In 2020, as in the year now ending, layered security
infrastructure will be your first
line of defense against an ever-growing array of malevolent cyberthreats. The second is a motivated, threat-aware
workforce, properly trained to identify, report and avoid falling prey to alluring
but malicious content.
Robust security awareness training is the obvious way to
achieve the latter. But there’s just one problem: a disturbing lack of interest
in training among non-IT personnel, a fact borne out in a recent Osterman
Research survey commissioned by KnowBe4. “It’s not surprising that senior IT
management are overwhelmingly enthusiastic [about it],” the survey says.
“Making users more aware can reduce the number of threats they must detect and
Results also show that (non-IT) business managers are
unenthusiastic about security awareness training, perceiving it as a giant
productivity time-sink for already busy staff. Regular employees most dislike
the idea of training, with just one in eight employees saying they’re
‘enthusiastic’ about it. Nearly 40% said they were either neutral or somewhat
opposed to the training they currently receive. Reasons cited for this
lack of interest include: dull, boring, irrelevant curricula; overly long sessions;
and instructors’ failure to link awareness training to fewer infections. The
lack of participation incentives and rewards for changed behavior was also
listed. To help companies overcome this apathy and engage employees, survey
sponsors offer these (and many other) best practices, which you’re encouraged
to discuss in more detail with your IT Managed Services Provider (MSP).
1) Establish a baseline. Get the ‘before’ picture
of companywide security awareness before implementing any new program. It will
help you gauge the effectiveness of your efforts.
2) Focus on changing behavior.
Awareness training is fundamentally about behavior modification. Results
come, for example, when you show people why they should share less information
in online channels, or be more skeptical about suspicious-looking emails.
3) Make training fun.
Or at least enjoyable.
Otherwise, employees will quickly tune out and your investment in improving
security will be lost. Some of the more innovative and effective methods in use
today include: gamification, such as a scavenger hunt or Jeopardy-like trivia
game (complete with rewards, recognition and prizes); bringing in a well-known
or unexpected guest speaker, such as a local hero or celebrity, or even your
company CEO. To educate its own employees,
awareness-training provider KnowBe4 has invited Kevin Mitnick, who was once
known as ‘the world’s most wanted hacker.’
4) Don’t punish mistakes. Whether a lapse occurs during training or on the job, “If
employees are not free to make mistakes and share their experience openly with
security teams and peers, they won’t participate in the process,” Osterman
researchers caution. Of course, repeated offenses require additional training
or other action. But punishment, if meted out at all, should be a last resort.
Does the New Year call for renewed security awareness in your company? If so,
contact TeamLogic IT today.