Cybersecurity threats continue to proliferate and become more costly to businesses that suffer a data breach. One reason is that attackers have learned it is often easier to find an employee who, in a moment of inattention, will open an attachment containing malicious content than to exploit a technical vulnerability in software.
When it comes to combating these growing risks, most organizations continue to place more trust in technology-based solutions than in training their employees to understand the threat landscape and recognize the red flags of a breach attempt. Organizations tend to see their employees as liabilities rather than as assets who, when trained appropriately and incentivized, can be part of a more robust solution to many problems.
There's a right way and a wrong way to train employees in cybersecurity awareness. The wrong way approaches training as a once-a-year or semi-annual exercise in which employees are gathered in the break room with snacks and subjected to a long, or sometimes too-brief, PowerPoint presentation. This method treats employees as a passive audience and inadequately engages them. Done wrong, security training feels more like punishment than an opportunity to teach and inspire employees to be active contributors to their organization's safety and well-being.
The wrong way also reflects a one-size-fits-all organizational mindset, which fails to take into account that people have various strengths and abilities, and respond differently to a range of methods by which training material is presented.
Employees also have varying security awareness needs depending on their role and their level of access to sensitive information. Another key flaw of the break room approach is that the impact of training gets measured in terms of attendance instead of content retention and behavior change.
When it's done properly, security awareness training is parceled out in more digestible portions that expose employees to content with greater frequency and variety so it can have a deeper impact. This approach treats training more as a carrot than a stick and is interactive, making it feel more relevant and worthwhile to employees. And because it's more challenging, it engages workers' minds and memories much more effectively than forcing them to sit passively through a presentation once a year or even at more regular intervals.
Security awareness training never occurs in a cultural vacuum, so it's advisable that an organization's risk management department evaluate the organizational culture and adjust the messaging accordingly.
How to Change Organizational Culture
Changes in behavior cannot be sustained by an organization's culture without continuous reinforcement. For example, after training and repeated testing you can reduce the rate at which employees click on a simulated phishing link from an initial average of 27% to the low single digits. However, if you leave it there and never train them again, the rate will creep back up for a few reasons.
The stimulus for the reinforced behavior disappears once you take away the immediate feedback employees get when they successfully recognize a simulated phishing attack. On the organizational level, the natural churn of personnel, as some people leave the organization while others join it, translates into a smaller percentage of employees who have been rigorously trained in security awareness.
Then there is behavioral drift over time, because nothing is being done to help employees sustain the new habits they have learned for handling the emails they receive.
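Measuring the program by behavior rather than attendance means tracking each simulation campaign's click and report rates and separating the two causes of a rising click rate named above: untrained new joiners (churn) versus trained employees slipping back (drift). The script below is an added example and is not code from the original article or from Restech; the roster, campaign results, field names and the 10-point drift margin are all constructed for illustration.

```python
"""Phishing-simulation metrics: track behavior over time, not attendance.

Added example, not from the original article. ROSTER, RESULTS and the
drift margin are constructed illustrations, not real data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed roster: employee -> date of last awareness training (None = never).
ROSTER = {
    "alice": date(2023, 1, 10),
    "bob": date(2023, 1, 10),
    "carol": date(2023, 1, 10),
    "dave": date(2023, 1, 10),
    "erin": None,    # joined after the training cycle, never trained
    "frank": None,
}

# Constructed simulation results: (campaign_id, send_date, employee, outcome).
# outcome is one of "clicked", "reported", "ignored".
RESULTS = [
    ("c1", date(2023, 1, 3), "alice", "clicked"),   # baseline, before training
    ("c1", date(2023, 1, 3), "bob", "clicked"),
    ("c1", date(2023, 1, 3), "carol", "ignored"),
    ("c1", date(2023, 1, 3), "dave", "reported"),
    ("c2", date(2023, 3, 1), "alice", "ignored"),   # shortly after training
    ("c2", date(2023, 3, 1), "bob", "reported"),
    ("c2", date(2023, 3, 1), "carol", "reported"),
    ("c2", date(2023, 3, 1), "dave", "reported"),
    ("c3", date(2023, 6, 1), "alice", "reported"),  # months later, two new hires
    ("c3", date(2023, 6, 1), "bob", "ignored"),
    ("c3", date(2023, 6, 1), "carol", "reported"),
    ("c3", date(2023, 6, 1), "dave", "reported"),
    ("c3", date(2023, 6, 1), "erin", "clicked"),
    ("c3", date(2023, 6, 1), "frank", "clicked"),
]


@dataclass
class Campaign:
    campaign_id: str
    sent: date
    recipients: int
    clicked: int
    reported: int
    untrained: int          # recipients not yet trained when the lure went out
    untrained_clicked: int

    @property
    def click_rate(self) -> float:
        return self.clicked / self.recipients

    @property
    def report_rate(self) -> float:
        return self.reported / self.recipients

    @property
    def trained_click_rate(self) -> float:
        """Click rate among recipients who had been trained: isolates drift from churn."""
        trained = self.recipients - self.untrained
        return (self.clicked - self.untrained_clicked) / trained if trained else 0.0


def was_trained(roster: dict, employee: str, when: date) -> bool:
    trained_on = roster.get(employee)
    return trained_on is not None and trained_on <= when


def campaign_metrics(results, roster) -> list:
    """Aggregate per-recipient outcomes into per-campaign metrics, oldest first."""
    buckets = defaultdict(lambda: {"sent": None, "recipients": 0, "clicked": 0,
                                   "reported": 0, "untrained": 0, "untrained_clicked": 0})
    for cid, sent, emp, outcome in results:
        b = buckets[cid]
        b["sent"] = sent
        b["recipients"] += 1
        trained = was_trained(roster, emp, sent)
        if not trained:
            b["untrained"] += 1
        if outcome == "clicked":
            b["clicked"] += 1
            if not trained:
                b["untrained_clicked"] += 1
        elif outcome == "reported":
            b["reported"] += 1
    return sorted((Campaign(cid, **b) for cid, b in buckets.items()), key=lambda c: c.sent)


def flag_drift(campaigns, margin: float = 0.10) -> list:
    """Return ids of campaigns whose click rate is more than `margin` (a fraction)
    above the lowest click rate seen in any earlier campaign."""
    flagged, best = [], None
    for c in campaigns:
        if best is not None and c.click_rate > best + margin:
            flagged.append(c.campaign_id)
        best = c.click_rate if best is None else min(best, c.click_rate)
    return flagged


if __name__ == "__main__":
    campaigns = campaign_metrics(RESULTS, ROSTER)
    for c in campaigns:
        print(f"{c.campaign_id} {c.sent}: click {c.click_rate:.0%}, report {c.report_rate:.0%}, "
              f"untrained {c.untrained}/{c.recipients}, trained-only click {c.trained_click_rate:.0%}")
    print("drift flagged:", flag_drift(campaigns))
```

In the constructed data the aggregate click rate rises from 0% to 33% in the third campaign and is flagged, but the trained-only click rate stays at 0%: the regression is entirely churn (two untrained new hires), which calls for onboarding training rather than retraining the whole staff. A rising trained-only rate would instead indicate drift and the need for reinforcement.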
Security education is an opportunity to strengthen communication within an organization so that employees become less susceptible to social engineering attacks. Establishing clear procedures for things like suspicious emails, such as reporting them immediately to the IT department, also helps shape employee behavior.
Given that the ultimate aim is to build lasting reflexes in employees' online behavior, it's imperative that managers respond to training results in a constructive, nurturing way instead of a punishing one.
Recommended Action Items
1. Be realistic about what is achievable in the short term and optimistic about the long-term payoff.
If your goal is behavior change, focus on 2 to 3 behaviors for 12 to 18 months at a time. You can't effectively train on everything.
2. Plan like a marketer and test like an attacker.
Start with communications such as executive messages and videos, department manager messages, and security town halls; then test with simulated phishing and social engineering campaigns and training modules, and reinforce the lessons through regular newsletters.
3. View awareness through the lens of organizational culture.
Focus on understanding the different personalities, drivers and learning styles within your organization. Build a list of recommended tasks based on feedback from a staff questionnaire. This will let you personalize your approach and get the most out of your security awareness program.
4. Leverage behavior management principles to help shape good security hygiene.
Embrace best practices such as formulating goals before starting, getting the executive team involved, prioritizing and making your messages and training relevant, and testing frequently to build security reflexes.
Changing employee behavior to be less susceptible to social engineering requires a consistent and repeatable approach to security education. Security awareness training done right engages users and moves their reflexes from unaware to proactive and competent at identifying potentially hazardous social engineering tactics. Successful behavioral change starts with clear communication to employees on why security education is important, aligned with the organization's unique culture. Rolling out a realistic security awareness training program empowers users to protect themselves and to be part of the solution in fortifying an organization's last layer of security.
As a full suite IT and cybersecurity firm, Restech can help you plan and implement a security awareness program. Contact us to learn more.