In today’s digital age, one employee error can open the floodgates for bad actors to exploit vulnerabilities and impact an organization’s cybersecurity and core operations. Conducting a quick internet search to find an outside vendor or simply leaving the job up to the internal information technology (IT) department is not enough to cover all the bases in the increasingly complex world of security.
Widespread data reveals that employees are the leading cause of cyberattacks, with human error causing 9 out of 10 breaches and the average cost of those breaches doubling yearly from 2020 to date. The real blame, though, falls on current cybersecurity awareness programs, which are often not delivered at the right pace or by well-informed instructors. It is imperative that organizations generate buy-in from executives for strong cybersecurity awareness and training programs that reach all employees.
Some cybersecurity awareness programs are difficult to sit through and rarely reflect the nuances of the responsibilities of each employee. If done properly, a security awareness program that instills a level of personal ownership and responsibility can make the employee the most important part of cybersecurity.
The following are four tips to ensure that a cybersecurity awareness program is both engaging and effective.
In-house or third-party training
Before creating a program, consider whether the security team will have the resources to derive the same valuable threat intelligence as a potential vendor.
There are a handful of questions organizations should ask before making this decision:
- How big is the security team?
- Does it have adequate time, capability and budget?
- Should consultation with a security advisor be considered?
If the team has the resources and experience to develop and deploy a strong program, then in-house training may be a viable option — but with that decision comes a host of additional considerations to maximize efficacy.
If it is more reasonable to rely on a vendor, find a provider equipped to respond to the specific needs of the organization’s attack surface, as this can be highly variable from industry to industry and from company to company.
Then, on a more tactical note, consider if this contract will be a one-off engagement or run for an extended period, and if the vendor is needed to supply a complete program or if a limited contract might suffice.
Personalize the security awareness program
Employees are more likely to absorb a lesson if it directly relates to their daily work. Organizations must ensure that, to whatever extent possible, their program is relevant and that the information is personalized and timely to what employees may see or experience at work. If using a vendor, evaluate whether that vendor can provide real-life examples and threat intelligence to add color to the training so employees can relate to it and understand its value.
Remember that easy learning is easy forgetting. Employees should be exposed to a considerable range of potential threats in their training so they are better prepared to handle a variety of highly complex attack vectors in real life. Organizations should also practice retrieval of this learning — threat exposure should not just be a part of onboarding, but rather a continuous effort of regular refresher training.
Ensure leadership support
Employees model the behaviors practiced by their leaders. If executives do not consider security a business priority, they can be assured that their employees will not either.
Leadership can see to it that their program is especially worthwhile and effective by exposing new hires to an organization’s training program within a month (at most) of that person joining the team. If leadership wants an effective program, they need to ‘walk the talk’ and, if possible, reinforce cybersecurity messaging like any other relevant topic in their meetings. Annual general security refreshers, quarterly phishing campaigns and regular automated threat testing will send the message that leaders are invested in their team’s security awareness.
Staggering training sessions and reviews is essential to avoid cognitively overloading employees — modules should last about 10-15 minutes and be interactive. Taking special care in setting the timeline of a cybersecurity awareness program will maximize efficiency while avoiding employee mental strain. In addition, messaging should take diversity and inclusion into account where possible.
Use a reward system to incentivize employees
Organizations should lead with positive reinforcement to incentivize the program, for example through honorable mentions, naming security champions of the month, or offering tangible rewards such as merchandise. Management should also develop metrics to measure the success of the program for visibility and accountability purposes.
Organizations that can find the right balance of monitoring, threat detection and user awareness will see the most success protecting their people and systems against the ever-evolving world of cyber threats.