If you visit the website of the Ponemon Institute -- an independent agency that conducts research on privacy, data protection, and information security policies -- you don't need to go any further than the home page to uncover data points that highlight the need for effective security awareness training:
- 45% of senior executives surveyed say their company experiences cyber attacks hourly or daily
- 90% of healthcare organizations surveyed had one or more data breaches in the past two years
- 60% of employees circumvent security features on their mobile devices, and 48% of employees disable their employer-required security settings
- The U.S. per-record cost of a data breach averages $201
- The cost of cyber crime for German organizations is more than 6.1 million Euros a year
- The annual cost of cyber crime for UK organizations is 3.56 million GBP
Add these figures to a fact that requires no research to confirm: Each employee in your organization is a potential penetration point for your network, your systems, and your data. Whether a breach is physical or electronic, accidental or intentional, major or minor... it's still a breach. Sure, you could fire all your employees. But why not change behaviors instead?
For Long-Term Success, Embrace the 'And'
"Security awareness and training" may be a single phrase as far as SEO keywords are concerned, but in terms of effecting true change within organizations, the 'and' often marks the critical difference between successful programs and those that generate less-than-stellar results. If you want to change behaviors and reduce risks, making employees aware that threats exist is only part of the equation. You must also teach them how to recognize the threats and respond accordingly to keep data and systems secure.
As you evaluate the awareness and training platforms, software, and services available to you, consider your end game: Are you seeking to simply check a box or do you want more from your efforts? How would your organization define a "successful program"? How would you gauge that success?
If you're completely sold on a once-a-year, massive-brain-dump approach to awareness and training, there's probably not much I can say to change your mind. (Though I surely couldn't resist a "Seriously?!") But if you're taking a more progressive stance, consider the following points, which I believe to be the hallmarks of a thoughtful, integrated approach to employee cybersecurity education:
1. Take opportunities to assess susceptibility
Simulated attacks and knowledge assessments are great tools for helping you determine your organization's level of risk. But these exercises should be about more than penetration testing; they should also motivate and teach. Instead of shaming employees who reveal vulnerabilities, use these opportunities to provide insights and guidance about how to make better choices in the future.
This in-the-moment training is critical to long-term retention. As Art Gilliland, General Manager of Enterprise Security Products at HP, told Kathryn Dill of Forbes Magazine, taking advantage of a teachable moment directly following an action is more effective than a general conversation later. "Educate at that moment," said Gilliland. "It can be private, but it's very powerful at the time of failure."
2. Opt for digestible, interactive education
Using in-depth education as a follow-on to mock phishing attacks and other vulnerability assessments gives your staff a wider understanding of the potential risks faced in the workplace (and beyond). But not all education methods will be equally well received -- and retained -- by your employees.
If you opt for interactive training, employees can connect the dots between actions and consequences, which helps them more readily understand how important their actions are to the safety and security of your organization's people, places, and things. Consider these findings from EMA's Security Awareness Training: It's Not Just for Compliance:
- Presentations and lectures or online videos and slide shows are generally only 20% effective in aiding retention of material
- Trainees often multi-task with work or entertainment during non-interactive training sessions, which further impedes retention
And what of digestibility? Consider the annual or biannual, you've-been-here-four-hours cybersecurity smorgasbord approach. Do you think it's reasonable to expect people to parse out the finer points of an all-encompassing video or PowerPoint presentation -- and then retain and recall those points when appropriate over the course of six or twelve months? I say no (and I think your employees would agree). Bite-sized, interactive sessions are easier to process, more pleasing to the palate, and more likely to receive favorable reviews.
3. Ensure you can measure progress and results
Sure, there are plenty of good things to say about intangibles. But when it comes time to meet with the Board, tangibles are pretty nice to have. As you move through the process of assessing and educating your employees, it's important to analyze effectiveness.
If you have the ability to measure knowledge levels, reduced vulnerabilities, and continuing areas of susceptibility, you can better judge where your organization's weaknesses are and which employees are likely to benefit from additional training. Measurement also allows you to course correct where necessary and make the most of your efforts.
4. Reinforce key messages - and keep it going
Not to harp on the occasional trainers (too much), but does it really make sense to train employees only once or twice a year when hackers and social engineers are on the job 24/7? To borrow from the EMA study again:
Providing training at quarterly or longer intervals is too infrequent to reinforce the training knowledge and does not meet any sort of recommended educational standards to maintain retention.
Hackers and scammers are relentless, and their approaches are bound to become more varied and more sophisticated. This is why it's critical to continually educate and encourage employees about best practices.
Keeping security top-of-mind year-round -- using positive reinforcement techniques -- will help you create a culture of security in which good cyber hygiene is encouraged and exhibited as a normal course of operation rather than as an infrequent inconvenience.