For most employees, taking their required yearly cybersecurity training is much like going to the DMV. Everyone has to do it, and no one enjoys it. But the number of threats to your business is growing as fast as the national debt, so what’s to be done?
You probably know this story well. It starts with a declaration from the CISO: “We need security training!” The business as a whole groans and grudgingly accepts the loss of several productive working hours to participate in mind-numbing, online training requirements. The boxes are ticked, and most of the content is forgotten until next year.
The problem with this regular cycle of stand-alone training is that it gives the business and its employees a false sense of security, literally. In spite of this kind of training, employees continue to succumb to the efforts of professional phishermen and “click this link” in their emails. According to the 2018 Verizon Data Breach Investigations Report (DBIR), only 78% of people *didn’t* click on a phishing link in the previous year. That’s 22% of people—including your employees—who don’t have the awareness or capability to recognize when a malware creator has upped the game and wrapped their latest ransomware in a different and more credible-looking package.
Getting better results comes from focusing on more than annual training. What is needed is an organizational culture shift toward one that values and rewards security awareness.
A fully developed and continual security awareness program not only brings timely and helpful threat mitigation practices in an arena where the threat is constantly changing, but also helps create a change in organizational culture that makes employees more proactive and empowered. Like training your SIEM to parse out a specific error message, training your employees about a specific threat is useful, but ultimately limited.
Clearly not all of your employees need to become cybersecurity experts. But you can create an atmosphere where employees receive continual, contextual guidance, are proactively thinking about the consequence of their actions, and understand the impacts that a successful cyber attack could have on the business.
Great—but how do you get a distracted or disinterested employee base to want to think about security? The simplest answer is this:
Incentivize Good Security Decision Making
Find ways to promote security awareness by incentivizing employees to learn more, do more, and think more clearly about their choices while online at work. Use gamification to promote competitiveness or to simply make the training “stickier.” For that matter, use more examples of how good security decisions protect not only the organization, but also the employee and their family. The key is the incentive part, using a carrot and not a stick. After all, it’s tough to motivate employees to think critically about protecting an organization if they have no skin in the game other than the threat of “getting fired or written up” if they do something wrong.
Use the Right Tools
Ultimately, it will take more than just security awareness and annual training to protect your business from cyber threats. Here at Interfocus, we build tools that can help organizations improve their visibility and exercise control over their IT infrastructure. Good tools, combined with a positive and empowering security awareness program, provide the kind of defense in depth that every organization needs but that so few actually have.
Both are needed because no employee, no matter how well trained, will defeat 100% of threats 100% of the time. Threats are becoming increasingly complex and are reaching users in ways that even the most technically savvy fall victim to. Without solid tools sitting behind your security awareness training, you’re putting all of the risk and all of the blame on your people—and that’s a lose-lose scenario.
Some tips on improving engagement with your security awareness program:
- Gamify everything to incentivize excellence
- Make it personal by teaching employees how to protect themselves online, not just the company
- Use storytelling, because a well-told story about a cyber attack can teach more lessons than a point-and-click PowerPoint any day
- Teach employees about insider threats by showing them directly how their decisions can create vulnerabilities where none existed previously
- Make it okay to ask questions. IT teams often discourage users from asking questions or do a poor job of explaining the “why” of a security decision. Bring the organization together with IT to improve communication and encourage the free exchange of ideas and concerns
Learn how Lanscope Cat can provide a platform that continually engages with your employees while they do their jobs, providing real-time interaction to ensure they are aware of and comply with your security policies.