In 2020, just as this year, layered security infrastructure will be your first line of defense against an ever-growing array of malevolent cyberthreats. The second is a motivated, threat-aware workforce, duly trained to identify, report and avoid falling prey to alluring but malicious content.
Robust security awareness training is the obvious way to achieve the latter. But there’s just one problem: a disturbing lack of interest in training among non-IT personnel, a fact borne out in a recent Osterman Research survey commissioned by KnowBe4. “It’s not surprising that senior IT management are overwhelmingly enthusiastic [about it],” the survey says. “Making users more aware can reduce the number of threats they must detect and remediate.”
Results also show that (non-IT) business managers are unenthusiastic about security awareness training, perceiving it as a giant productivity time-sink for already busy staff. Regular employees most dislike the idea of training, with just one in eight employees saying they’re ‘enthusiastic’ about it. Nearly 40% said they were either neutral or somewhat opposed to the training they currently receive. Reasons noted for such disinterest include: dull, boring, irrelevant curricula; overly long sessions; and instructors’ failure to link awareness training to fewer infections. The lack of participation incentives and rewards for changed behavior was also listed. To help companies overcome this apathy and engage employees, survey sponsors offer these (and many other) best practices, which you’re encouraged to discuss in more detail with your IT Managed Services Provider (MSP).
1) Establish a baseline. Get the ‘before’ picture of companywide security awareness before implementing any new program. It will help you gauge the effectiveness of your efforts.
2) Focus on changing behavior. Awareness training is fundamentally about behavior modification. Results come, for example, when you show people why they should share less information in online channels, or be more skeptical about suspicious-looking emails.
3) Make training fun. Or at least enjoyable. Otherwise, employees will quickly tune out and your investment in improving security will be lost. Some of the more innovative and effective methods in use today include: gamification, such as a scavenger hunt or Jeopardy-like trivia game (complete with rewards, recognition and prizes); bringing in a well-known or unexpected guest speaker, such as a local hero or celebrity, or even your company CEO. To educate its own employees, awareness-training provider KnowBe4 has invited Kevin Mitnick, who was once known as ‘the world’s most wanted hacker.’
4) Don’t punish mistakes. Whether a lapse occurs during training or on the job, “If employees are not free to make mistakes and share their experience openly with security teams and peers, they won’t participate in the process,” Osterman researchers caution. Of course, repeated offenses require additional training or other action. But punishment, if meted out at all, should be a last resort.
Does the New Year call for renewed security awareness in your company? If so, contact TeamLogic IT today.