Humans are often seen as the first line of defense in the cyber security posture of organizations today. By offering security awareness training programs, businesses can educate their employees about a range of growing cyber security risks and what to do if they notice one.
With cybercriminals increasingly targeting businesses and their employees, security awareness training is more important than ever. But despite this, users often pay little attention to cyber training and end up putting their organization’s security at risk as a consequence. So, how can security teams get employees to take training seriously?
Developing a security culture
According to Immersive Labs application security lead Sean Wright, getting staff to understand the importance of security training for themselves and the entire organization is a major challenge currently faced by employers.
“Security training is a tough one to tackle. It often already has a negative connotation associated with it – those pesky security people again – so trying to convince employees that this training is important not just for the organization, but also helpful for themselves, is a challenge,” says Wright.
He argues that a culture shift is needed to solve this problem. “How we get employees to start taking training seriously is a culture shift, in that security culture is developed within the organization. This will help employees get on board with security-related efforts such as training,” he adds.
To develop a security culture and ensure all employees take cyber awareness training seriously, Wright believes many issues must be addressed first. “Remove the ‘no’ stigma. We need to change the perception that we are a roadblock and that, equally, security is a roadblock,” he says.
“We need to focus on and highlight the positives of dealing with security correctly, such as better reputations with customers, less chance of a breach and loss of customers, for example.
“They need to understand why they need to do something and have it explained to them in terms and language which they understand – remove as much of the technical jargon as possible.”
Wright says that organizations must also change the mindset that “security is not my problem” and make it clear that every employee must play their part in improving security across the organization. “Help employees understand that they all have a role to play, explaining why and what the risks are if they don’t,” he says.
Employers should also allocate appropriate time for employees to carry out their security training and ensure it isn’t crammed into one sitting, says Wright. “They will likely just want to rush through it rather than absorb the information from it. Make sure that you get feedback, find out the things which they don’t like, but also importantly what they like,” he adds.
“Try to implement changes which help to address some of the negative feedback or suggestions made. It shows employees also have a voice in the matter and will help drive it to better suit their needs. It also helps with their relationship with the security team, avoiding that ‘no’ mantra and perception.”
Another motivation for employees to participate in security training is that it’ll look good on their resume. Wright adds: “Another positive spin is – especially if they use online services – they could possibly include this on their CVs, so this is as much a benefit to themselves. They also can increase their own security knowledge and awareness for their personal lives. To me, this is a great added advantage.”
Transforming security training
According to ESET security specialist Jake Moore, security training has long been seen as irritating by companies and their employees. “It continues to cause friction between departments with aim often taken at HR for orchestrating it. Making training compulsory is, unfortunately, a necessary evil,” he says.
But he says security training can be valuable and save the company money in the long run if it is delivered well. “Being innovative or creative can be tricky in an often mundane subject, but it can be offered in colorful ways that don’t impact on people’s daily routine,” he says.
“Making it interesting can help with attentiveness to standard attacks such as phishing emails and can help people to slow down and question social engineering techniques often used by threat actors when attempting to gain information or even entry.”
Moore warns that using tests to chastise those with poor scores can hurt staff and should be avoided at all costs. Instead, organizations should reward employees for succeeding in their security training.
“Incentives or prizes for winning scores can help make staff read through modules and raise awareness, which in turn helps create a strong awareness and savvy culture,” he says. “The key, however, is to make training modules short, interesting and effective, peppered with real-life stories which will help raise the understanding behind the education.”
A security awareness program should be an ongoing effort, not a one-off event, says UK Cyber Security Association CEO and founder Lisa Ventura. “Rolling out the same training to your end-users year after year is ineffective. Constantly reviewing and updating your cyber security awareness training program is the key to it being successful,” she adds.
According to Ventura, another good idea is to add security training to the onboarding process so that new employees are aware of different cyber risks and how to respond to them. “This will help to create a security-conscious culture from the start, and making the training mandatory rather than optional is crucial,” she adds.
Ventura believes that the most successful security awareness programs are personal. “Hackers don’t just attack organizations; they target individuals and often use email, social media, and other methods to hack into corporate systems. Employees will be more likely to engage with it if they can see how much it will affect their lives both from a personal and work or corporate perspective,” she says.
Security training is paramount
With cyber risks increasing rapidly, security training is fundamental in every company and organization. Josh Douglas, vice-president of product at Mimecast, says: “The threats that organizations face are growing in number significantly, making cyber security awareness training more important than ever.
“Remote working, in particular, has created many challenges, with employers losing visibility into employee behavior, creating added risk. This is a massive concern, with Mimecast research finding that 70% of IT leaders believe bad employee behaviors, such as poor password hygiene, put companies at risk. This problem can be tackled head-on with cyber awareness training.”
His view is that business leaders should ensure security training programs empower employees to protect their organization. “Organizations can drive this empowerment through a solid program that is more engaging, uses humor, and keeps points concise,” he says.
“To drive that empowerment further, feedback should always be captured from employees and utilized to cater the training best to their needs,” says Douglas.
Mimecast’s own analysis suggests that employees who receive regular awareness training are 5.2 times less likely to click on risky links than those without, while the firm’s recent State of email security report shows only 19% of organizations currently provide ongoing cyber awareness training.
The only way businesses can educate employees about security risks and their role in protecting the entire organization is by providing regular cyber awareness training, says Douglas.
“As remote working becomes the new norm, the knowledge such training provides will be crucial in building the resilience of organizations and ensuring employees can successfully work from home for the long term,” he adds.
Making security training fun
Laurence Pitt, the global security strategist at Juniper Networks, says security training is often dull, corporate, and unrewarding. “Employees may find ways to give the minimum attention possible – watching videos at double speed, multitasking and guessing answers, or hoping the mandate will go away if ignored,” he says.
He argues that something must change and that the answer lies in gamification. “Create custom activities that give a different experience based on responses to questions. Several different routes through an exercise make it more fun. Limit any single security game to 10 minutes – something that fits into a coffee break,” says Pitt.
“Make the training fun. Humans learn better from positive rewards than negative experiences. An additional benefit is that people share something they enjoy and may pass on awareness tips to colleagues, family, and friends.
“Give virtual badges for completion of training, perhaps create a scorecard based on how quickly employees complete their training once assigned. Avoid rewarding right answers or time to complete the task.”
Pitt says combining these ideas could create a fun and rewarding employee experience from security awareness training. “This will require investment, but organizations such as The Infosec Institute have already started to gamify training ideas and may be able to assist,” he adds.
“Investment in security will not be a cheap exercise but will undoubtedly be more affordable than the damage caused by a ransomware attack or accidental data breach. Making training an activity that employees want, rather than have to complete, can only be positive in helping to strengthen your security posture.”
Businesses today face a range of cyber security risks, and the rise of remote working in the past year has only exacerbated them. Making staff aware of those risks through training is one of the most effective ways to mitigate them. But unless that training is engaging and relevant, many employees will continue to pay it little attention and will remain easy targets for cyber-attacks.