With over 90% of successful cyber attacks requiring human interaction, your staff are now the number one point of entry for cybercriminals looking to harm your organization.
In most cases, cybercriminals target people, rather than systems, to gain access to their targeted infrastructure. Cybercriminals aim to exploit human error in about 99% of their attacks by luring employees into clicking on malicious content.
Cybercriminals are effectively viewing your employees as your weakest link in targeted cyber threats. In response, many organizations are engaging their managed I.T. providers to conduct thorough cybersecurity audits in order to understand the current level of risk, and to implement consistent staff training. Currently, the data indicates that the circumstances are far from perfect, with only 28% of businesses running a comprehensive training program more than twice a year.
It’s becoming obvious for many businesses that awareness alone is not enough to change behaviour. So how can you create a cybersecurity culture where best practice becomes standard in your business? The best route is to keep your employees engaged at every step. Here’s how:
Most employees are not cybersecurity experts, so they’re unlikely to relate to jargon and dry statistics. Present cybersecurity as a story or an analogy, or give employees specific examples of potentially risky behaviour.
There are plenty of real-world examples to help you out here. In recent years, you can take your pick of high-profile incidents from LinkedIn, Equifax, Twitter and many more. Tailor specific examples to particular job roles, departments, and bad habits to plot a clear path between today’s actions and tomorrow’s consequences. The more personalized your delivery, the more users can relate, and the faster behaviour changes.
Here is an excellent analogy that we often use during our security training programs:
Cyber-security is no different from any other security – it often comes at the expense of convenience.
Take airport security, for example: travel can be stressful, and no one particularly enjoys the added inconvenience of going through security, taking your laptop out of your bag and your shoes off, but it’s necessary for the safety of flying.
Cyber-security is no different: multi-factor authentication, layers of email scanning, security awareness training; all of these add time and potential inconvenience to the speed of operating our businesses.
However, the inconvenience of any particular security measure becomes minor when you consider the alternative – a security or data breach can cause much larger, costlier issues affecting your entire business.
Keep things interesting
While consistent reminders might seem like a great start, we all know delivering the same message repeatedly often causes staff to zone out, become disengaged, and ultimately ignore the notifications.
We’ve seen clear evidence of this over the past year, with awareness of key phrases falling, sometimes significantly. In this year’s State of the Phish Report, just over half (53%) of users could correctly define phishing, down from 63% the previous year. Recognition also fell across common terms like malware (down 2%) and smishing (down 8%), and only 36% could correctly define the term ransomware.
This highlights the need to keep security awareness training fresh and engaging. It is important to deliver training and education in as many places and formats as possible. The more varied the ways your cybersecurity message is reinforced, the more likely it is to be retained.
The recent decline in cyber security awareness is an area where pandemic fatigue and its impact on workers’ attention spans may be a factor. Employees may feel overwhelmed with the sheer amount of terminology they hear detailing cyberattacks and warnings of dire consequences. It wouldn’t be unreasonable to attribute some of this to general mental exhaustion among staff who simply feel overwhelmed and confused.
In addition, the pandemic put many different pressures on organizations and some may have been forced to de-prioritize employee education programs due to lack of time, resources, revenue, or other factors. During the pandemic, a malicious attack due to human error could have been the final straw for many businesses that were already struggling to stay afloat. There is no better time to place priority on security education, training, and best practices.
Whatever the case may be, it is obvious that it is never safe to assume that your employees will consistently recognize security lingo. This is particularly true if your security awareness training and phishing simulations happen infrequently. Reinforcement is critical to knowledge and skill development; employees must understand the terminology in order to apply it effectively.
Adjust and adapt
One of the biggest challenges we face as a Managed Service Provider is that the threat landscape is constantly evolving, so it is important that your training program does the same. Training should be relevant and current to the threats facing your organization today.
Security training should educate your staff on the motives and methods of common attacks and where they are most likely to encounter them. Most importantly, your employees must understand how they may be manipulated into an action and the potential consequences of taking the bait.
Conducting research into the most attacked people in your organization and the types of attacks they face is important, so that we are able to deliver training in the context of their everyday processes and tasks. Having the proper information allows us to deliver simulations based on real-world examples, helping your staff learn how to put their training into action when it matters most.
Make it fun
We understand that cybersecurity training may not sound like most people’s idea of fun, but there are plenty of ways to keep it positive and even enjoyable. Delivering training in short, sharp modules and using different approaches keeps things fresh and engaging, and brief enough to be digested easily.
Making security training competitive and turning it into a game can also aid the process. The gamification of training modules has been shown to increase engagement and motivation, as well as improving attainment scores in testing.
We want to avoid security training and education feeling like a chore. The more enjoyable we can make the experience, the less resistant your staff will be to taking part.