How to equip NHS staff with cyber security skills they will use
- 30 October 2024
Too often, cyber security training is seen as a burden. But it is possible to make it relevant and useful, writes Nasser Arif.
The NHS is made up of a very diverse workforce. Whether you are an experienced brain surgeon or the administrative clerk that keeps the entire system moving forward, there is a form of mandatory training that you are expected to complete.
Modules such as infection control, fire safety and resuscitation teach lifesaving skills to our staff members. Cyber security training, on the other hand, is often seen as a burden.
We have become used to clicking our way through it and answering questions. Mandatory training often focuses on the theory behind topics such as phishing and ransomware. We may love reading about these as cyber professionals, but can we be confident that staff are using this knowledge effectively?
The increasing number of cyber incidents suggests otherwise.
How can we supplement mandatory training and equip staff with cyber skills that they can use?
Keep it relevant
As cyber professionals, we enjoy learning about the latest threats and risks. However, we need to accept that not everyone shares this passion. We should not fall into the trap of expecting our workforce to be fascinated by the theory behind cyber-attacks.
Cyber training should be relatable and highlight scenarios and threats that our workforce experience in their day-to-day lives. Effective cyber training can not only protect staff, but also make them more efficient at using the digital tools that we rely on.
It is great that we teach staff about the different forms of phishing. However, why not take it further and show real examples of these from the workplace? Let’s show our workforce what the actual threat looks like, not just the theory behind it.
You may find that staff start noticing patterns in these phishing attempts and as a result, are better placed to detect and report these in a timely manner.
Make it personal
Cyber security risks exist both in and out of the workplace, so it is important to focus on improving core cyber behaviours.
Whether it is the creation of unique passwords, enabling multifactor authentication (MFA) or locking down social media accounts, these core skills improve our personal cyber resilience, which we then bring into the workplace.
Empower your workforce to find their inner cyber defender.
Location, location and location
A diverse workforce requires diverse training methodologies. Utilise various mediums to communicate key messages:
Lunch and Learns
Use your organisation's online meeting tools to provide accessible and flexible training options behind a desk or on the go via mobile. Make these virtual sessions fun, interactive and most importantly, optional. Capture the attention of those who want to spend their free time learning more about cyber security and they will pass on key messages to colleagues around your organisation.
The face of cyber
In-person pop-up stands at company events or festivals add an element of creativity to your cyber training. This is a prime opportunity to interact with staff from all backgrounds and show them the human side of cyber security. Similarly, visit departments in person and deliver training which is relevant to them. Build relationships with the people you are protecting so that they feel confident in reporting the risks they identify.
Simulate
Gamify cyber security and encourage key staff to take part in simulated exercises. Give them practical insights and tools that can be used during an actual crisis.
The ‘one size fits all’ approach never works when educating a diverse workforce. We need to adapt our training styles and channels to the audience at hand, be it clinical or non-clinical. And we need to find a medium which suits the working environment they are in.
The changing threat landscape demands that we innovate and continuously improve our training methodologies.
Cyber awareness will never be ‘perfect’ and is a marathon, not a sprint. What’s important is whether we are moving forward in this journey or standing on the same spot hoping for behavioural change to occur with no action on our part.
Nasser Arif is cyber security manager at London North West University Healthcare NHS Trust and The Hillingdon Hospitals NHS Foundation Trust.