With the necessity of remote work creating a deluge of additional cybersecurity risks in the COVID era, and the financial and reputational consequences of experiencing a security incident at an all-time high, businesses are under enormous pressure to constantly and proactively protect their assets.
Untargeted security awareness may do more harm than good.
Security awareness can help businesses bolster their cybersecurity efforts and, as an added benefit, it can ensure compliance and adherence to best practices such as NIST, ISO 27001 and PCI-DSS. Historically, security awareness has largely involved implementing basic cybersecurity training, online learning modules and simulated phishing exercises. It can help employees learn to avoid clicking on common phishing scams, recognize that they have a role to play in enforcing cybersecurity and become more familiar with the nature of threats such as phishing.
Still, many cybersecurity awareness initiatives fall flat, as general awareness and phishing simulations can’t guarantee action. Equally detrimental to security awareness success is a lack of targeting. When training isn’t sufficiently personalized, employees fail to engage, or worse, they ignore training campaigns entirely, either because they operate under the misguided assumption that they’d never fall victim to a security incident or because they see the training as a waste of valuable time.
By relying on untargeted, lengthy, and vague exercises that aren’t aligned with real-world or relevant situations, businesses risk having their security awareness efforts do more harm than good.
Best practices for next-generation training
To optimize cybersecurity training and build security awareness campaigns that are more relevant to today’s risk landscape, businesses should abide by the following best practices:
- Distribute personalized content based on employees’ individual risk profiles, roles and awareness needs. Thanks to technological advancement, it’s relatively straightforward to hook into existing security and IT tools to better understand employees’ specific risk profiles. Security and IT tools also indicate when the last security incident occurred, which allows trainings to be appropriately timed. HR systems and Active Directories can determine each employee’s role, and employee surveys can confirm the awareness needs of each employee. By leveraging all of this data cumulatively, businesses can design highly personalized training and awareness campaigns that meet the unique needs of their organization.
- Stop focusing solely on phishing. While common in security awareness and training initiatives, phishing simulation is a limited tool. What’s more, the world is moving away from email to other cloud-based tools. Businesses are better off accounting for all human actions that could lead to security incidents (e.g. actions taken on social media and other cloud-based tools) and teaching their employees the right behaviors across a variety of form factors. By using data collected via email, online, cloud security tools, and cloud productivity platforms, businesses can engage employees more holistically and effectively, as opposed to relying on antiquated phishing simulations that are often ignored.
- Prioritize the tracking of key metrics. The specific metrics worth tracking in a training initiative depend on the organization, but some may find measuring at least 30 different metrics necessary. After all, it’s critical to be able to objectively delineate what tactics are working and, if those tactics aren’t working, leverage that information to immediately course correct. Integrating all measurements with other cybersecurity tools currently in use will make the tracking of key metrics even more productive.
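The three practices above, worked through as an added example that is not from the article: a risk profile is assembled from a security-tool feed (last incident, recent phishing clicks), a directory role and a survey score, the profile drives module selection and cadence, and a couple of campaign metrics are computed over the resulting plans. All employee records, the role-to-module catalogue and the scoring weights are constructed assumptions for illustration.

```python
from datetime import date

# Constructed sample data: what an HR/AD export, a security-tool feed and an
# awareness survey might yield for three employees (values are made up).
EMPLOYEES = [
    {"id": "e1", "role": "finance", "last_incident": date(2021, 3, 1), "phishing_clicks_90d": 2, "survey_score": 40},
    {"id": "e2", "role": "engineering", "last_incident": None, "phishing_clicks_90d": 0, "survey_score": 80},
    {"id": "e3", "role": "sales", "last_incident": date(2020, 6, 15), "phishing_clicks_90d": 1, "survey_score": 60},
]

# Hypothetical role-specific module catalogue (an assumption, not from the article).
ROLE_MODULES = {
    "finance": ["invoice-fraud", "wire-transfer-verification"],
    "engineering": ["secrets-in-code", "cloud-sharing-permissions"],
    "sales": ["social-media-pretexting", "cloud-sharing-permissions"],
}

def risk_score(emp, today):
    """Combine incident recency, phishing behaviour and self-reported awareness into 0-100."""
    score = 0
    if emp["last_incident"] is not None:
        days_since = (today - emp["last_incident"]).days
        score += max(0, 40 - days_since // 10)  # recent incidents weigh most, decaying over ~400 days
    score += min(30, emp["phishing_clicks_90d"] * 15)  # repeated clicks cap out at 30 points
    score += (100 - emp["survey_score"]) * 0.3  # low self-assessed awareness raises risk
    return round(min(100, score))

def plan_training(emp, today):
    """Pick modules by role and set cadence/depth by risk, so timing follows the incident data."""
    score = risk_score(emp, today)
    modules = ["phishing-basics"] + ROLE_MODULES.get(emp["role"], [])
    if score >= 60:
        cadence_days, depth = 14, "short-interactive"
    elif score >= 30:
        cadence_days, depth = 30, "standard"
    else:
        cadence_days, depth = 90, "refresher"
    return {"id": emp["id"], "score": score, "modules": modules, "cadence_days": cadence_days, "depth": depth}

def campaign_metrics(plans, completed_ids):
    """Two of the metrics worth tracking: completion rate and share of high-risk employees."""
    total = len(plans)
    done = sum(1 for p in plans if p["id"] in completed_ids)
    high = sum(1 for p in plans if p["score"] >= 60)
    return {"completion_rate": done / total, "high_risk_share": high / total}

if __name__ == "__main__":
    plans = [plan_training(e, date(2021, 4, 1)) for e in EMPLOYEES]
    for p in plans:
        print(p)
    print(campaign_metrics(plans, {"e1", "e3"}))
```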
Applying behavioral modeling to cybersecurity can facilitate positive change.
Equally important when establishing next-generation security training and awareness is taking into account behavior modeling, and applying it to cybersecurity to facilitate individual changes in employees’ behavior. Based on Stanford scientist B.J. Fogg’s research, the necessary elements of an individual behavior model can be divided into three principal categories:
- Motivation: According to Fogg, the three core human motivational elements are pleasure/pain, hope/fear, and acceptance/rejection. In a business setting, executive communications and their actions set the ground rules, which helps create a like-minded community based on core corporate values. Defining specific cybersecurity policies is a crucial step in setting up the expectation of the desired behavior.
- Ability: Giving employees the right awareness and tools to help them perform their day-to-day tasks with ease is paramount. Furthermore, awareness education, development of skills to deal with adversaries, and security protection technologies with the right policies will empower employees to protect their organization from threats.
- Nudge: Even if employees possess the necessary motivation, ability, and skill, they still require constant reminders to apply their knowledge at the right moment until habits are formed. Continual communication and action from management will not only help motivate employees, it will also help remind employees of the organization’s corporate values and guidelines.
Combating cyber risk requires prioritizing employee education and engagement.
Ultimately, any successful cybersecurity strategy must incorporate personalization. When applied to security training and awareness, personalization emulates the effects of stop signs and lane assist technology: it forces employees (or drivers), all of whom work (or drive) differently and assume accidents could never happen to them, to stop when required or proactively avoid accidents. By reducing the number of accidents that occur, personalization enables cybersecurity personnel to spend less time investigating incidents and repairing any damage, which lowers organizational costs and saves time for employees, too.
Combating cyber risk is an undoubtedly complex task, and there’s certainly no silver bullet to solve the slew of ever-changing security issues. However, by recognizing that human actions cause over 90% of security incidents, businesses have an opportunity to adjust their cybersecurity strategies and prioritize the most crucial element of any organization: the employees.
Fortifying security training and awareness with targeted personalization and behavior modeling will better equip employees to reduce businesses’ risk levels, while also serving as a key pillar of an organization’s cybersecurity posture. And in the ever-challenging COVID-19 era, personalization and behavior modeling allow existing budgets to be used to achieve stronger security outcomes with measurable ROI.