[caption id="" align="alignleft" width="350" caption="Training Fragmentation"]
[/caption]
More and more, you see training companies promote their security awareness training products as 'modular' as if that is something good. It's not.
They break their training in small modules, split up by security topic, and say that this is better. It's not.
They say that this is the way people learn and work. It's definitely not.
They claim that short lessons are easy to learn. That is patent nonsense. Is a 10 minute lesson in astrophysics easy to learn?
They say that one lesson a month, each with a different security awareness topic, is the best approach. Unless you have an extremely secure environment, it's actually an invitation to a data breach. Would you install a firewall and slowly, over time, block the ports you need to defend?
There is a massive problem with this approach: Security Training Fragmentation causes a Knowledge Gap
Our apologies if we sound a bit hot under the collar, but at KnowBe4 we are passionate about security. Perhaps other types of training can be drawn out and fragmented, but we are dealing with IT security here, and employees are the weak link!
[/caption]More and more, you see training companies promote their security awareness training products as 'modular' as if that is something good. It's not.
They break their training in small modules, split up by security topic, and say that this is better. It's not.
They say that this is the way people learn and work. It's definitely not.
They claim that short lessons are easy to learn. That is patent nonsense. Is a 10 minute lesson in astrophysics easy to learn?
They say that one lesson a month, each with a different security awareness topic, is the best approach. Unless you have an extremely secure environment, it's actually an invitation to a data breach. Would you install a firewall and slowly, over time, block the ports you need to defend?
There is a massive problem with this approach: Security Training Fragmentation causes a Knowledge Gap
- You want all your employees, as soon as possible, to understand and be armed against all attack vectors.
- Employees should get all the important online dangers in one training session, integrated and reinforced multiple times within in that initial training session. That is the only responsible way to deploy security awareness training.
- With all employees knowing all the online dangers, there is group agreement and peer pressure in the direction of secure behavior.
- You don't want to start with training them about phishing and only weeks or months later train them about social networking. That leaves a social engineering hole big enough to drive a truck through.
- If you want to keep all employees on their toes with security top of mind, do that with continued testing. Sending a simulated phishing attack once a week is extremely effective to keep them alert, and a proven way to dramatically decrease their Phish-prone percentage.
Our apologies if we sound a bit hot under the collar, but at KnowBe4 we are passionate about security. Perhaps other types of training can be drawn out and fragmented, but we are dealing with IT security here, and employees are the weak link!
