Five mistakes that turn corporate security awareness into a waste of money
More than half of businesses consider their employees to be the weakest link in corporate cybersecurity, as their actions may put company data and systems at risk. That’s why companies invest heavily in educating them on basic IT security skills. In fact, leading analysts predict the security awareness training market will evolve to be worth $10 billion by 2027.
Despite this, some businesses may be skeptical about training staff on cybersecurity. Some may think that people, aware of the potential threats or not, will always make mistakes. Isn’t it a waste of a company’s money to invest in courses that do not generate the desired results?
The true purpose of security awareness training is – surprisingly – not to raise awareness. It should change an employee’s behavior online – not just inform them about the threats and measures.
Based on more than 20 years of researching cyber threats and providing cybersecurity services to eliminate ‘the human factor’ in cybersecurity, we realised that the following five educational pitfalls can make cybersecurity training ineffective.
1. Inefficient format
Corporate learning and development may come in different forms: a lecture by a member of the company, a talk by an external speaker, or a computer-based course. One training course format that suits one business may not necessarily work for another, so companies should choose a format which is proven to be effective for achieving a particular skillset.
In our practice, a tedious lecture is not suitable for a training course aimed at improving employees’ practical cybersecurity skills. An online format lets you combine a range of content (video, text, tests) and add gamification elements that turn a lesson from a boring obligation into something far more engaging. Such interactivity makes a cybersecurity course more attractive to employees. Moreover, an online course allows workers to progress at their own pace and spend more time on especially complicated topics, which is nearly impossible when employees attend traditional lectures.
2. The same qualification for all job roles
There’s a belief that the responsibility of a company’s cybersecurity is everyone’s job, as the actions of each person may affect security. So, the tempting idea for businesses is to introduce security awareness training with the objective of transforming every employee into a cybersecurity pro – and make it obligatory for everybody, for ultimate peace of mind.
Nonetheless, the curriculum that is actually useful for a given employee depends on what systems and information they have access to. Teaching employees things they never deal with (especially at work) is not cost-effective. Simply put, to withstand mass attacks, everyone should know how to identify obviously malicious websites, such as ones that prompt visitors to update software. Personnel with access to sensitive information and business-critical systems should then be given a more advanced course and be able to recognise even personalised fake emails.
3. Information overload
Often, security awareness training is designed to cover all important topics at once. However, this format does little to change behavior, as it is unlikely that all the information will be absorbed. It is believed that humans are able to remember only up to about seven chunks of new information at a time. You may know from your own experience that it is hard to take in lots of facts and rules all at once.
Content is best remembered when it is delivered in bite-sized modules, as it is less likely to blur into one mass of information or fade away. If a short lesson (which won’t consume a lot of precious working time) is devoted to a single topic and offers a reasonable number of takeaways, people are more likely to remember how they should react to a particular threat.
4. Lack of practice and repetition
Sometimes the training has good content, but it is not memorised as it should be simply because of a lack of repetition. Yet repetition is the cornerstone of translating awareness into action.
Security training courses are often taken by uninspired audiences who might listen to instructions but are unmotivated to learn and commit them to memory. Companies should therefore implement courses that make topics easy to remember, emphasising the most critical aspects several times. For example, to highlight the importance of strong passwords, this topic should be reinforced and mentioned several times throughout the course: in lessons about protecting sensitive information, social media, email, etc.
5. Lack of real-life relevance
The way to solve the problem of employees lacking awareness may seem obvious: increase awareness by telling employees the general cybersecurity rules and policies. Unfortunately, this strategy will hardly work when the aim should be to change behavior for the better.
The majority of employees simply do not have a security, or even a general IT, background. They may not understand what they should do if you simply advise them to keep their applications updated and be careful when opening suspicious attachments. To overcome this communication barrier, the learning content should be delivered by simulating situations an employee could actually face, such as working with email or browsing the Internet for a site to download their favorite series.
To be successful, cybersecurity training needs to be conducted in a way that not only covers all the essential topics, but makes them easy to understand and memorise.
For example, one of our clients, Donau Chemie Group, which specialises in the production of various chemical materials, had traditional offline cybersecurity training for its employees. However, it failed to motivate non-IT workers to change their security behavior. Nor was the problem one of unreliable employees. When the company implemented our recommended training, which consists of interactive education and simulation, the situation changed completely. For example, the click rate on links in simulated phishing attacks (phishing is listed among the top three attacks leading to data loss) is now less than two percent.
When employees are forced to spend hours of their time in lengthy training sessions on a topic which is not part of their job responsibilities, it can be difficult to ensure they take the advice on board. However, if the training does not take much time to complete and is easy to understand, it is much more likely to result in fewer mistakes and stronger overall security.
Kaspersky will be focusing on a range of Security Awareness Training programs on its stand (C42) at Digital Transformation EXPO Europe 2019 and is also running a technical workshop on 9th October. The workshop is an interactive simulation of protecting a corporate network. For full details of the workshop please visit https://dt-x.io/europe/en/page/technical-workshop-kaspersky.
To discover more about cybersecurity awareness, register free now for Digital Transformation EXPO Europe!