According to cybersecurity firm Tessian, 85% of data breaches are in some way attributable to human error, and 43% of people have made mistakes that compromised their organization’s cybersecurity. This is unsurprising. As you well know, people are, and likely always will be, the weakest link in your organization’s cybersecurity chain.
You’ll never be able to rid yourself entirely of the risk they represent. All you can do is attempt to mitigate the damage they can cause. A zero trust approach to access control and network management represents one component of that.
Cybersecurity awareness training represents another.
The reality is that for every highly sophisticated state-sponsored threat actor, there are probably ten hackers who are little more than criminal opportunists. Such criminals thrive on carelessness and ignorance. And the best counter to both of those?
Therein lies the problem, though. Among those businesses that have actually bothered to implement cybersecurity awareness training, most haven’t really thought about the employee experience. They’ve simply spun a few walls of text into a course and called it a day.
The problem is that this kind of training doesn’t bother to engage. It doesn’t explain to employees why they should care about the information they’re being fed, nor does it provide them with any sense of ownership or accountability. It simply presents them with a passive feed of information and expects them to learn.
This does not work. According to a joint survey conducted by vulnerability management firm Kenna Security and training solution provider Epignosis, 61% of employees who received cybersecurity training still failed a basic cybersecurity test. The survey ultimately concluded that the problem was how the training was presented.
As for what organizations should do instead, the two companies had a few suggestions:
- Emphasize how the training is directly connected to an employee’s role and responsibilities.
- Give the opportunity for the employee to engage in hands-on training, putting their acquired knowledge into practice as they train.
- Add features such as gamified quizzes.
- Avoid overusing highly technical language or jargon; keep explanations and descriptions in layperson’s terms whenever possible.
Too often, cybersecurity training appears to be predicated on the assumption that because it’s a serious issue, the training itself must be serious and dry to such an extent that it’s painful. You need to divest yourself of this notion. If you want your business’s cybersecurity awareness training to be truly effective—if you want to truly start taking steps towards a culture of cybersecurity—start finding ways to make it entertaining.
Above all, consider talking to your end users. Find out what they care about, and learn about their interests and hobbies. Not only will you begin to establish a rapport to bridge the conventional gulf between IT and the rest of the organization, but you might also uncover ways to make your awareness training more compelling, and your business’s security posture will be all the better for it.