5 ways to train your employees on cybersecurity

If you ask your employees, they will tell you that they are careful online and protect both their personal information and the company’s data. In reality, many staff members are taking unnecessary risks online that can compromise your business.

To be safe, you must train your staff in the best cybersecurity practices available. Fortunately, many of these practices are simple and not particularly time-consuming. And yet they can be the difference between a security breach and the safe handling of your data.

When management follows a comprehensive training plan, your company’s cybersecurity becomes much stronger. Here’s what you need to cover in that plan.


Protecting your passwords is one of the easiest precautions to take, but management and employees often take shortcuts in this area to save time and to avoid memorizing multiple passwords. You should train your employees to create more complex passwords that contain letters, numbers and symbols — but are drastically different than earlier passwords. Most employees stick to similar, more familiar passwords that hackers can easily figure out.

Experts recommend requiring password changes several times a year to limit the damage any hacker can do. But new guidelines reflect that changing company passwords as often as every 30-42 days doesn’t greatly enhance security. Because hackers have such sophisticated methods now, monthly changes merely cost your company in lost productivity. However, email accounts and accounts without two-factor authentication should continue to be changed regularly.

Regulatory and company data policy

Almost every industry has specific rules for handling company data. Your business probably has its own policies in this area. Every new employee should be trained in their data protection responsibilities when they are hired.

At least once a year, employees should take a refresher course on data protection rules. For instance, anyone working within the healthcare industry must learn how to protect patient information according to HIPAA regulations, especially in online communications. If they don’t, then they risk exposing their company to lawsuits and fines.

Unauthorized software

You must train your employees to never download unauthorized software and then reinforce that message whenever possible. Even seemingly innocuous programs can cause companywide problems if they are infected with a virus or malware.

Because employees may frequently download free software at home, they might not even pause before doing so at work. This simple mistake can compromise your company’s productivity for hours, if not days, and cost your business an alarming amount of money.

“Live Fire” training exercises

One of the most effective training methods is simulated cybersecurity attacks set up by the IT department or an outside company. Employees are expected to react to these attacks in real-time, and then afterward, they’ll receive coaching on how to avoid any mistakes they might make during the drill.

For instance, some companies create simulated phishing attacks (malicious emails) to see how many people will click on them. The IT department can take the results and help the staff identify phishing expeditions from legitimate communications. This can be extremely valuable since most people learn better from experience than from lectures or handouts.

Modern training methods

Experts recommend making cybersecurity training positive instead of negative. Instead of frightening employees with adverse consequences for making online security mistakes, try rewarding employees who follow best practices. For instance, award employees who do not fall for “live fire” phishing attacks with modest prizes. Gift certificates or several hours of comp time are excellent incentives that don’t cost your company much but may encourage more cyber diligence.

In another example, high school students who played the computer game “Security Empire” improved their cybersecurity awareness. During the game, players become business owners. They suffer if they make security mistakes but advance if they’re consistently cyber aware. This game-based training can also work for adult staffers — it’s definitely a more engaging activity than another boring cybersecurity meeting that’s complete with a PowerPoint presentation.

Cybersecurity peers

Your company can benefit from appointing cybersecurity “advocates” or peers. Choose a tech-savvy person in each department to openly monitor cybersecurity practices and offer friendly coaching to those staff members who need help in this area. Often, an encouraging word from a peer is much more effective than guidance from management.

These cybersecurity peers can also offer suggestions to management about new methods to keep data secure based on their observations of department practices and processes. Plus, involving employees in cybersecurity makes it a team effort and not just a management concern.

Even employees and managers who know better than to take security shortcuts can become lax over time. To maintain security consistency, employ regular training on multiple fronts and supplement the occasional company-wide meeting with “life fire” exercises or peer support.

Think about engaging a third-party expert to help protect your sensitive data and suggest security improvements. Protecting your network at all levels from hacking and other cyber attacks can save your business from a world of unnecessary hurt.