How to Future Proof Cybersecurity Postures in the Modern Enterprise

Companies today are facing cyber threats that are constantly increasing in volume, severity and sophistication. Recently, Mailchimp, Riot Games and LastPass all found themselves on the wrong ends of data breaches. These repeated security lapses beg the question: How effective is modern cybersecurity training, and what should organizations do to future-proof it?

Security awareness training in enterprises has come a long way since employees were forced to listen to quarterly two-hour lectures about phishing. Despite advances in training methods, the evidence tells us that companies must use better tactics to ensure employees eliminate mistakes when interacting online.

Let’s take a look at how enterprises can future-proof their approach towards cybersecurity awareness training.

Educate

Cybersecurity training and the messaging around it can often seem threatening to employees. For instance, a company might list the potential ramifications of a data breach, such as brand image loss, system downtime or loss of revenue, and leave employees in fear of clicking the wrong link.

These fear-based methods do not change employee behavior, because employees aren't learning anything. They're merely tiptoeing, trying their best not to bring the company down. The result is a level of cybersecurity know-how that is underdeveloped and cannot cope with modern malicious tactics.

Companies must instead acknowledge the difficulty in spotting malicious tactics and offer as many educational resources to employees as possible. For instance, educating employees about the anatomy of a personal data breach is a good way to emphasize the serious nature of a company data breach.

Offering resources that help employees check whether they have personally suffered from cybercrime builds empathy, leading to more engagement in training. Talking about important incidents (whether internal or external) and highlighting possible steps to mitigate those risks will help companies build a culture of cybersecurity.

Emphasize the ‘why’

In an age where brand trust is a type of currency, cybersecurity readiness has become a differentiating attribute for many enterprises. While executives and customer-facing employees understand this fact, many internally-facing employees do not. To them, cybersecurity is something that simply exists, much like accounting or sales exists. It's someone else's responsibility and is full of technical jargon they do not understand.

Shifting an employee's mindset from this to assuming responsibility for cybersecurity, no matter their technical skill, is essential to boosting training programs. After all, even the best training module will fail to impact an employee who believes the material has nothing to do with them.

One way of explaining the importance of cybersecurity is by quantifying the impact of data breaches. Numbers, charts, and images convey the consequences of such incidents. As noted above, it’s important to remember that the aim isn't to scare employees into accepting cybersecurity. Instead, companies can highlight positive stats, such as how much money an employee will contribute to the bottom line by following basic cybersecurity principles.

Demonstrating the after-effects of negligent security practices on a gamified training platform, framed as part of an action plan, is also a good way to drive home the "why" behind cybersecurity.

Simulate threats

People learn by doing. Companies can trot out as many experts as they like in seminars, but until employees get their hands dirty working through an incident, information is unlikely to stick. Simulations have come a long way over the past decade and currently help companies create realistic environments that simulate breaches.

A basic simulation could walk the user through an incident and demonstrate the negative effects of a breach. A full-blown simulation can have employees deal with threats interactively while rewarding them for good performance.

The data from these platforms can be used to create customized learning paths. The result is a workforce that receives tailored security training, instead of a one-size-fits-all program that leaves many unengaged.

Companies can use simulations to train their technical personnel too. Penetration tests and red team exercises give security teams the training they need to simulate threats and prepare them for real-world incidents.

Hit the right frequency

Deliver training lessons far apart, and employees will forget what they learned. Deliver them too close together, and everything becomes a whirlwind of facts that employees soon forget as they lament being taken away from their core responsibilities for yet another training. There is no single great training frequency.

Much depends on an individual's ability to retain information and apply it. The key to hitting the right frequency is measuring training data and noting the progress each person makes on the training platform. For instance, if an employee is having issues with certain tasks, re-delivering those tasks to reinforce the material is a good idea.

Currently, cybersecurity training assumes every employee has a similar technical background and ability to retain information. While trainers know this isn't true, they have no choice due to limited training windows and the formats used to deliver information.

Gathering feedback from employees regarding training frequency is also a good way to figure out the right frequency when delivering training programs.

Measure the right KPIs

Many companies lack a way of measuring the effectiveness of their training programs. This is because of the way most training is delivered. Group seminars and presentations do not give trainers enough feedback to measure effectiveness.

Even the enterprises that use electronic platforms to deliver training often end up measuring the wrong KPIs, such as the percentage of lessons completed or time spent on the platform. Instead, companies must measure KPIs that quantify the behavior change effectiveness of their programs.

For instance, instead of measuring the number of tasks successfully completed, measuring in-task actions such as methods used or decisions made will let trainers know how employees are behaving under stressful situations.

Rethinking KPIs will help companies understand how their employees are reacting to training and how prepared they are to deal with a real-world situation.
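The following example, added here and not part of the original article, shows the difference between a completion-style KPI and behaviour-based KPIs computed from the same simulation data, and how the per-task results feed the re-delivery idea from the frequency section above. The export format (one record per simulated phishing task, with a "completed" flag and the employee's actual "action") is an assumption made for the example; real training platforms use their own schemas, and the log lines are constructed.

```python
"""Behaviour-focused training KPIs computed from a constructed simulation log.

Assumed record layout (not any real platform's export): one row per simulated
phishing task delivered to an employee, with the lesson-completion flag that
dashboards usually count and the in-task decision the employee actually made.
"""
from collections import defaultdict
from statistics import median

# Constructed sample export. "seconds" is time from delivery to the action;
# None means the employee never acted on the simulated message.
EVENTS = [
    {"employee": "alice", "task": "phish-01", "completed": True,  "action": "reported", "seconds": 40},
    {"employee": "alice", "task": "phish-02", "completed": True,  "action": "reported", "seconds": 55},
    {"employee": "bob",   "task": "phish-01", "completed": True,  "action": "clicked",  "seconds": 12},
    {"employee": "bob",   "task": "phish-02", "completed": True,  "action": "clicked",  "seconds": 9},
    {"employee": "bob",   "task": "phish-03", "completed": True,  "action": "ignored",  "seconds": None},
    {"employee": "carol", "task": "phish-01", "completed": False, "action": "ignored",  "seconds": None},
    {"employee": "carol", "task": "phish-02", "completed": True,  "action": "reported", "seconds": 300},
    {"employee": "dave",  "task": "phish-01", "completed": True,  "action": "reported", "seconds": 120},
]


def completion_rate(events):
    """The completion-style KPI: fraction of delivered tasks marked finished.

    Note that bob scores 100% here despite clicking two of three simulated
    messages, which is exactly why this number says little about behaviour.
    """
    if not events:
        return 0.0
    return sum(1 for e in events if e["completed"]) / len(events)


def behaviour_kpis(events):
    """Per-employee KPIs built from in-task decisions instead of completion.

    report_rate and click_rate are fractions of delivered tasks;
    median_seconds_to_report is None when the employee never reported.
    """
    per_employee = defaultdict(list)
    for e in events:
        per_employee[e["employee"]].append(e)

    kpis = {}
    for name, rows in per_employee.items():
        reported = [r for r in rows if r["action"] == "reported"]
        clicked = [r for r in rows if r["action"] == "clicked"]
        kpis[name] = {
            "delivered": len(rows),
            "report_rate": len(reported) / len(rows),
            "click_rate": len(clicked) / len(rows),
            "median_seconds_to_report": (
                median(r["seconds"] for r in reported) if reported else None
            ),
        }
    return kpis


def reinforcement_queue(events):
    """Tasks to re-deliver: every simulated message an employee did not report.

    This is the per-task view the frequency section calls for: the specific
    tasks an employee struggled with, rather than an aggregate score.
    """
    queue = defaultdict(list)
    for e in events:
        if e["action"] != "reported":
            queue[e["employee"]].append(e["task"])
    return {name: sorted(tasks) for name, tasks in queue.items()}


if __name__ == "__main__":
    print(f"completion rate: {completion_rate(EVENTS):.3f}")
    for name, k in sorted(behaviour_kpis(EVENTS).items()):
        print(name, k)
    print("re-deliver:", reinforcement_queue(EVENTS))
```

Run as a script to see that the completion rate is high for everyone while the behaviour KPIs single out one employee who clicks and never reports; the queue lists the exact tasks to schedule again for that person rather than sending the whole workforce another round of training.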

Effective security training is critical

Security training is critical to preventing cybercrime. The current state of security training leaves a lot to be desired, and companies have a lot of room to improve. Rethinking training formats and measuring the right KPIs will help companies design training programs that impact employees and prevent security incidents.
