front and center. Such training also covers password policy, breaking bad password habits and other areas of cyber-hygiene.

The idea behind awareness training is, "Change everyone's reflexes," Bihya said. "If I see an email with a link, my reflex should be to not click on the link."

With human error being the path of least resistance for cybercriminals, the need to bring awareness and education to employees through security awareness training has been given more priority. It has become clear that annual lunch-and-learn trainings are no longer enough.

"While providing people information does have value, changing behavior should be the focus of an awareness program," said Erich Kron, security awareness advocate at cybersecurity training firm KnowBe4. Education should not be limited to topics that focus on email phishing, but also to overall security hygiene, including how to secure accounts with multifactor authentication (MFA) and how to use tools such as password vaults to create long, secure, and especially unique passwords.

The Evolution of Security Awareness Training

In recent years, security awareness training has evolved to incorporate adult learning principles and elements such as:

- Continuous awareness, training and education on the cyberthreat landscape. Rather than text, most training modules use audio and visual elements with characters acting out scenarios of good and bad behavior.
- An opportunity to apply what has been learned using simulated programs, where fake phishing emails are sent out at random times to people in the organization to see how many are tricked into clicking on malicious attachments and links.
- Assessments and quizzes. At the end of each section of training, the employee answers a few questions to see if they have understood the concepts. Then at the end of the module, they are assessed on their likelihood to follow the principles taught.

Kron recommended that HR departments find ways to automate training assignments and use positive messaging when communicating about such programs. Having leadership reinforce the importance of education and training programs can also improve completion rates and reduce the effort required to ensure people are doing the training.

Kron favors the deployment of shorter training sessions more often and with a more targeted and thought-out approach.

"Unlike in the past, different types of training are now being developed to communicate with employees in the form of games, animation, live-action teaching and even season- and episode-formatted shows that look like high-quality television productions," he said.

In addition, AI components are being introduced to tailor content provided to employees, based on their own specific areas of weakness or the latest threat vectors. Another development is point-of-failure training to provide real-time guidance as to why an action taken by an employee could be dangerous. This helps people better understand the threats they face and the purpose of the policies or security controls they may have inadvertently violated, or the reason for the simulated attacks.

"Security awareness has begun to blend into programs related to physical safety and awareness," Kron said. Just like safety campaigns that have been run for decades to warn people of dangers from machinery, chemicals and other physical threats, digital dangers will also be addressed in the same way with signage and coordinated, highly visible campaigns.

Drew Robb is a freelance writer in Clearwater, Fla., specializing in IT and business.

Reprinted with permission from SHRM.org. ©2023. All rights reserved.

www.mrca.org
Midwest Roofer 25