We need to remove the negative feelings employees have around cybersecurity. Thankfully, cybersecurity professionals understand this, and many strive for a change. It is the only way forward in protecting our organizations with the help of employees. You can’t engage employees in cybersecurity training if it is not perceived as something positive and meaningful by them. Wouldn’t it be great if your employees willingly participated in your cybersecurity training?
“Negativity” is still a problem in cybersecurity training
Traditionally, the cybersecurity team has been portrayed in a negative light. If you think about it, you can’t blame your employees for that.
Take your average employee and ask them whether they enjoy those 30-minute videos about why cybersecurity is so vital. Ask whether they like reading long documents or intranet pages on cybersecurity rules about what to do, and, especially, on what not to do. Put yourself in their shoes. Would you pay much attention to a topic that doesn’t interest you? I guess you know the answer to that. When the security team requires employees to go through such long and dreadful content when they have many other important things to do, it´s not hard to see why the security team gets a bad reputation.
Say no to the ‘no’ culture
On top of this, we need to change the “no” culture of cybersecurity. In training, we often hear “don’t do this” or “don’t do that”. Imagine someone telling you what not to do all the time. Wouldn’t you get frustrated?
Recently, Petri Kuivala, the former CISO of Nokia and Microsoft and current CISO at NXP, phrased it very well in one of our webinars. He said that you will reach the complete opposite of your desired effect if you say ‘no’ to your children every time. At some point, they will start rebelling, and without a doubt, they will try to test your limits. Your employees aren´t trying to test your limits exactly the same way, but how do you make sure they care enough about security to support your mission?
You need to change people’s attitudes and behavior regarding information security. To do that, a good starting point can be adapting and creating a positive cybersecurity culture in your company. You want to fight attackers, but without your employees on board, you will continue to lose the fight against them.
Bringing positivity to your cybersecurity culture and training
There are numerous articles out there on creating a positive cybersecurity culture. However, they often focus on the security team and forget to centralize the essential role of the employees.
The technical defense is of course the concern of the security team. But, human risk mitigation derives from the employees’ own actions. If you want to create a positive culture, you must involve your employees in your mission.
There are a few steps you can take to create a positive cybersecurity culture in the organization. It all essentially comes down to centralizing your employees. Let’s have a closer look at each one of them.
1. Provide great content and practical training.
It starts by really thinking about what your employees would enjoy, instead of forcing them to go through long and boring cybersecurity content. Could you make the content more interactive? What about letting employees experience first-hand attacks by sending simulated threats?
Get rid of the “no” culture.
Instead of telling employees what not to do, teach them how to take the right action that’s also valuable for your team. Communicate to your employees what actions they can take, and provide them with the necessary tools to do them.
2. Make cybersecurity fun and engaging.
This is a great way to encourage people to start wanting to take part in your cybersecurity training. Plus, your employees will most likely have positive feelings towards the training when it´s fun. It can also help to keep your employees engaged. You don’t want your employees to follow a training once or twice a year, that’s just not sustainable for the future in making a culture shift. You want them to continuously engage with your training, and you want as many employees as possible to participate in the training. The higher the engagement, the more successful your company will be at fending off attacks, and thus, the less time the security team will spend rectifying breaches.
3. Don’t punish employees.
Create a safe space for people where people don’t feel like they get punished in training. Instead, create an environment where employees can learn from their mistakes with positive reinforcement.
Usually, when employees make mistakes in cybersecurity, it’s because the security team hasn’t properly provided the employees with the right training, knowledge, or tools. A blame culture is poisonous, so instead, you should look for long-term training that can help you to tackle your risk better.
4. Reward people for taking the right actions.
People should fail first in a safe environment, and then you will know that they need more practice that’s also adjusted to their level. This way, they will be able to improve their skills and knowledge. You can use this positive approach and microlearning to integrate training into your employees´ workday to improve their skills in spotting dangerous emails. You should aim to mean training meaningful and rewarding for your employees – it can be motivating for them.
5. Simulate attacks.
Simulate threats in order to give employees a real, practical experience – you need to go beyond your traditional awareness training. Theoretical knowledge isn’t enough. When employees receive regular simulated threats, it will stay on the top of their minds, and they will start to grow more suspicious with every potential incoming threat. You’ll see better results in terms of participation and failure rates with frequent real-life practice and short training moments.
6. Communicate the value of training to your employees.
Sending out simulated attacks without notifying your employees is not a good idea. It can make them feel like it’s a test, as if you’re trying to ambush them. Tell your employees why you are sending the attack simulations out and explain how they will teach them to also report real threats. Also communicate how their involvement in training and actively monitoring their emails in real life, will strengthen the entire company´s cyber defences.
7. Gamify your cybersecurity training program.
Creating a positive culture around cybersecurity training with the help of gamification is an approach that some security training companies have adopted over the years. Some employees can be very competitive, and they will be motivated by an approach that rewards them for their participation or performance.
The impact of a positive cybersecurity culture
The benefits of a positive cybersecurity culture are endless. It turns your employees’ discontent for boring cybersecurity exercises into an eagerness to collectively protect your organization from the bad guys.
Positivity can be a facilitator, if used correctly, to engage your employees, and it stimulates them to participate in cybersecurity training. Once you have your employees engaged, you can start sending them more sophisticated simulations. Your goal is for people to start reporting the real threats they receive from attackers. As a result, you will have an additional defense layer next to your existing technical defenses. Your security team will also gain insight into the threats from employee reporting, which allows you to respond more quickly to incoming attack campaigns.
A good training and positive culture mean you can start trusting your employees to make the right decision whenever something suspicious hits their inboxes. Now, let’s start creating a positive cybersecurity culture while keeping in mind that we’re all humans and we can all make mistakes.