You know it and we know it: security awareness training doesn’t have the best reputation. Many employees who are required to undergo security awareness training do so under the direction of human resources or a risk and compliance department within their company. Trainings have long been conducted via static PowerPoint presentations, lecture-based talks, online “tutorials”, and other passive methods that don’t result in the employee retaining much of anything. It merely becomes a box employees check off on their requirements sheet before they move on.
This is not the way cyber security awareness training should be implemented. We know that trainings like this are ineffective at helping employees learn cyber best practices or, more importantly, change their online behavior for the better. The “learning pyramid”, sometimes referred to as the “cone of learning”, developed by the National Training Laboratory, suggests that most learners remember only about 10% of what they read from textbooks, whereas retention improves when gamification is incorporated into training and learning activities. In fact, according to Talent LMS, 89% of employees believe they’d be more productive if their work were more gamified.
Don’t believe us? Take a peek at the recent news headlines and industry reports showing that human error is still a primary contributor to, and cause of, significant company breaches. Employees aren’t empowered with the knowledge of what to look for in suspicious emails or phone calls, resulting in higher cyber risk for organizations.
- Shark Tank’s own Barbara Corcoran recently lost $380,000 in a phishing email scam.
- People are getting scammed by hackers capitalizing on fear of the Coronavirus to steal money and sensitive data, according to Yahoo Finance.
- The 2019 Data Breach Investigations Report (DBIR) highlights that a third of data breaches (34%) involved internal employees.
- CNBC reports “Individuals reported losing almost $153 million to government imposter schemes in 2019, according to the Federal Trade Commission.”
And that’s only a few of many incidents that indicate the need to foster more effective security awareness training to truly change digital behavior.
Pain Points of Traditional Security Awareness Training
- Actually changing behavior—Getting an employee to go through security awareness training is one thing, but actually changing their behavior is a challenge all its own. Training can’t be a ‘one and done’ effort. It must be engaging enough for people to retain what they learned so they can recall it when faced with a cyber threat. To do this, security awareness training must have a ‘what’s in it for me?’ component; otherwise, there’s no incentive for an employee to do the training at all. Teaching elements like scoring, competition, badges, levels, and ‘digital rewards’ help engage employees so they move training off the ‘must do list’ and onto the ‘want to do list.’
- Convincing employees it directly impacts them—If you’ve never been in a car accident, you may be inclined to drive a little faster on the highway, not thinking twice about the repercussions because “an accident will never happen to you.” Wrong. Just because your company may not have been breached (yet) doesn’t mean you can skip security awareness training. Unfortunately, the daily onslaught of company breaches making news headlines indicates that the ‘we don’t need security awareness training’ thinking is not only outdated but will leave your organization more vulnerable to an attack. Everyone needs security awareness training if they do any kind of work on an electronic device (whether a computer, phone, internet-connected system, etc.).
- Perceived protection from technology—It’s quite common to presume that today’s technology has ‘built-in’ security to protect against hackers, and while some devices do offer limited protection, it’s not enough. As fast as technology is advancing, there’s always a gap in security waiting to be exploited. Spam filters, antivirus software, and firewalls are great, but hackers know the easiest way to get at sensitive data and cause disruption is by going through people first. A multi-layered security strategy that places people at the forefront of defense is critical to hardening your posture from all angles.
Empower Employees with Fun Security Awareness Learning
Just because the industry has typically conducted security awareness training in a passive manner in the past doesn’t mean it works—and it certainly doesn’t mean that we have to keep doing it. So let’s flip the script on security awareness training, shall we?
We recently debuted inCyt, a security awareness learning tool, at RSA this year. It is an evolving solution designed for non-technical employees to learn cyber foundations and improve online workplace practices. In it, we dare to have fun with security awareness training by simplifying and gamifying the complexity of cyber. We expand the understanding of the threat landscape for non-technical employees who work on business systems by introducing basic concepts through the mind of a hacker. Then the player is encouraged to demonstrate their learned knowledge in a “final” lesson where they defend their digital assets from a bot hacker. Games are designed around the cyber attack sequence that outlines the structure of an online threat.
Players with limited cyber knowledge learn basic concepts through cyber-themed battles against a bot attacker, and the learning becomes ‘sticky’ because the information is retained when it’s engaging. Colorful characters, friendly competition, and relevant cyber examples improve security awareness aptitude.
inCyt currently teaches the following security foundations, with more on the way!
Phishing & Email Security
- Understand what phishing is.
- Understand the impacts of phishing.
- Identify common indicators of phishing attempts.
- Identify appropriate countermeasures related to phishing.
- Understand the risks associated with public internet.
- Identify proper safety precautions when online shopping.
- Understand the impact of what and when you post online.
- Understand the importance of strong passwords.
- Identify best practices when creating passwords.
- Understand multi-factor authentication.
Future game topics and themes will include: Social Media, Least Privilege, Remote Work / Bring Your Own Device (BYOD), Computer & Software Updates, Response to Potential Attack, Data Value, Preservation & Recovery.
So what do you think? Is it time to change up your security awareness training approach? Perhaps try something new to strengthen the most vulnerable element of your organization’s attack surface: your people.
Schedule a demo of inCyt today to learn more.