The purpose of a security awareness program is to strengthen your company’s resilience and reduce the risk of a data breach. Today, the most significant risk in an organization is not on the technical side. Instead, most CISOs dread the actions, or the inaction, of their employees. Just one careless click that downloads malware or takes people to a website that’s phishing for passwords could lead to a severe incident.

Focusing only on creating more awareness of information security threats does not work. Typically, training consists of reading materials, watching videos, filling in quizzes every now and then, and sometimes infrequent phishing training.
You may have heard the famous quote from Goethe: “Knowing is not enough; we must apply. Willing is not enough; we must do.” The same goes for security training. While knowledge is essential, you should never ignore practice. Traditional methods that focus only on gaining knowledge without taking action don’t work. Without enough practice, people won’t know what to do when they see a dangerous email. Through continuous training, you can show them the threats that target them and reinforce the right cybersecurity behavior.

The right behavior that develops with continuous training is that people confidently recognize and report threats, and they don’t try their luck by interacting with the messages. This is the only feasible way of minimizing human risk.
The easiest way to get to your company’s assets is through your employees. When you don’t provide them with continuous practical training, your organization is at immense risk. Attackers know this, and they use it to their advantage. Social engineers exploit human psychology: to push people into making errors, criminals tap into the emotions of their victims, using curiosity, carelessness, urgency, and fear.

One employee’s error could be enough to carry out a successful attack, especially if technical defenses such as two-factor authentication are also missing. According to Kaspersky, careless or uninformed actions by people are the second most likely cause of serious data breaches, right after malware.

This is why it is best to minimize the opportunities for human error. Those opportunities are almost infinite because of the psychology and neuroscience of human behavior. Even when people possess the right knowledge and skills or are aware of the rules, they can still make an error for various reasons: they may be so busy that they don’t think twice about clicking a link, they may make the wrong decision when they are unsure, they may simply ignore the rules, or they may not know enough about how to do the right thing.

Social-engineering attacks are also becoming more sophisticated. Employees may have a false sense of security: they might think that spotting phishing emails is easy and that they won’t fall victim to them. In a recent podcast by Ann Johnson on human risk, Rachel Tobac (SocialProof Security, San Francisco) mentions that there are lazy attacks (which most of us can easily spot), and there are also extremely well-planned attacks that can take up to 100 hours to prepare and execute. Long gone are the days when it was easy to spot every phishing email. Nowadays, employees need to stay alert and think critically to spot a difficult attack.
Teaching people the skills and knowledge to spot something dangerous and take the right action is the most critical thing you can do to minimize the chance of a serious incident.

To successfully influence cybersecurity behavior, you need to change your outlook on training. It must be frequent, practical, engaging, positive, and motivating; it must include social proof; and it must focus on developing a security culture within the organization.
It’s not enough to create awareness and tell people what they should know in order to change their cybersecurity behavior. It’s better to let people learn by practicing. If they fail, it should happen in a safe environment. Frequent practice ensures that employees can learn from their mistakes and do better the next time. This keeps them alert and more critical about their email habits.
Providing training does not mean that employees will want to participate; if it’s compulsory, they may have negative feelings toward it. Training should be engaging and exciting so that people don’t mind spending a few minutes on it every now and then. Make training seamless, integrate it into their workflow, and make it fun if possible.
Motivation can have a serious impact on how people behave, especially when there are goals and rewards. There’s also a strong correlation between motivation and emotions: emotions are necessary to get people’s attention and get them to act. Training that is motivating and leaves people with a positive feeling is more likely to result in positive behavior.
Social proof is when people copy the actions of their peers to decide how to behave in a given situation. This phenomenon works in cybersecurity too. When employees want to take part in the training and share their experiences with each other, it motivates others to participate as well; they won’t want to miss out on what their co-workers are doing.
Training with all the characteristics described above will also help you shape a security culture where people know that security is everyone’s responsibility. Long gone are the days when information security was only the concern of the IT team. Employees who know what dangers they are facing and have had practical training preparing them for real-life attacks can be your most durable line of defense. Additionally, by guarding your company’s assets on a daily basis, they will also end up making more secure decisions in their personal lives when browsing the internet.