Humans are often seen as the first line of defence in the cyber security posture of organisations today. By offering security awareness training programmes, businesses can educate their employees about a range of growing cyber security risks and what to do if they notice one.
With cyber criminals increasingly targeting businesses and their employees, security awareness training is more important than ever. But despite this, users often pay little attention to cyber training and end up putting their organisation’s security at risk as a consequence. So, how can security teams get employees to take training seriously?
Developing a security culture
Getting staff to understand the importance of security training for themselves and the entire organisation is a major challenge currently faced by employers, according to Immersive Labs application security lead Sean Wright.
“Security training is a really difficult one to tackle. It often already has a negative connotation associated with it – those pesky security people again – so trying to convince employees that this training is important not just for the organisation, but also helpful for themselves, is a challenge,” says Wright.
He argues that a culture shift is needed to solve this problem. “How we get employees to start taking training seriously is a shift in culture, in that a security culture is developed within the organisation. This will help employees get onboard with security-related efforts such as training,” he adds.
To develop a security culture and ensure all employees take cyber awareness training seriously, Wright believes many issues must be addressed first. “Remove the ‘no’ stigma. We need to change the perception that we are a roadblock and that, equally, security is a roadblock,” he says.
“We need to focus and highlight the positives of dealing with security correctly, such as better reputations with customers, less chance of a breach and loss of customers, for example.
“They need to understand why they need to do something and have it explained to them in terms and language which they understand – remove as much of the technical jargon as possible.”
Wright says that organisations must also change the mindset that “security is not my problem” and make it clear that every employee must play their part in improving security across the organisation. “Help employees understand that they all have a role to play, explaining why and what the risks are if they don’t,” he says.
Employers should also allocate appropriate time for employees to carry out their security training and ensure it isn’t crammed in one go, says Wright. “They will likely just want to rush through it rather than absorb the information from it. Make sure that you get feedback, find out the things which they don’t like, but also importantly what they like,” he adds.
“Try to implement changes which help to address some of the negative feedback or suggestions made. It shows employees also have a voice in the matter and will help drive it to better suit their needs. It also helps with their relationship with the security team, avoiding that ‘no’ mantra and perception.”
Another motivation for employees to take part in security training is that it’ll look good on their resume. Wright adds: “Another positive spin is – especially if they use online services – they could possibly include this on their CVs, so this is as much a benefit to themselves. They also can increase their own security knowledge and awareness for their personal lives. To me, this is a great added advantage.”
Transforming security training
Security training has long been seen as irritating by companies and their employees, according to ESET security specialist Jake Moore. “It continues to cause friction between departments with aim often taken at HR for orchestrating it. Making training compulsory is unfortunately a necessary evil,” he says.
But he says security training can be extremely valuable and save money for the company in the long run if it’s delivered well. “Being innovative or creative can be tricky in an often mundane subject, but it can be offered in colourful ways that don’t impact on people’s daily routine,” he says.
“Making it interesting can help with attentiveness to standard attacks such as phishing emails and can help people to slow down and question social engineering techniques often used by threat actors when attempting to gain information or even entry.”
Moore warns that forcing tests to chastise those with poor scores can have a negative effect on staff and must be avoided at all costs. Instead, organisations should reward employees for succeeding in their security training.
“Incentives or prizes for winning scores can help to make staff read through modules and raise awareness, which in turn helps create a strong awareness and savvy culture,” he says. “The key, however, is to make training modules short, interesting and effective, peppered with real-life stories which will help raise the understanding behind the education.”
A security awareness programme should be an ongoing effort and not a one-off event, says UK Cyber Security Association CEO and founder Lisa Ventura. “Rolling out the same training to your end users year after year is ineffective. Constantly reviewing and updating your cyber security awareness training programme is the key to it being successful,” she adds.
Another good idea is to add security training to the onboarding process so that new employees are aware of different cyber risks and how to respond to them, according to Ventura. “This will help to create a security-conscious culture from the start, and making the training mandatory rather than optional is crucial,” she adds.
Ventura believes that the most successful security awareness programmes are personal. “Hackers don’t just attack organisations, they target individuals, and often use email, social media and other methods to hack into corporate systems. Employees will be more likely to engage with it if they can see how much it will affect their lives both from a personal and a work or corporate perspective,” she says.
Security training is paramount
With cyber risks increasing rapidly, security training is fundamental in every company and organisation. Josh Douglas, vice-president of product at Mimecast, says: “The threats that organisations face are growing in number significantly, making cyber security awareness training more important than ever.
“Remote working in particular has created many challenges, with employers losing visibility into employee behaviour, creating added risk. This is a massive concern, with Mimecast research finding that 70% of IT leaders believe that bad employee behaviours, such as poor password hygiene, put companies at risk. This problem can be tackled head on with cyber awareness training.”
His view is that business leaders should ensure security training programmes empower employees to protect their organisation. “Organisations can drive this empowerment through a solid programme that is more engaging, uses humour and keeps points concise,” he says.
“To drive that empowerment further, feedback should always be captured from employees and utilised to cater the training best to their needs,” says Douglas.
Mimecast’s own analysis suggests that employees who receive regular awareness training are 5.2 times less likely to click on risky links than those without, while the firm’s recent State of email security report shows only 19% of organisations currently provide ongoing cyber awareness training.
The only way businesses can educate employees about security risks and their role in protecting the entire organisation is by providing regular cyber awareness training, says Douglas.
“As remote working becomes the new norm, the knowledge such training provides will be crucial in building the resilience of organisations and ensuring employees can successfully work from home for the long term,” he adds.
Making security training fun
Laurence Pitt, global security strategist at Juniper Networks, says security training is often dull, corporate and unrewarding. “Employees may find ways to give the minimum attention possible – watching videos at double speed, multitasking and guessing answers, or hoping the mandate will go away if ignored,” he says.
He argues that something must change and that the answer lies in gamification. “Create custom activities that give a different experience based on responses to questions. Several different routes through an exercise make it more fun. Limit any single security game to 10 minutes – something that fits into a coffee break,” says Pitt.
“Make the training fun. Humans learn better from positive rewards than negative experiences. An additional benefit is that people share something they enjoy, and so may pass on awareness tips to colleagues, family and friends.
“Give virtual badges for completion of training, perhaps create a scorecard based on how quickly employees complete their training once assigned. Avoid rewarding right answers or time to complete the task.”
Pitt says combining these ideas could create a fun and rewarding employee experience from security awareness training. “This will require investment, but organisations such as The Infosec Institute have already started to gamify training ideas and may be able to assist,” he adds.
“Investment in security will not be a cheap exercise, but will undoubtedly be more affordable than the damage caused by a ransomware attack or accidental data breach. Making training an activity that employees want, rather than have to complete, can only be a positive in helping to strengthen your security posture.”
Today, businesses face a range of cyber security risks, and the rise of remote working in the past year has only exacerbated them. The most effective way to mitigate corporate cyber security risks is to make staff aware of them through training. But unless that training is engaging and interesting, many employees will continue to pay it no attention and will go on to fall victim to cyber attacks.