How to Build an Effective Cyber Security Employee Awareness Program

According to the 2017 Cyberthreat Defense Report by CyberEdge Group, a lack of security awareness among employees is “the greatest inhibitor to defending against cyber threats.” A recent Verizon report found that in 60 percent of breach cases, attackers were able to compromise an organization within minutes. As businesses navigate a growing landscape of cyber threats, coaching appropriate employee behaviour will continue to be a critical risk management measure.

With the proper education and awareness training, employees can be deployed as the best defense against cyber attacks. The current approach to training requires an overhaul to deal with today’s new wave of attacks.

Taking a Non-Traditional Approach to Training

Workplace security training traditionally involves mandating employees complete learning modules complete with testing that involves answering multiple-choice questions. The training reinforced through executive communications and reminders any time a breach occurs.

For employees pressured to achieve higher results with fewer resources, security training becomes both burden and a distraction. Although the training content may be comprehensive and include all the necessary instructions to put a strong security policy in place, the messages aren’t resonating with the people who need to enact them. Instead security fatigue may be leading employees to push the information aside, dismissing threats as an “IT problem.”

Make It Personal

While the modern workplace has become focused on digital assets and connectivity, many employees have developed digital workarounds which are contributing to the problem. Even millennials, who were raised in the digital world and are aware of the need for strong cyber security habits, are not immune to taking shortcuts at the expense of proper protocols.

Introducing awareness programs that relate their security practices in the workplaces to a benefit in their personal lives may be an effective way to increase employee engagement and compliance. Demonstrating how creating strong, secure passwords or avoiding unsolicited links can protect their personal assets can transform how employees view policies they may have dismissed as unimportant or overly cautious.

Make Training Engaging

Although the content of the training modules are professionally developed, the information and delivery may not be engaging. Employees may walk away without absorbing enough knowledge to know how to recognize and avoid a security breach. Instead, companies must look for ways to increase engagement by integrating security awareness into the company’s culture.

One approach to increasing security awareness involves running a phishing exercise to reveal how many employees would click on malicious link sent by email. When the results are reported back to employees, they have a tangible example of how their actions are linked to a potential security breach. The exercise should be followed by a comprehensive and engaging awareness campaign. The expectation is that when the phishing exercise is repeated, the results should show a significant improvement.

Encourage Rather Than Penalize

Another unfortunate traditional approach to security training involves penalizing employees with threats of discipline or dismissal for security breaches. While this approach is intended to discourage malicious intentions, it may unintentionally deliver a message that mistakes will not be tolerated.

By most estimates, only 20 percent of employee-at-fault security breaches occur due to malice on the part of the offending employee. The vast majority of security issues happen because of a lack of attention or awareness. With the threat of discipline or dismissal looming in their minds, employees may be hesitant to report security breaches.

When IT and security departments react to reports with encouragement rather than interrogations, employees become part of the solution. The benefits are two-fold. Security has the information they need to identify a breach and fix the problem. The employee is more likely to notify IT or security if they suspect a problem.

Changing the Way of Doing Business

Traditional approaches to cyber security have shifted substantially as old controls such as firewalls, anti-virus software, and security patches are no longer sufficient in and of themselves to keep organizations safe from attack. Employee education and training needs to evolve to provide the right level awareness in a format and with content that can help employees become partners in cyber security.