3 breaches in the month of October… Where are we going wrong with Information security training?

It’s Monday morning in the busy life of a compliance officer. Fresh off a great Strictly weekend (you still can’t get over Helen’s exit) you are absolutely raring to go, ready to attack the week. As your monstrously slow machine turns on a flood of emails appear. There has been a breach, the mother of all breaches, the Titanic of all breaches. “How has this happened?” you wonder aloud, “we’ve just rolled out a suite of information security elearning!” “We’ve blown most of the compliance budget on these courses” a nearby colleague mutters grimly.

With seemingly a breach every week since October, I’m sure this is a scenario that has played out in many organisations.  But the fact is information security is changing.

Companies are not only subject to the risks of web breaches and hacking attacks.

In fact, the ICO highlighted that the majority of incidents investigated in 2015 were related to either data posted or faxed to an incorrect recipient or loss or theft of paperwork or unencrypted device. In other words, the majority of breaches have something to do with both weak points in infrastructure and simple human error. We can control the first one centrally, but not the second. We rely on our people to protect our businesses.

The consequences of breaches are also changing. If the EU’s updated Data Protection Regulation comes into effect, organisations could face cost sanctions of between 2% and 5% of their global turnover. Not to mention the millions of pounds in one off costs responding to incidents.

This led me to think, “What are organisations doing wrong?”. Our compliance elearning seemingly has all of the bells and whistles. Mobile enabled, flashy animations, cool games. We have the lot. But why aren’t learners successfully applying behaviours from the learning to their jobs? Why, despite millions spent on training, do breaches still happen.

Recently I’ve been reading The Six Disciplines of Breakthrough Learning, published in 2006.  The book provides a framework for learning professionals that want to deliver learning programmes that make a positive business impact. One of the book’s six ‘Ds’ struck me.  ‘Drive follow-through’.

The authors stress that value is created when knowledge is put to use. It’s the manager’s job to stay in contact with the learner and help them apply what they have learned. Question: Are we doing all that we can to ensure that learners are applying the learning to their jobs? Or are we leaving the achievement of learning objectives to the individual?

Organisations spend billions on training each year with a learning transfer of 10-15%. What about the other 85-90%? Are we resigned to the majority of our training being classed as a waste of time? Cutting edge organisations drive the transfer of learner by actively managing the learning transfer process. According to the authors, 75% of training fails post-training.  They endorse implementing post training activities such as scheduled feedback sessions to assess the state of learning transfer.

I know I know it sounds too simple but let’s think this through. Modern businesses tend to have constrained learner seat time in which drive long term behaviour change. This tends to lead to a pretty intense experience where we throw content at the learner and expect it to stick. By focusing on the long term ‘follow-through’ of content we give the learner a more focussed period in which to make that change and in turn will see the benefits in terms of increased performance. Yes, it does take more time to do this. But it will cost you less than a breach.

At Saffron we’ve increasingly seen the role that blended learning plays in the delivery of training. As my colleague Ruth mentioned in a recent blogpost, our flipped approach to blended learning focuses on performance. We are progressively making elearning the ‘main event’ or primary learning interaction, with other elements such as classroom sessions and coaching feedback sessions used in a more surgical way to drive the follow through of the learning.

Rather than leave learning transfer to chance or relying on the classroom for ‘real learning’, we are putting the learning experience in a digital form and using face to face time (not necessarily classroom-based) to drive the all-important follow up.

Ok close your eyes, imagine a world where compliance courses are not just merely a tick box exercise but rather an opportunity to drive real behaviour change that impacts business performance in a positive way. Hey! Presto! Open your eyes, that world exists!

We have developed information security courses that focus not on dry statutory features but are created with the learner in mind. How does Saffron combat human error? By simulating what protecting data looks like to the learner in their day to day work in a personalised way. And we take a continuous approach to learning transfer, understanding that one intervention, no matter how flashy, isn’t enough to change the hearts and minds of learners, we need to go further.

So don’t be the compliance officer at the beginning of this post. Don’t see your job as done once the SCORM completions come in. Focus on the long term change in the behaviour of your learners and discover blended data protection training that really does boost performance and stop breaches from happening. Get in touch with us now!