Security Awareness: 5 Ways to Educate Your Employees
Security awareness training is the number one tool needed to build a culture of cybersecurity. For a business to remain secure, employees from the top levels of senior management to the most introductory level jobs need to buy into the importance of cybersecurity. Employee training sessions, however, are like those required introductory college courses. People feel they already know the information so they only half-heartedly pay attention and then wing the quizzes at the end hoping for the best, sort of like those college essays they hated writing. Unlike a college essay, security awareness has long-term financial and reputational risk implications. The 2016 IBM Cost of Data Breach Study indicated that individual breaches cost an average of $4 million and that the cost of a single lost or stolen record is $158. This means that to get employees to take security awareness seriously you need to make training a priority and that you need to make that training something they will remember.
Security Awareness Matters
Learn What Your Employees Know
Before you begin to put together a training program, you need to start with a baseline. Training programs are only effective when they advance knowledge and understanding of the topic. Many places offer online training programs that meet standardized needs. Starting with these kinds of programs is one way to get a basic sense of what employees know. Unfortunately, just like with school test, these pre-written training programs target general information that is often repeated. Employees can easily read and respond to multiple choice questions. However, for a training program to be effective, it also needs to address people’s real life reactions to situations. To effectively test your employees, you want to find ways that reach not only what they’ve memorized but how they would act in each situation. Matt East of SnapComms, a consulting firm that trains employees, notes,
The best way to pre-test employees is to run either a survey or quiz which will give you an indication of awareness that exists in the business. However, if you want to run an internal test to see how staff respond to threats, (such as a simulated phishing attack) running something like a simulated phishing attack can have a strong impact – and you’ll find out quickly how vulnerable your company is.
When running the attack you can keep staff up to date with the situation using Alerts or scrolling ticker headlines. This approach can have a particularly strong impact if the phishing attack is a test run by the internal team and can be used to “name and shame” those who are caught out on screensavers and in the company newsletter. (Especially if it is done in a fun way and backed up with information on how to spot phishing attacks).
When running a pre-test like this, you not only see where vulnerabilities lie, but you also engage your employees in new ways that make security more realistic.
Treat Security Awareness Training as a Training
Once you have a baseline of employee knowledge, you want to target the areas where your organization needs information security strengthening. Moving beyond online training webinars and quizzes means creating content focused for your organization’s needs. To do this, you need to think about what makes employee training effective. One of the best ways to engage employees is to keep the training concise and focused. Several one-hour, targeted trainings are more effective than one single five-hour training, and even shorter sessions are possible. SANS Securing the Human training uses 5-7 minute modules with a few multiple-choice questions at the end. Users can take their assigned modules at their own pace, and the shorter, more focused modules (e.g. Phishing, Social Media Use) make more of an impact than covering the gamut of security awareness topics in an hour-long training. If you determine your organization’s employees need to review passwords and phishing, instead of combining them into one session where the issues may end up confused, split it into two sessions. Although people may grumble about having to do multiple trainings, the training is ineffective if they do not retain the information.
Make the Training Interactive
Everyone hates lectures. With smartwatches that have games, gone are the days of needing a laptop with Mahjongg installed to ignore that boring speaker in front of the room. Most of the ways to enhance memory and information retention involve active processes on the part of the learner. When employees sit in a training with nothing but lecture and presentation slides, they are less likely to retain the information. This means that the information should be presented in interactive ways. Although this is time intensive, the investment is worth it for something this important.
Continue the Training Throughout the Year
Engaging employees in security awareness means more than once a year training. Security needs to become a habit about which people no longer think but do reflexively. This means that ongoing training is particularly important. Matthew Pascucci of Frontline Sentinel proposes the gamification of the ongoing training. When asked about competitions to engage employees, he shares,
I’ve created competitions, normally during the holidays, to get people engaged in with security awareness. Most of the times this was during Christmas or another holiday that deemed it worthy of attackers sending users phishing emails. With these competitions, I would have a weekly email sent out (one was a real phishing email that was sent to us, one was from Websense with videos, etc) that were progressively harder. They had to pick out what was wrong with the email to help identify phishing and send the security awareness group the proper answers. At that point, they were entered into the drawing for a prize. We randomly pulled the winners at the end of the day and the grand winner won an iPad, etc.
For physical security, I set up a cube with all the things that you weren’t supposed to do (E.G left the computer on, desk drawers open, confidential data on the screen, printouts on the wall of Visio’s, etc. People would have to walk up to the cube and decide what was wrong and send their responses to the awareness team again.
I also wrote a monthly newsletter on cyber security that was sent out to the company. The topics toggled from corporate to personal every other month to keep the users interested. We actually had people bring them home and review them with their kids. I put a lot of humor in here, some which HR took out (LOL), but people were always interested in reading them because of the topics and “edge” that we gave them. After they were sent out I’d give a Webex open to the company with a PowerPoint of the newsletters topics to ask any questions.
People’s naturally competitive natures means that they will not only be engaged, they will be educated in a way that leads to permanent behavioral changes. In addition, sending out awareness reminders tied to specific attacks to which an organization has recently been exposed. For example, if an organization has recently been subjected to ransomware attacks, provide tips to spot these types of attacks. Then add these types of attacks to your ongoing gamification of security training.
Create a Culture
Ongoing security awareness training matters because it helps create a corporate culture of awareness. Good security practices need to become second nature or just plain old good habits. Employees, regardless of their level in the organization, come in with the habits that they practice at home. In a lot of ways, CISOs must help retrain the brain of everyone in the organization. To do this, CISOs need to have the C-suite on board. When thinking about corporate culture, executives traditionally focus on corporate values.
For CISOs, the difficulty comes from helping those same executives incorporate security awareness as part of the ideal of being a responsible employee. In his Forbes article, “How to Build a Great Company Culture,” Todd McKinnon of Okta explains the six best ways to accomplish that goal. He explains that to build a corporate culture the executive leadership needs to assign an owner, set the tone, create an organizational structure that drives it, hold offsite trainings, prioritize and focus, and communicate. Many of these same strategies apply to setting a corporate culture of security awareness as well. For example, even though CISOs are often in charge of security awareness training, there may be overlap between individual managers, human resources, and information technology departments regarding who, when, and how to hold these.
Ensuring that a single individual is responsible and that the responsibility is appropriately assigned within a company gives employees a sense of where within the organizational structure their behavior fits. In the same way, it’s important to create an organizational structure that shows employees, from c-suite down, everyone’s responsibility within the security awareness realm. These clear lines of responsibility can help communicate between the different authority levels of the organization. The CISO might oversee ensuring ongoing training, but it is also the CEO’s responsibility to engage in those trainings as a role model to other employees.
This kind of integration creates an overall philosophy that supports awareness and shows the company’s priorities and focus on security awareness. In the same way, those ongoing short trainings act as continual reminders that help focus employees and remind them of the importance of security in all parts of their work lives. Finally, continually training, even on a micro-level, communicates the ever-present importance of security awareness as part of daily routine. To build a culture of security awareness, employees need to see it as integral to their own daily work lives and act responsibly of their own accord without even thinking.
Experts agree that the best way to protect an organization from security threats is to create a culture of awareness. Creating a culture means that all employees are not only aware of risks but care about spotting them. Employees may not see the value in security awareness when faced with abstract, large numbers on a document. When they see the way that security creeps into their daily actions, they are more likely to take notice of how they may be accidentally complicit in making a workplace vulnerable. With the right approach and the right strategies, you can get everyone to see security not only as important but as second nature.