One of the great quotable movie scenes of all time is the scene in the third Indiana Jones movie, Indiana Jones and the Last Crusade, where the ancient Knight guarding the Holy Grail gives a heads up to the Nazi treasure hunter and Indiana Jones to “choose wisely”.
As you may recall, the Nazi chose the ornate golden chalice, believing it was “fit for a King”, while Indy chose the wooden “carpenter’s cup”. Indiana thought about the person, who Christ was, and what he would have used. It is a savvy metaphor for many decisions in life, and it also applies to how you choose cybersecurity awareness training.
There are a range of cyber awareness training solutions on the market today, and some even offer some courses or functionality for free. Free is great, and it has its purpose and time, and can indeed be useful if you are just getting started or have no other options.
There are basically 3 types of cyber awareness training we’ve seen on the market (well TBH it’s our competitor analysis too so our work is now your gain!)
1. Freemium models
SOME of the content is free and then you pay when you need more (and you probably should always need more). So free upfront, but then will cost you to stay or cost you to move. So not free free.
2. Off the Shelf
Off-the-shelf “e-learning modules”, single-buy “courses” or cyber awareness video packs. Great because they are cheap and scale. Bad because they are often old and ineffective for any real learning or change: when was the last time you were motivated to change all your bad passwords because of one two-minute explainer video? So, yeah.
3. Platform Vendors
Platform Vendors deliver courses or learning programs through an online platform. They are usually charged per user per year, and there is a wide range of styles, approaches, prices, and functionality, so it’s good to have a vision of what you need and what you want to get out of a program before you start down this road (for a guide on how to do this and free resources, check out our blog good better best HERE).
We’re assuming that you know what cyber awareness training is all about. You know that your company and its people need to learn how to become more cyber secure, and you’re now looking at solutions and learning how they work.
Here are a few helpful questions and facts that can help you as you decide what’s best for your company, your employees, and your budget.
WHAT FREE OR CHEAP COVERS:
Generic knowledge and compliance-focused content
The ability to capture a snapshot of awareness following the completion of a content element
Content that targets the many, without addressing the tools or demographic makeup of a business
Cheapest and quickest content production methods, so tend to look clunky or dated
Often need hosting so you can access data and reporting
Impersonal content which doesn’t always align with internal policies or standards, i.e. password length and complexity
Paid for add-ons to meet your needs
WHAT THEY MISS:
Continual development of baseline and evolving security knowledge
Higher production values or an eye to creativity; varying content quality in terms of graphics, sound, voiceovers, text readability, and more can actually have negative effects on user adoption and knowledge retention
A comprehensive program for change, so outcomes tick the box for compliance but don’t do the heavy behavioral change lifting required in so much of cyber awareness (don’t even get us started on passwords. One video does not make for habit breaking on password reuse, for instance).
Appropriateness of content to your audience, staff, internal policies, or standards
Generic feel with content that doesn’t relate to real-life scenarios that your staff may face
Reactive and departmental content
Can be dated or old fashioned
HOW TO CHOOSE A CYBER AWARENESS VENDOR THAT’S RIGHT FOR MY COMPANY?
Compliant with GDPR, PCI, local regulations
Provides meaningful metrics
Has supplementary content
Content for role-specific training, i.e. devs, C-level
Ability to report on completion by Manager and Department
Ability to delete or archive once the user has left
Ability to assign content based on departments
Bite-size courses with videos
Easy way to flag users that ignore tests/refreshers
Ability to send manual/auto-reminders to users/their managers that have ignored/not yet completed courses/refreshers
Cost per user
Idea: Why not set up a focus group to understand how other departments and seniority levels find each tool, to see which meets the needs of a program and engages the masses?
Your wishlist doesn’t have to include all of the above, some listed may be more important than others, but make sure to understand what matters to your business and review each option against the list. We’re not saying don’t do it, we’re saying if you are going to do it, do it well.
COMMON CHALLENGES IN ROLLING OUT CYBER AWARENESS TRAINING PROGRAMS
Many larger organizations have rushed out programs or delivered dull content at scale and actually turned the sentiment of the users against them. From e-learning modules that go on for 40 minutes to repeating the same modules year after year for compliance, we have heard countless stories of people who felt bored, afraid, guilty, confused, and ashamed because of the cyber training experiences of yore. There is a better way.
If you didn’t start with the basics, if you haven’t trained on a holistic set of cyber and digital safety topics, now is the time to start. The cybercrime explosion, the complexities of remote working, and the still uncertain future mean that a clear, safe, easy path is not the future for all of our businesses. The journey to creating cyber secure humans isn’t complete with one slide deck, a few e-learning modules, or a short burst of ‘training’.
What do we mean by cyber-secure humans?
Well, that we know about our digital selves and security, and take them as seriously as we do our home and car security. We know the local rules of the road when we get our driver's license, and we (should!) know enough about how a car works and what to do (or who to ask for help, like a mechanic, when something goes wrong). We know to lock it when we go out, to install layers of security when needed, and to always keep an eye on our surroundings. That’s what we are really after here at The Cybermaniacs: to help as many people as we can to take charge, take responsibility, and be engaged with digital safety. (We can wax rhapsodic on this for hours, sorry, moving on).
So at the end of the day, free can get you from a to b. Or give you a quick start. But where on the alphabet do you want to be? Is your industry at greater risk? Is your team already pretty cyber-savvy or nah? Are your partners or customers concerned about the state of your cyber security (and asking in a contractual form, which many, many more are to date)?
Most of what is listed here in the FREEBIES are tasters; a comprehensive program ticking all your boxes will come at a price but will save you oodles of cash by developing a secure workforce, who are savvy and know their roles, responsibilities, and how to report their suspicions.
Trying something new or innovative can require a leap of faith. But the rewards are worth it once you cross to the other side!
Thinking longer-term, and not just about what will get you through the next audit means:
You will need to continue to educate, adapt, and motivate your team to keep skills sharp and stay up to date with the latest changes in tech and risk.
You will have to get past the basics, and soon.
Only covering one or two risk or tech-based topics, like phishing alone, can leave gaping holes that cybercriminals are happy to walk on through.
Securing humans provides an extra level and line of defense for your company against cybercriminals and digital errors of all kinds. Remember, MOST data breaches rely on human error, action, or activity. Can you afford to not secure your humans through a shoestring awareness program?
Don’t let budget be a barrier to an awareness program, and free is better than nothing at all, understanding the caveat that it won’t meet many important requirements.