By Matt Lindley, CISO at NINJIO
Companies are increasingly discovering that their most effective defense against cyberattacks is the security awareness of their own employees. This is why more and more CISOs and other company leaders are making security awareness training (SAT) a core part of their cybersecurity platform. The vast majority of breaches rely on the manipulation of human beings, so a well-trained workforce can drastically reduce the likelihood of a successful attack.
However, the mere existence of SAT programs at a company isn’t enough to ensure that employees are actually learning how to defend themselves and the company from cyberattacks. The administrators of SAT programs have to make sure that employees are retaining the information they learn, capable of putting it into practice, and ultimately making cyber awareness a habit. This is how companies can establish a culture of cybersecurity – the best long-term protection from cyberattacks of all kinds.
There are several ways companies can build SAT platforms capable of sustainably changing employee behavior. First, training initiatives have to be engaging – if employees tune out, they won’t absorb the information. Second, training has to be consistent and relevant, which is how employees will stay up to date on the latest threats and countermeasures. And third, companies need to track whether their training programs are actually working.
Effective cybersecurity training has become vital
Over the past several years, cybersecurity budgets have been soaring. PwC found that 69 percent of companies are increasing their cybersecurity budgets in 2022, while more than a quarter expect to see increases by double digits. An ISACA report found that 60 percent of professionals in the sector believe their cybersecurity budgets are underfunded, while 69 percent said their cybersecurity teams were understaffed.
More and more companies are recognizing that training should be a significant component of their cybersecurity investments – and some are learning this the hard way. A 2021 report by Keeper found that more than two-thirds of companies which were victims of successful ransomware attacks increased their cybersecurity budgets, and 90 percent said they expanded their training programs – but only after being hacked. After noting that employees are often the weakest link in organizations’ cybersecurity platforms, Accenture summarized the situation like this: “Training employees to think and act with security in mind is the most underfunded activity in cybersecurity budgets.”
According to Verizon, 85 percent of breaches involved a human element. When companies see statistics like this, they can immediately see the importance of cybersecurity training. But this doesn’t mean they know which types of training actually work, or how to determine whether their employees are prepared to identify and prevent cyberattacks.
What are your employees really learning?
Within any company, there are always competing priorities – while the CISO may want to expand SAT programs as much as possible and invest in measures to track their performance, other members of the C-suite may want to direct resources elsewhere.
There’s a significant disconnect between the emphasis companies place on SAT programs and their ability to determine whether those programs are having their intended effect. For example, consider companies’ approach to phishing – the most common type of cyberattack, according to FBI data. The ISACA report cited above found that 71 percent of companies use employee training programs to promote phishing awareness, a higher proportion than any other method (such as email newsletters). However, just 12 percent of companies say they’re “completely confident” in their ability to assess the effectiveness of their phishing awareness programs, while another third say they’re “very confident.”
While these numbers are promising (another 39 percent of companies claim to be “somewhat confident” in their assessments), it’s clear that many organizations need to focus on developing more robust mechanisms for tracking the success of their SAT platforms.
How to build an evidence-based SAT program
There’s all the difference in the world between an SAT program that exists on paper to satisfy consumers and other stakeholders and a program that actually teaches employees how to identify and thwart cyberattacks. Here are a few strategies to help you build a training platform that gives employees the skills they need to keep your company safe:
- Regularly test employees on key cybersecurity skills and concepts. When it comes to measuring the performance of their SAT platforms, testing is one of the most essential tools companies can deploy. To take one of the most prominent examples, phishing tests give companies an accurate picture of how many employees are capable of spotting emails, texts, and other digital communications that contain malware. While 43 percent of companies say they’ve increased the employee report rate on phishing tests, there’s no reason why they can’t get full participation across departments and teams.
Training programs should drive behavioral change with positive reinforcement, such as rewards-based feedback. For example, when employees perform well on phishing tests or report potential incidents, they should be incentivized to continue doing so with recognition and support from managers. The goal is for healthy behavior to become habitual, which makes the user and the organization more secure over the long term.
- Use gamification techniques to engage, teach, and assess employees. One of the central problems cybersecurity professionals face is the difficulty of capturing and holding employees’ attention. Gamification has a proven record of facilitating learning and information retention. A study published in the International Journal of Educational Technology in Higher Education found that a gamified mobile learning app helped students learn: “Retention rates and academic performance increased, and there was a positive correlation between students’ scoring highly on the app and achieving higher academic grades.” Employees’ performance on gamified testing can also give your company a better idea of how well they can deploy what they learn in the real world.
- Reinforce cybersecurity education frequently and consistently. SAT should never come down to a once-per-year PowerPoint or email blast. It’s necessary to constantly reinforce what employees have learned and provide them with information about emerging threats. By maintaining consistent engagement with employees, companies can also continually assess the state of their cybersecurity knowledge and preparedness. Companies have to remember that all employees are responsible for defending the organization and themselves from cyberattacks, which is why cybersecurity should be built into everything they do.
Frequency is integral to behavioral modification. The reinforcement of proactive cyber awareness can lead to sustainable cultural change, but companies have to recognize which forms of reinforcement work and which ones don’t. For example, employees should always be rewarded when they report malicious emails or any other threat – even if they made the mistake of opening a malicious attachment or sharing sensitive information. Companies should never deter responsible behavior.
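The strategies above all depend on measuring something: how many employees click in a phishing test, how many report it, and whether those numbers move between campaigns and across departments. The following is an added illustration, not code from the article or from NINJIO, of how a SAT administrator might compute those metrics from simulation results; the campaign, department and employee values are constructed sample data, and the 50 percent report-rate target is an assumed threshold.

```python
"""Phishing-simulation metrics for an evidence-based SAT program (added example)."""
from collections import defaultdict

# Constructed sample results, one record per employee per simulated campaign:
# (campaign, department, employee, clicked_link, reported_email).
# "reported" is tracked independently of "clicked": an employee who clicks and
# then reports still counts as a report, so reporting is never penalised.
RESULTS = [
    ("2022-Q1", "Finance", "alice", True, False),
    ("2022-Q1", "Finance", "bob", False, True),
    ("2022-Q1", "Finance", "carol", False, False),
    ("2022-Q1", "Sales", "dave", True, True),
    ("2022-Q1", "Sales", "erin", True, False),
    ("2022-Q2", "Finance", "alice", False, True),
    ("2022-Q2", "Finance", "bob", False, True),
    ("2022-Q2", "Finance", "carol", False, True),
    ("2022-Q2", "Sales", "dave", False, True),
    ("2022-Q2", "Sales", "erin", True, False),
]


def campaign_metrics(results):
    """Return {campaign: {department: {"n", "click_rate", "report_rate"}}}."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0, 0]))  # n, clicked, reported
    for campaign, dept, _employee, clicked, reported in results:
        tally = counts[campaign][dept]
        tally[0] += 1
        tally[1] += int(clicked)
        tally[2] += int(reported)
    return {
        camp: {
            dept: {"n": n, "click_rate": round(cl / n, 3), "report_rate": round(rp / n, 3)}
            for dept, (n, cl, rp) in depts.items()
        }
        for camp, depts in counts.items()
    }


def lagging_departments(metrics, campaign, min_report_rate=0.5):
    """Departments whose report rate in `campaign` is below the assumed target."""
    return sorted(d for d, m in metrics[campaign].items() if m["report_rate"] < min_report_rate)


def report_rate_trend(metrics, department, earlier, later):
    """Change in a department's report rate between two campaigns (positive = improving)."""
    return round(metrics[later][department]["report_rate"]
                 - metrics[earlier][department]["report_rate"], 3)


if __name__ == "__main__":
    m = campaign_metrics(RESULTS)
    print(m)
    print("below target in 2022-Q1:", lagging_departments(m, "2022-Q1"))
    print("Finance trend Q1->Q2:", report_rate_trend(m, "Finance", "2022-Q1", "2022-Q2"))
```

Report rate per department, tracked campaign over campaign, is the number that tells you whether reinforcement is working; click rate alone says nothing about whether employees know what to do after a mistake.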
As companies continue to invest in cybersecurity and digital threats keep evolving, it isn’t enough to check the security awareness training box with a few company guidelines and meetings. Cybersecurity has to be integral to all operations and departments, and companies have to know if their training programs are getting the job done.