At a time when global cyber threats, customer data breaches and the potential for reputational damage have never been greater, it’s of vital importance that business leaders and employees value cybersecurity best practice within their organisations.
But rather than engaging and educating employees, traditional, outdated cybersecurity training appears to be inciting lax security standards and resistance to behavioural change.
In the current COVID-19 business conditions, with many employees working remotely indefinitely, the last thing businesses need is a security breach.
Mimecast’s Don’t Just Educate: Create Cybersafe Behaviour survey, conducted by Forrester Consulting during January and February this year as the critical COVID-19 climate was coming into force around the world, found that while managers thought they had the right training in place to foster safe cyber behaviour, their employees were actually switching off from learning good cyber practices.
Unfortunately, it seems this resistant mindset is starting at the top. Almost half of business leadership teams (45%) believe that security impedes their workforce productivity.
Lack of buy-in from executives was cited as one of the top barriers (by 50% of respondents) to the rollout of security awareness training initiatives.
This in turn generates a general lack of understanding of security issues (53%), failure to see the value in mandatory security training (51%) and regular flouting of security policies (31%) among employees.
So, how do we fix this?
To get security awareness training to stick in their employees’ minds, decision makers need to take some cues from modern advertising methods.
Make it funny and make it a game
Engage participants by employing humour and alternative content types like gamification.
The need for humour in awareness training was heavily backed by findings in the Forrester survey. Asked what they would change in their training over the next 12 months, 82% of employees responded that they wanted humour in the content.
Make the courses shorter but more frequent
This increases retention and engagement.
As opposed to the delivery of traditional training, employees want shorter programs that occur regularly throughout the year and they want to be able to pick and mix the delivery of courses with content presented on mobiles and PCs as well as in-person.
When asked in the survey how long they remembered training content, 41% said they were likely to remember content from gamification exercises and were likely to discuss that content with co-workers for an extended period of time.
Focus on developing security champions rather than security practitioners
Most employees (69%) follow security policies and practices picked up from security awareness training, but getting employees to take the next step and become security advocates is harder.
In the survey, only a minority (31%) were inspired to transmit what they had learned to other stakeholders such as colleagues, friends, and family.
Innovative programs that turn employees from security practitioners into security advocates will help deliver long-term cyber resilience.
And most importantly, practice what you preach. The importance of cybersecurity best practice must be driven by organisational leaders to set the tone for long-term behavioural change.
Security awareness education is crucial, not some productivity speed bump that gets in the way of making this quarter’s numbers. Employees who take cyber seriously may well prevent massive business damage in the future.
Remember there is much more to building a cyber resilient culture than just ticking off a compliance checklist. The process requires time, effort, behavioural smarts and measurement of results.
Preconceived notions of Security Awareness Training (SAT) programs should be dumped.
As in all communications, content is king, and conducting bold, bite-sized and regular security awareness modules that leverage humour and gamification will cut through to busy employees who may have been rendered complacent by monolithic SAT programs in the past.
Once an organisation’s cyber awareness material has been rejuvenated and deployed, start measuring its effect on behaviour and cultural change. Use the metrics and employee feedback to assess the success of your SAT program and adjust if necessary.
What happens around cyber awareness at work can light up discussion around security topics in the broader network and help elevate organisations and their employees to security leaders.
Despite the challenges brought to light in this survey, 67% of respondents plan to expand or upgrade their firms’ current awareness training programs in the next 12 months either by training more employees or investing in additional activities.
This is reassuring intent, but the time and expense could be wasted if there isn’t a sea change in SAT delivery.
We strongly encourage those rolling out training programs to explore alternative content types, provide different methods of delivery based on employee preferences, and extend training outside the workplace.
Nick Lennon is ANZ Country Manager for cybersecurity and resilience company Mimecast, which takes on cyber disruption for its tens of thousands of customers around the globe. Mimecast helps protect large and small organisations from malicious activity, human error and technology failure, and leads the movement toward building a more resilient world.