Research by Verizon indicates that 85% of successful data breaches involve the human element in some form. This is particularly alarming to business owners and managers, who are investing in advanced cyber defense systems just to see them fail due to a lack of personnel cybersecurity awareness.
A new report on cybersecurity resilience by Accenture claims that 82% of Chief Information Security Officers say their budgets were increased in the last year, and 31% say they are witnessing a growth in the average number of attack attempts their organization has to repel.
To successfully fight the threats, organizations have to make employee cybersecurity training a top priority.
“Cybersecurity training really goes a long way,” said Juta Gurinaviciute, Chief Technology Officer at NordLayer, a cybersecurity provider. “In most cases, no matter how sophisticated the cyber threat is, it still needs to exploit human psychology to prevail. That is why cybersecurity training should take front and center when defining cyber defense strategies for organizations.”
However, getting the personnel engaged can be a difficult task – but not impossible.
5 ways to make cybersecurity training stick
- Make it engaging. Legacy cybersecurity training programs are often perceived as boring, not engaging, and daunting while being far and few in-between. This static approach to cyber awareness training cannot prepare the modern workplace for the current security climate. Instead of forcing their employees through pages upon pages of policies and PowerPoints, modern training systems are based on continuous learning. In such an approach, long, twice-a-year training events are replaced by frequent tasks that are quick to complete but build good habits. Additionally, real-life situations are being stimulated, and new ways of cyberattack are added to the program as it evolves. A Training regime of this kind breeds safe behavior and awareness, not just theoretical compliance.
- Gamification. Yes, managers find it challenging to get the company personnel to engage in cybersecurity training. That’s why gamification is often one of the best ways of doing so – if it does feel like a game, it tends to stick easier and be less daunting. Incorporating various challenges, levels to reach, and rewards helps imprint safe cyber practices into the company culture. Adding a cybersecurity leaderboard might boost motivation for some, but business leaders need to make sure it doesn’t alienate the less competitive part of their workforce.
- Personalized training. When designing cybersecurity training, those in charge must be aware that they are not trying to teach a homogeneous group of people – the employees differ from person to person, from role to role. In response, the cybersecurity training programs that work best can be highly personalized and are people-centric. Decision-makers need to make sure the training messages are personalized to the person’s prior knowledge, company role, age, among other qualities. To reach the best possible results, even the language, branding, and delivery model used should fit the audience.
- Concentrating on the positives, avoiding FUD. Fear, Uncertainty, and Doubt (FUD) might seem like a good tactic to get employees serious about cybersecurity, but it appears to be ineffective, according to research by Dr. Karen Renaud. She found that instead of establishing safe cyber practices among personnel, it creates the boy-who-cried-wolf effect, where legitimate security warnings are not taken seriously. Additionally, the employees are put in a state of constant anxiety, which translates into poorer decision-making.
Instead, those in charge need to democratize the process, provide adequate resources, and remove possible obstacles. Designating a ‘cybersecurity expert’ at every department to support their colleagues is an excellent place to start – these will be familiar people who already have built trust within their team, making the ongoing training process far more accessible. Additionally, providing resources that make following the security protocols more accessible is a must – for example, if using unsafe passwords is a company-wide issue, buying password managers would work better than convincing employees to come up with and remember strong passwords in their own ways.
- Variety. Too much of the good thing can hurt, and too much of the same thing certainly impedes achieving the desired result of a security awareness program. When designing cybersecurity training, managers need to ensure the variety of the learning content. Some people are better at learning from videos, while others tend to prefer reading. Engaging programs cover different mediums, find creative ways of reaching the employees, and don’t do the same thing repeatedly.