The Last Layer Of Security-Your Employees

By:  |  Category: Blog, Security  |  Wednesday, July 11th, 2018

Cyber security threats continue to increase rapidly in number and are taking a financial toll on the unfortunate businesses that suffer a data breach. Lately, hackers have turned away from attacking systems head-on; instead, they’ve realized it’s much easier to find someone who, in a moment of weakness, accidentally opens an attachment containing malicious content.

When it comes to battling these growing risks, most organizations continue to trust in technology-based solutions rather than training their employees to be vigilant against the threat landscape and confident in recognizing the red flags of attempted breaches. While both are important, a multi-layered approach is always your best defense.

Sadly, many organizations perceive their employees as liabilities rather than as assets, who, when trained appropriately and incentivized, can be part of a solution to many problems.

There’s a right way and a wrong way to train employees in cyber security awareness. The wrong way approaches training as a once-a-year or semi-annual exercise in which employees are gathered in the break room with snacks and subjected to a long, or sometimes too-brief, PowerPoint presentation. This method treats employees as a passive audience and inadequately engages them. Done wrong, security training feels more like punishment than an opportunity to teach and inspire employees to be active contributors to their organization’s safety and well-being.

The wrong way also reflects a one-size-fits-all organizational mindset, which overlooks the fact that people have differing strengths and abilities, and respond differently to a range of methods by which training material is presented. They also have varying security awareness needs depending on their role and level of access to sensitive information within their organization. Another flaw of the breakroom approach is that the impact of training gets measured in terms of attendance instead of content retention and behavior modification.

A 2016 study of the effectiveness of security awareness training by Enterprise Management Associates, a leading IT industry analyst, reported that nearly 60% of the companies that provide such training were using less effective methods such as the breakroom approach (23%) and the monthly security video approach (36%). As a result, organizations tend to be disappointed by statistically low levels of improvement in behavior. That is likely to cause senior executives to dismiss the whole field of security awareness training rather than question the methods by which it is delivered.

When it’s done right, security awareness training is divided into more digestible components that expose employees to content with greater frequency and variety so it can have a deeper impact. This approach is more comprehensive, interactive and role-based, making it feel more relevant and worthwhile to employees. And because it’s more challenging, it engages the minds and memories of workers much more effectively than when they are forced to passively sit through a presentation once a year or even at more regular intervals.

Security awareness training never occurs in a cultural vacuum. So it’s smart to evaluate the organizational culture and adjust the messaging appropriately. For example, an authoritarian corporate environment in which employees are expected to simply follow instructions without questioning how a task fits into a broader context is likely to require more effort to modify an employee’s behavior or default responses to things like phishing emails than a culture that promotes cooperation and critical thinking and recognizes the value of getting managerial and staff buy-in for new initiatives.

Recommended Action Items

  • Be realistic about what is achievable in the short term and optimistic about the long-term payoff. If your goal is behavior change, focus on 2 to 3 behaviors for 12 to 18 months at a time. You can’t effectively train on everything.
  • Plan like a marketer, and test like an attacker. Start with communications such as executive messages and videos, department manager messages and security town halls; conduct phishing and social engineering testing alongside LMS modules; and reinforce through regular newsletters and digital signage.
  • View awareness through the lens of organizational culture. Focus on understanding the different personalities, drivers and learning styles within your organization. Complete a list of recommended tasks that are designed based on feedback in your company’s staff questionnaire. This will let you personalize your approach and get the most out of your Security Awareness Program. Tasks may include engaging your organization’s stakeholders, creating and completing a baseline phishing campaign, communicating the Security Awareness Program to your employees, reviewing and selecting a primary training module, and creating training campaigns for your quarterly training modules.
  • Leverage behavior management principles to help shape good security hygiene.
  • Embrace best practices such as (a) formulating goals before starting, (b) getting the executive team involved, (c) prioritizing and making your messages and training relevant, (d) phishing frequently, at a minimum of once a month and (e) testing frequently to build security reflexes.
  • Have a vision of what “good” looks like for your organization. Build a network of “security champions” inclusive of all roles and geographic regions across the enterprise. Present to candidates the role of a champion as a developmental opportunity and integrate it into performance and career development plans.

If your business is interested in cybersecurity awareness training, give us a call at 714-970-9330 or contact us at [email protected]
