Consider Security Training as Security Marketing
As over 90% of security incidents are connected to human error, many companies are initiating security training to counter the risks to business.
However, that exceedingly high figure would make you reconsider what’s happening with the security training. The problem can be that the content is boring, mandatory and a one case fits all does not mitigate the risks.
Making end users aware of cyberthreats has great potential for the business and therefore, security awareness training should be part of a layered defence strategy.
According to a study authored by cybersecurity executive Calvin Nobles titled “Shifting the Human Factors Paradigm in Cybersecurity, Nobles found that while organisations are investing heavily in security technology, they are still lagging behind when it comes to security training initiatives.
Lisa Plaggemier, security evangelist at InfoSec Institute, feels similar, stating that employees may well be aware of the cyber risks but do not necessarily change their behaviour. She states that employees openly violate security policies. They log in using unsecured public networks, use work devices for personal transactions, download unapproved software, share passwords and unknowingly open malicious attachments from phishing attacks.
She believes this should be more a case of not whether companies train, but actually how they engage their employees and empower them to feel a sense of ownership of the company’s security.
Nobles also found that the culture of the company plays a significant role. A culture that is employee-focused and team-oriented, with open communication and a positive work atmosphere, is more likely to have employees who feel both empowered and valued. In turn, they value the company.
One of the greatest challenges to the success of cybersecurity is to create a change in the culture rather than just training the staff. To change the culture of a company, its employees need to buy in, and that buy-in must come from the top down. Fortunately, cybersecurity is moving from being a mysterious, frightening, negative aspect of a business and is now receiving ongoing investment, rather just being an option.
Plaggemier suggests that awareness campaigns should look more like marketing campaigns. Most current training is one size fits all and can be disengaging, mandatory, hard line messages. However, a tailored approach, to the right person at the right time, can be engaging & funny and can spark interest. Employees are then more likely to get on board with the security culture and are much more likely to learn. If employees are fully engaged, they are more likely to feel they have a responsibility for the business and therefore more likely to take action.
It is important to offer a clear message as to why security matters and put it on a level with other messages that your employees view throughout the day.
One off training exercises also lack any tracking. Tracking facilities enable you to see whether people are actually learning and changing their behaviour. It’s not about who has had the training, but who has learnt and is also engaged for the future.
Need assistance to implement a fully integrated security training campaign?