With over 90% of successful cyber attacks requiring human interaction, your people are now the number one point of entry for cybercriminals looking to harm your organization. And, in most cases, these threat actors don’t break in at all. They are let in via an errant click or a reused password (opens in new tab).
Adenike Cosgrove is Vice President for cybersecurity strategy at Proofpoint (opens in new tab).
In other words, cybercriminals are consistently, and correctly, viewing your people as a gateway to sensitive corporate data (opens in new tab) and more. In response, many organizations have implemented security awareness training to stem the tide. But the situation is far from perfect, with just 28% currently running a comprehensive training program more than twice a year.
Even where training is more regular, organizations around the world are coming up against a disengaged and often indifferent workforce. Research shows that users continue to exhibit risky behaviors and often ignore security (opens in new tab) best practices – 42% admit to taking a dangerous action such as downloading malware (opens in new tab), and 56% allow friends and family to use employer-issued devices.
Clearly, awareness alone is not enough to change behavior. We only need to consider how many people still smoke despite clear and repeated warnings for evidence of that.
Yes, raising awareness is vital, but it is just the first step on the road to a cybersecurity (opens in new tab) culture where best practice becomes standard -- and falling short is no longer tolerated by anyone. The only way to create this culture, and stop staff ignoring best practices, is to keep users engaged at every step. Here’s how.
Mix it up
While regular reminders are great, if you deliver the same message repeatedly, there is a danger that staff will zone out and ultimately become disengaged with the process.
We’ve seen clear evidence of this over the past year, with awareness of key phrases falling, sometimes significantly. In this year’s State of the Phish Report, just over half (53%) of users could correctly define phishing, down from 63% the previous year. Recognition also fell across common terms like malware (down 2%) and smishing (down 8%). Ransomware (opens in new tab) was the only term to see an increase in understanding, yet only 36% could correctly define the term.
This highlights the need to keep security awareness training fresh. Be sure to deliver it in as many places and formats as possible. The more varied the ways your cybersecurity message is reinforced, the more likely it is to be retained.
Tell a story
Most users are not cybersecurity experts, nor do they commonly wish to be. So, they’re unlikely to relate to buzzwords, jargon and dry statistics. Present the process of cybersecurity as a story. Go step by step to show users how a simple behavior like falling to correctly close down a program, using an unauthorized device or clicking a malicious link opens the door to cybercriminals.
There are plenty of real-world examples to help you out here. In recent years, you can take your pick of high-profile incidents from LinkedIn, Equifax, Cognizant, Twitter and many more. You can also go even further, tailoring these stories to job roles, departments and bad habits to plot a clear path between today’s actions and tomorrow’s consequences. The more personalized your delivery, the more users can relate – and the faster behavior changes.
Adjust and adapt
The threat landscape is constantly evolving. Your training program must do the same. Training should be relevant to the threats facing your organization today.
It should educate users on the motives and methods of common attacks and where they are most likely to encounter them. Most importantly, users must understand how they may be manipulated into an action – and the potential consequences of taking the bait.
Conduct research into the most attacked people in your organization and the types of attacks they face so you can deliver training in context with their everyday. With this information, you can deliver simulations based on real-world examples to help users learn how to put their training into action when it matters most.
Make it fun… seriously
Cybersecurity training may not sound like most people’s idea of fun, but there are plenty of ways to keep it positive and even enjoyable. Deliver training in short sharp models, and don’t be afraid to use different approaches such as animation or humor if it fits well into your company culture.
Making security training competitive and turning it into a game can also aid the process. The gamification of training modules has been shown to increase engagement and motivation, as well as improving attainment scores in testing.
For maximum impact, training and education should not feel like a chore. The more enjoyable you can make the experience, the less resistant your people will be to taking part – turning security indifference into security action.
Make cybersecurity every day
There may have been a time when the day to day of cybersecurity was handled by IT teams and administrators. But that time has long passed. As we continue to send, receive and process masses of data every day, in both our work and personal lives, cybersecurity is all around us. Cybersecurity best practice should be all around us too. And with tailored, engaging and continuous security training, it soon will be.