Properly equipping employees is an essential part of any information security program, and with the rising costs of data breaches it has become even more so. According to IBM Security research, the average total cost of a data breach is now $3.86 million dollars, and that number is rising by an average of 6.4% every year. Human error accounts for 27% of breaches, with another 48% coming from malicious or criminal attacks–such as phishing attacks or malicious insider employees.¹ With employees’ being affected by 75% of attacks, it has become paramount to the security of an organization to have a well-trained workforce. But what does that mean? How can organizations train their employees in a way that best equips them to protect the organization from malicious attacks, whether internal or external?
First of all, employees in every business unit should be required to take training, including your executive teams and IT. If certain groups are exempt, or if you assume they will always remember to implement what they already know, you miss the opportunity to foster an environment of awareness, and may be setting yourself up for a dangerous breach. It is worthwhile, however, to consider providing specialized training for each group to ensure content is relevant. If you take a one size fits all approach to training, you are going to lose people right at the outset. It is widely accepted that children in schools learn differently and have varying levels of mastery, but many seem forget this completely when it comes to corporate training. So the first and most important principal is to tailor your learning experiences not only to your organization, but to your people.
Beyond making sure everyone receives regular, customized training, there are a few key things that organizations should consider when developing security awareness training (SAT) programs. The first concept is a term called people patching that was coined by security training professionals at EdgePoint Learning². You can think of people patching the same way that you would think of patching servers. It is very common for organizations to conduct a single 45-minute to 1-hour awareness training, and possibly conduct one or two phishing exercises, then move on, but when you think about patching in terms of servers, you can see how absurd it would be to only update a server once a year. In the same way, we have discovered that repeated, engaging training over the course of a calendar year is the most effective way to properly train employees. According to the InfoSec Institute, proper security training can reduce the likelihood of compromise via phishing campaigns by up to 75%.³
Just performing security awareness training several times a year isn’t enough either, though. So how can you supplement? There are many creative ways to do this, starting with the traditional avenues, like in-person training presentations, interactive online training, games like those provided by KnowBe4, and videos or webinars put on by industry professionals. While these training methods can be very informative, and we recommend some use of them, simply inundating your employees with constant 5 to 10-minute training videos is not engaging, and may result in less effective awareness training. TRUE recommends adding a few instances of interactive training spread out in-between the more typical training methods. To support our clients’ efforts, TRUE has developed a number of creative, interactive training methods for our clients. One such example that has been very well received is interactive cybersecurity awareness escape room that can be set up on-site for clients. Employees sometimes sign up to go through these escape rooms together, making it even more fun to leave their desks and engage in a beneficial activity. Feedback on these sessions indicates high levels of engagement, as well as high retention rates. They give people a chance to put into practicethe concepts they are learning in all those 5-10 minute videos and training sessions, through an experience that is not only “gamified”, but closer to real-world (where they’ll actually be using all of these valuable personal cyber security skills). Knowing that there are chances to use these concepts also supports motivated learning when they return to traditional videos or live presentations, so it becomes cyclical learning.
In addition to the escape room, workshops for personal security, rather than a constant focus on workplace security,provides an excellent opportunity to engage employees. This can include everything from social media privacy protection, to cell phone use, to avoiding becoming a victim of malware or adware. The most popular sessions TRUE has developed, with skills that carry directly over into workplace practices, include helping employees set up two-factor authentication on their financial accounts, or walk-throughs of how to up a password manager for their personal accounts. Both are excellent ways to help employees apply important security principles, while providing them with value in their personal lives–and let’s face it, an employee is much more likely to listen to training about how to secure their personal bank accounts than their work accounts. So if your organization can conduct security training in such a way that your employees see concepts as beneficial to themselves, rather than just organizationally beneficial, the way those employees view the training will shift dramatically. In the end, though, the organization still benefits, because the same principles will apply to their security practices at work
What’s important to remember here is to experiment and get creative. Interactive training is not limited to these two examples, so don’t be afraid to try something new with your employees. Just remember, not everyone learns in the same way, so it is best to provide multiple avenues for learning. Nobody learns exactly the same way, so observe what your employees like or talk about, and tailor the experiences to your own culture.
Once you have a plan for regular, creative, and personally beneficial training opportunities, the final piece to making your program effective is to reward staff for their efforts. This follows the mindset of keeping things positive and supportive, not overly punitive. To that end, we encourage employers to provide incentives, like tickets to raffle drawings based on attendance to the different training options. This is something fun that enhances their work experience and helps them look forward to training, not dread it. Trust us, if you make it worth their while, the next time you invite staff to a session, they’ll be lined up at the door.
To summarize, if your organization conducts inclusive, engaging training that supports employees’ personal security and cyber safety, the organization will also benefit. Either way, though, you must ensure that all employees take some form of security awareness training. A one size fits all approach doesn’t typically work well, and that applies to security awareness training as well. People have long been one of the greatest risks to an organization, it’s time we start protecting them like it.
To learn more about how TRUE can help your business strengthen it's security posture, visit our Consulting & Assessments page.
Sources:
¹ https://www.ibm.com/security/data-breach
² https://www.edgepointlearning.com/blog/cyber-security-training/