Effective corporate cybersecurity assumes that people — your employees — do the right thing. That they don’t hand over their passwords to a caller who claims to be from the IT department doing a “credentials audit.” That they don’t wire $10 million to an Indonesian bank account after receiving a midnight request from “the CEO”.
That they don’t install an “urgent update” to Flash Player because a pop-up on a porn site told them to. That they don’t overshare on social media. That they don’t store company information on file-sharing services outside the firewall. That they don’t connect to unsecured Wi-Fi networks. And that they don’t click on links in phishing emails.
Our research shows that 75+% of security incidents are caused or aided by employee errors.
Sure, you’ve installed endpoint security, email filters, and anti-malware solutions. Those precautions will probably be for nothing, though, if your employees do the wrong thing time and again when in a dangerous situation. Your cybersecurity controls are like a fancy car alarm: if you don’t teach your teenager to lock the car at the mall, the alarm is worthless.
Security awareness isn’t enough, of course. Employees will make mistakes, and there are some attacks that don’t require an employee misstep. That’s why you need endpoint security, email filters, anti-malware, etc. But let’s talk about effective security awareness training.
Why Training Often Fails to Have an Impact
First – in my experience, a lot of employee training, well, sucks. That’s especially true of online training, which is generally terrible. But in most cases, whether live or canned, the training lacks credibility, in part because many IT professionals are poor and unconvincing communicators. The training often focuses on communicating and enforcing rules – not changing risky behavior and habits. And it’s like getting mandatory photocopier training: There’s nothing in it for the employees, so they don’t buy into it.
It’s not about enforcing rules. While security awareness training might be “owned” by different departments, such as IT, the CISO, or HR, there’s often a lack of knowledge about what a security awareness program actually is. First of all, it’s not a checkbox; it has to be ongoing. The training must be delivered in different ways and at different times, with a combination of live training, newsletters, small-group conversations, lunch-and-learns, and yes, even online resources.
But a big problem is the lack of goals or objectives. If you don’t know what you’re trying to do, you can’t see if you’ve done a good job in the training — and if risky behaviors actually change.
Here are some sample goals that can lead to effective security awareness training:
- Provide employees with the tools to recognize and handle ongoing daily security threats they might receive online and via email.
- Let employees know they are part of the team, and they can’t just count on the IT/CISO teams to handle security.
- Stop the cycle of “unintended ignorance” about safe computing practices.
- Change mindsets toward more secure practices: “If you see something, say something”.
- Review company rules and procedures, explaining them in actionable ways that are relevant to employees’ day-to-day work.
Make it Relevant
No matter who “owns” the program, it’s essential that there is visible executive support and management buy-in. If the execs don’t care, the employees won’t either. Effective training won’t lean on tech buzzwords; instead, it will focus on changing behaviors. Relate cybersecurity awareness to your employees’ personal lives. (And while you’re at it, teach them how to keep themselves, their family, and their home safe. Odds are they don’t know and are reluctant to ask.)
Here’s a good place to start: teach your employees how to deal with the theft of their personally identifiable information. Read the blog “The Equifax Security Breach – 5 Recommendations to Protect Yourself!” by Michael Levin from The Center for Information Security Awareness (cfisa.org).
Or if you’re worried about ransomware, start with this webinar by Michael Levin and Ziften’s Dr. Al Hartman addressing “Tips on Addressing Security Awareness and Ransomware Protection”.
To make security awareness training truly relevant, solicit employee ideas and encourage feedback. Measure success: did the number of employees clicking links in phishing emails (real or simulated) go down? Did more of them report suspicious messages? How about calls to tech support stemming from security violations? Make the training timely and real-world by including recent scams in the news; sadly, there are so many to choose from.
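To make “measure success” concrete, here is an added example (not code from the original post or from the Center for Information Security Awareness) that scores phishing-simulation results the way an awareness program owner would: per-campaign click, credential-submission, and report rates, the change between two campaigns, and the list of repeat clickers who need targeted follow-up. The event log is constructed sample data; the campaign names, user names, and event vocabulary (`delivered`, `clicked`, `submitted`, `reported`) are assumptions, not the format of any particular simulation tool.

```python
from collections import defaultdict

# Constructed sample data (not real results): one row per simulated-phishing
# event, as (campaign, user, event). Event names are an assumed vocabulary.
SAMPLE_EVENTS = [
    ("2023-Q1", "alice", "delivered"), ("2023-Q1", "alice", "clicked"),
    ("2023-Q1", "alice", "submitted"),
    ("2023-Q1", "bob", "delivered"),   ("2023-Q1", "bob", "reported"),
    ("2023-Q1", "carol", "delivered"), ("2023-Q1", "carol", "clicked"),
    ("2023-Q1", "dave", "delivered"),
    ("2023-Q2", "alice", "delivered"), ("2023-Q2", "alice", "clicked"),
    ("2023-Q2", "bob", "delivered"),   ("2023-Q2", "bob", "reported"),
    ("2023-Q2", "carol", "delivered"), ("2023-Q2", "carol", "reported"),
    ("2023-Q2", "dave", "delivered"),  ("2023-Q2", "dave", "reported"),
]


def campaign_metrics(events):
    """Per-campaign rates, computed per unique recipient.

    A user who clicks the same lure twice counts once, and only users who
    were actually delivered the lure are counted, so rates stay in [0, 1].
    """
    per_campaign = defaultdict(lambda: defaultdict(set))
    for campaign, user, event in events:
        per_campaign[campaign][event].add(user)

    metrics = {}
    for campaign, by_event in per_campaign.items():
        delivered = by_event["delivered"]
        n = len(delivered)

        def rate(event_name):
            # Intersect with delivered so stray events never inflate a rate.
            return round(len(by_event[event_name] & delivered) / n, 3) if n else 0.0

        metrics[campaign] = {
            "delivered": n,
            "click_rate": rate("clicked"),
            "submit_rate": rate("submitted"),
            "report_rate": rate("reported"),
        }
    return metrics


def trend(metrics, earlier, later, key):
    """Change in one rate between two campaigns.

    Negative is good for click_rate / submit_rate; positive is good for
    report_rate, which is the "if you see something, say something" signal.
    """
    return round(metrics[later][key] - metrics[earlier][key], 3)


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns.

    These are the people generic annual training has not reached; they
    are candidates for a small-group conversation rather than another video.
    """
    clicks_by_user = defaultdict(set)
    for campaign, user, event in events:
        if event == "clicked":
            clicks_by_user[user].add(campaign)
    return sorted(u for u, c in clicks_by_user.items() if len(c) >= min_campaigns)


if __name__ == "__main__":
    m = campaign_metrics(SAMPLE_EVENTS)
    for campaign in sorted(m):
        print(campaign, m[campaign])
    print("click_rate change :", trend(m, "2023-Q1", "2023-Q2", "click_rate"))
    print("report_rate change:", trend(m, "2023-Q1", "2023-Q2", "report_rate"))
    print("repeat clickers   :", repeat_clickers(SAMPLE_EVENTS))
```

Two cautions when reading these numbers: a falling click rate only means something if the lure difficulty was held roughly constant between campaigns (an easier lure in Q2 will “improve” the metric on its own), and the report rate is usually the better indicator that behavior has changed, because reporting is an action employees must choose to take rather than one they merely avoid.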
In short: Security awareness training isn’t fun, and it’s not a silver bullet. However, it is essential for ensuring that risky employee behaviors don’t undermine your IT/CISO efforts to secure your network, devices, applications, and data. Make sure that you continually train your employees, and that the training is effective.