Here at Psybersafe our goal is to give people an interesting, useful and amusing way to develop safer cyber security behaviours, through tips, tricks, and interactive online training episodes.
We make a ‘dry’ subject relevant and useful, so people can actually use what we share in their daily lives.
We seem to do a pretty good job, judging by the feedback we get.
But let’s be honest. Not everybody gets excited about everything you, or we, get excited about. And so, when it comes to designing or delivering necessary training on topics that people don’t find particularly fun or interesting, you need to work harder to get the message across. This is especially true if you want the training to be more than just a ‘tick in the box’ and really help you or your organisation. The subject matter may be critical, but if your colleagues don’t see that, or have a chance to engage with it, they simply won’t take it in.
So, where do you start?
If you want to do this effectively, look at your subject from the learner’s perspective. Here are some basic rules we live by when we are developing our own training:
- Keep it relevant for the individual: the more we put the learner first, the more relevant the training will be. Link it to the company’s needs, sure – but make it relevant to the individual first.
- Give people a chance to actually do what you need them to – make any learning interactive, so that people are putting learning into practice as soon as possible.
- Make it easy to do – we’re all busy, so remove as much friction as possible. The easier something is, the more likely people are to do it. Which leads to the next point...
- Keep learning modules short – we'd suggest under 10 minutes. Any longer and it starts to impact on people’s days, and lead to fewer people completing the training.
- Repeat the essential information that people need to take on board – little and often is far more effective than a video or seminar every few months.
‘Do this’, ‘do that’, ‘don’t do this’ – that approach is not going to change people’s behaviour. Instead, you have to address people’s Capability, Opportunity (to do the thing you want them to do) and Motivation. This is a proven behavioural model, called the COM-B model, that helps design truly effective training.
Let’s take NIS2 as an example. It’s a European law related to cyber security which comes into effect in October 2024. It impacts most companies in the EU, but also those outside the EU working with European companies. Plus, it won’t be long before other countries start adopting it – the UK, US and Singapore, for example, will align fairly soon. Not particularly exciting for most of us. But very important.
What is NIS2 and how can it possibly be fun?
The original NIS (Network and Information Systems Directive) came into force in 2016. Cyber risks are now much greater, and critical data and system operations are increasingly a target for ever more sophisticated threats. NIS2 is the EU’s response. It was published in December 2022, and EU member states have until 17 October 2024 to adopt it nationally.
Why should I care?
If your business or organisation deals with any larger European company – you WILL be affected. EU companies will have to demonstrate that their suppliers are not putting them at risk and that means you will have to demonstrate to them that you are a secure company!
NIS2 has stricter requirements for risk management and incident reporting, covers more industry sectors and has heavier penalties for failing to comply.
As Psybersafe does with its cyber security awareness training, if you want people to pay attention to NIS2 – and you should be aware of the basics at least – you need to demonstrate why they should pay attention.
Ask yourself:
- What’s specifically relevant for them, or
- What’s in it for them, or
- How will it affect them?
For example, if you’re an ‘essential’ or ‘important’ entity, you need to regularly train staff. If you don’t, you could be fined – a lot. Not only that, managers may be held personally liable for infringements – that should get your attention, shouldn’t it? And if you want to work with one of these in-scope entities, they’ll want to make sure you do train your staff. So, it’s very much a business issue! And everyone in your business needs to be involved to make sure you comply. So now is a good time to start looking ahead at how you might provide relevant, useful and even fun training to help your people get their heads around the new requirements.
Check out our brief note on NIS2 and, now that it’s becoming mandatory, contact us for cyber security awareness training that works.
Mark Brown is a behavioural science expert with significant experience in inspiring organisational and culture change that lasts. If you’d like to chat about using Psybersafe in your business to help you stay cyber secure, contact Mark today.