Mon | Aug 19, 2019 | 12:00 PM PDT

Here's a question you may not have considered in some time (if ever): how do you learn? If you find this to be a broad query with many potential answers, you're not wrong. Different people do learn in different ways and at different paces. But there is (fairly) universal agreement on this point: it’s nearly impossible to learn new skills without regular practice and reinforcement.

Think about how you've learned the skills you now possess. I'm fairly certain that your greatest talents—both work-related and extracurricular—are rooted in knowledge developed over time. Now, think about how difficult it would have been to acquire and apply new skills if you'd had access to only one or two hours of instruction just once or twice a year.

Now… think about how your organization structures your security awareness training program. Is there an assumption that users will "get it"—and by that, I mean that they will develop new skills—based on infrequent instruction? If so, your organization—like many others—is ignoring time-tested education principles when teaching employees cybersecurity skills.

The need for better cyber hygiene is real

It's not uncommon, nor is it totally unwarranted, for organizations to struggle with the idea of pulling workers away from "typical" job functions in order to train them on cybersecurity best practices. Others seek the most expedient—and lowest-cost—path forward. Unfortunately, thought processes like these relegate security awareness training to "nice to have" status—when, in actuality, it needs to be elevated to "need to have" status.

Cybercriminals are on the prowl 24x7, seeking new and ingenious ways to gain direct access to users and fool them into making mistakes that provide inroads to inboxes, data, and networks. Infrequent training cannot prepare the average employee to spot and avoid attacks that come in many forms, via many channels, throughout the year.

It's quickly become critical for users to have a solid grasp of fundamental cybersecurity best practices. Behaviors and decision-making are influencing the safety and security of people and organizations on a daily (if not hourly) basis. Cybersecurity skills have become life skills, and organizations should prioritize this type of training as much as any other topic precisely because of its far-reaching impact.

Time is money… in more ways than one

Security awareness training programs should offer more than broad, high-level education across an organization. InfoSec teams should also choose tools that deliver visibility and agility, which strengthens both threat intelligence and business intelligence. You should seek solutions that allow you to identify employees who are being regularly targeted by attackers, the threats these users are facing, and the vulnerabilities they exhibit—and then deliver focused training that improves user behaviors and helps them become a stronger line of defense.

Budget outlay and employee training minutes aren’t the only factors in the "time is money" equation. Organizations should also consider the benefits that result from a more empowered, knowledgeable user base—benefits that include:

  • Fewer cybersecurity incidents overall
  • Less downtime for employees who fall for attacks
  • Fewer remediation hours spent by InfoSec teams to correct mistakes
  • Better recognition and reporting of incoming threats that evade technical defenses

But to get there, you need to do more than train regularly: you need to train effectively.

Learning science principles drive better results

The idea of learning science is certainly not new, and original research on the topic identified a number of best practices for driving knowledge retention and successfully teaching students new skills. At Proofpoint, we concentrate on the following 10 principles, chosen because of their applicability to adult learning environments, and subsequently proven effective in security awareness training research conducted at Carnegie Mellon University:

  1. Offer conceptual and procedural knowledge
  2. Serve small bites
  3. Reinforce lessons
  4. Train in context
  5. Give immediate feedback
  6. Let them set the pace
  7. Tell a story
  8. Vary the message
  9. Involve your students
  10. Make them think

If you're not familiar with these principles, visit the Proofpoint website to learn more about how they apply to—and drive the success of—cybersecurity education initiatives. And to learn more about the importance of extending security awareness training beyond the inbox, register for the August 28 SecureWorld web conference, "Beyond the Phish: A Snapshot of End-User Behavior."