Cybersecurity efforts have long been focused on the technology element, but companies should be focusing on the human factor as well. That’s because, as threat actors continue to grow in sophistication, they still rely on humans to fall victim to their schemes, especially in the current remote-work environment.
Unfortunately, existing cybersecurity training programs can typically be check-the-box exercises that fail to meaningfully engage employees — resulting in a lack of awareness and education when it comes to cybersecurity vulnerabilities and individuals’ roles in their company’s cybersecurity defenses. In today’s remote work environment, the cybersecurity imperative is more important and multifaceted than ever, and educating and engaging employees is critical.
The following helps answer many questions and provides insights on best practices to help information security and information technology leaders address the human factors in cybersecurity and ultimately create more effective cyber training and awareness programs.
Q: What are the gaps in companies’ employee cybersecurity awareness, training and education programs?
A: For many companies, it depends on where they are on the cybersecurity continuum and also in their cyber journey. Companies that are earlier on in the process are often focused more on the tech and IT side, which are foundational building blocks of a successful cybersecurity strategy. But across the board, companies should invest more in the human element. Organizations with comprehensive cyber education programs do that, because when you look at cyber incidents, breaches, network compromises, malicious insiders or former employees, there’s one common denominator — it’s humans. And several lines of defense are managed and maintained by humans. Yet the focus with many companies is often on the tech and infrastructure.
The challenge too is that existing trainings and education approaches are not always effective. Consider that employees are busy, focused on their day-to-day work, and inundated with trainings from various parts of the organization. Trainings should be more effective, and companies should also do more to influence behaviors and mindsets. It is not enough to tell people what to do; the concepts and behaviors, and the “why,” should be more deeply embedded in this work.
Q: What should companies be doing differently when it comes to cybersecurity trainings and awareness, especially in the remote work environment?
A: A way to effectively influence the human element is to build creative, exciting and engaging programs. They should be compelling and interactive — not just presenting or sharing content. A programmatic approach is effective, rather than one-off trainings, and that starts with knowing what the learning objectives and desired behaviors are, so that all the exercises that follow are designed to meet those objectives and produce those outcomes. The exercises or activities can be computer-based, especially in today’s environment, but still have the feel of in-person trainings.
- Consider lunch ‘n’ learns, with guest speakers and storytelling — stories resonate with people. Stories help people understand an idea or behavior in context, and it’s far more engaging and interesting.
- Tabletop exercises, which bring together specific business groups to discuss different scenarios, are great. Keeping them grouped at the business level, such as C-suite, HR, legal, and so on, rather than more broadly, helps people connect at an individual level. It is more relevant to them and their work, and that’s likely to be more successful. Those conversations should be open, challenging, and engaging. There are also a lot of technology simulations that can be used in those trainings, simulating phishing for instance. Simulations are powerful — the experiential element helps.
- Also consider fireside chats, which facilitate an open and engaging dialogue.
Another key piece of this is ensuring the environment and tone is not punitive — it should be an open learning forum. If it’s punitive or disciplinary, people won’t engage and will feel threatened.
It’s also critical to include a call to action. That way, employees are not only given new information — the organization is asking them to do something. They are empowered to take action, have an impact, and have a specific role and responsibilities. That changes the way employees think about things and how they behave at the keyboard. It also helps to let employees know they can use their learnings to protect their home network as well.
Validation is important — companies need to validate understanding and the effectiveness of the training, and work to continually improve. Cybersecurity is always evolving, so a company’s response, and their training program, should be fluid and dynamic. It should never be one-and-done.
Q: How else can companies build or support better cybersecurity training?
A: A lot of it is cultural. Cybersecurity really needs to be a top-down priority, starting with leadership. In some organizations, leaders support certain levels of controls and cybersecurity procedures for everyone, but then find them cumbersome and tend not to adopt them themselves. That’s something we all have to change and get used to. The tone at the top is really important.
When it comes to cybersecurity, there are several guiding principles that make it more effective: consistency, conformity and pervasiveness.
Making training relatable and relevant goes a long way across the organization, from the C-suite on down. The messages should be tailored — if a training for a retail company uses examples from higher education, it’s less likely to carry the weight and depth of an industry-specific perspective. People want to know what their industry peers are experiencing and what the threat context is, from lost revenue and lost opportunity to lack of trust.
People also need to be aware of the growing sophistication of cyber attackers. Phishing emails are now written in the tone and voice of the person’s boss, so the recipient is more likely to respond and compromise cybersecurity. To combat that, training helps, but also a cybersecurity culture with a willingness to question anything that looks out of the ordinary, to recognize red flags that just don’t look right. In those cases, clicking through an annual training is unlikely to change the outcome — it’s more about cultural and behavior change.
Q: What else is at the top of the cybersecurity training and awareness agenda?
A: Making training more targeted through specific and engaging exercises, focused on real threat and risk scenarios. Companies can identify threats and weaknesses in their environment and address them in strategic, targeted ways — that increases reach and relevance with employees. Often companies are focused on server vulnerability or IT issues — but cybersecurity is much broader than that. A long-running, robust, evolving program that speaks directly to the people of the organization and their challenges makes a difference.