Many companies are using e-learning to train their staff in cybersecurity. What (new) topics are being covered? And what are the advantages and disadvantages of online training? Cybersec asked Cédric Herregodts, director of Flowsparks, which provides software for creating online cybersecurity training courses, among other things.
TEXT: PIM VAN DER BEEK IMAGES: SHUTTERSTOCK & FLOWSPARKS
A much-needed competence in online training of cybersecurity staff is data classification, says Herregodts: ‘It is increasingly important for employees to learn how to handle data and have a basic knowledge of data classification. Partly as a result of digitalisation, organisations have more data at their disposal. This brings opportunities, but of course also risks. Understanding the risk of data, knowing what data can and cannot be shared, what level of protection is required and whether information is public, confidential or even highly classified is crucial,’ he says. ‘Especially as laws and regulations around data sharing become more stringent.’
The second skill he sees reflected in the training is ‘secure behaviour’. The Flowsparks CEO: ‘Know-how around prevention is changing. Where previously the focus was on setting up a strong password, concepts such as single sign-on (SSO) and multi-factor authentication (MFA) have become essential.’ Again, he says, it is important that people understand the importance and operation of such constructs and know how to work with them. He advises users of their software to use real-life examples as much as possible in training sessions, to make it clear that human error is usually the cause of incidents.
The third topic that is increasingly appearing in online training is social engineering. ‘This is where cybercriminals use subtle manipulation by interfering in the personal lives of employees. By building relationships of trust, they are able to surreptitiously obtain sensitive information such as passwords and company data,’ he explains. Training courses are increasingly focusing on how to recognise these tactics and how employees can be alert to suspicious contacts. Herregodts: ‘While traditional security measures often focus on technical vulnerabilities, social engineering focuses on the human factor. Making employees aware of the dangers and training them to recognise deceptive approaches is an important step in preventing valuable business information from falling into the wrong hands.’
It is also increasingly important to have a clear process for reporting data breaches, argues the director of the digital learning module software provider. ‘If an organisation is a victim, employees need to know what to do and have knowledge of GDPR obligations. But it’s also about very practical issues. Someone has hacked your computer, so you make sure it is disconnected from the network as soon as possible, you close your laptop and take it to the ICT department.’
With e-learning, says Herregodts, organisations can be more responsive in the event of an incident and reach people much faster. ‘The organisation and the environment change every day, and regular training cannot keep up. If people don’t have the right knowledge, your organisation becomes vulnerable. An e-learning programme can be put in place on an ad hoc basis and strengthen the resilience of your team,’ he argues.
More and more technical knowledge is also required of employees. But this can be different for each individual, as the Flowsparks director points out. ‘The data that people in different departments or functions come into contact with varies, so the generic examples will not apply to everyone. The situations in which data breaches can occur are also different. Employees in certain roles, such as help desk staff, are often more likely to be exposed to social engineering than others.’
He also believes that e-learning can increase employee engagement by offering realistic scenarios where employees make choices in cases that are truly relevant to their own organisation. ‘This interactive approach makes the learning experience more tangible and helps employees remember key information. Realistic scenarios also help employees to ‘put themselves in the situation’ so that they actually know what to do if they find themselves in such a situation.’
He lists several additional practical benefits. Employees can take e-learning at a time and place convenient to them, which increases both their understanding and the effectiveness of the training. E-learning programmes can often be automatically translated into the learner’s native language. ‘This is particularly important in international organisations. Organisations also get digital insight into who has taken a course and can send automatic reminders.’ This can reduce the administrative burden, he argues.
According to Herregodts, companies can also more easily personalise digital learning programmes for employees who need additional or customised training. The only disadvantage, he says, is the distance between the department (e.g. ICT) and the employee, which can be slightly greater with e-learning. With an online course, there is sometimes less direct interaction between the trainees and the ICT or security department, he argues.
Flowsparks provides the software to create, translate and distribute e-learnings. They can also customise them together with the customer. The content and domain knowledge are always sourced from the customer.
Edition #07 – January 2025