If the mere mention of “security awareness training” is met with groans, sighs, and eye rolls from your workforce, it’s probably for a good reason. Despite the growing importance of establishing security literacy across organizations, many businesses fail to deliver engaging security training that sticks. More often than not, training is dull, dry, and easy to tune out — which defeats the purpose.
But what exactly are companies doing wrong? And, given the less-than-riveting subject matter, is it possible to make it entertaining? Today, we’re delving into five of the mistakes organizations make with their security awareness training and a few tips for improving your program.
Old-School Style Lectures
Remember the scene in “Ferris Bueller’s Day Off” when the economics teacher drones on and on while his students space out, fall asleep, drool, and stare longingly into the distance? When you base your entire security awareness program on dry, outdated lectures, you’ll elicit the same response. Whether via on-demand video or real-time delivery, traditional lectures don’t cut it. That’s because if employees don’t fully engage with the material, they won’t remember it.
No matter how intense or hard-hitting the facts you share, people need more hands-on experience if they’re going to fully understand how to form better habits online.
Many organizations hold security awareness training just once per year (or less). But this isn’t enough to create lasting change.
According to research from UC San Diego, spaced and distributed practice (i.e., learning that occurs over multiple sessions and at different points in time) is more effective than a single session. Furthermore, employees’ commitment and compliance will likely diminish over time if they’re not regularly reintroduced to the concepts, and any behavior changes your training fosters will likely be short-lived.
If you’ve ever started and eventually abandoned a new fitness regimen, you can probably relate to this phenomenon. While you might be wildly enthusiastic at first, eventually, you become busy and inundated with the day-to-day minutiae of life. As a result, that new habit you were trying so hard to form slowly becomes a nuisance until you drop it altogether.
As a tech leader, you know threats emerge and evolve fast. In fact, about 230,000 new malware samples are produced daily, according to data shared by PurpleSec. And hackers are constantly creating new methods of phishing and social engineering their way into your network — and it’s vital your security awareness training takes these rapid changes into account.
If you’re not helping keep your workforce up-to-date on the newest and most relevant threats they might encounter, how are they supposed to help protect your company?
Failing to Hold Employees Accountable
If you haven’t created a culture of security where everyone participates in preventing hacks and breaches, employees may assume your security team will handle all the problems on their behalf and shield them from inconvenience and responsibility.
Why? Because, for many years, this is exactly how organizations operated. Accidentally click on a phishing link? Get hacked because you used the same weak password for all your accounts? Like the unsung superheroes they are, the security team would rush in to save the day. But now, with cybercrime growing exponentially and companies relying on tech to support all business operations, it’s no longer feasible for the security team or IT department to do it all.
If you want your security awareness training to stick, you need to make sure employees recognize their personal responsibility and understand that, when they make a mistake, it’s up to them to correct it.
Shaming Employees for Making Mistakes
By the same token, though, don’t shame employees for their errors or expect immediate perfection. Sometimes mistakes are beneficial because they can be used as learning experiences — especially if the employee is responsible for cleaning up their own mess. Next time, they’ll think twice before opening a sketchy email, sharing their login credentials, or using their pet’s name as their password.
Additionally, if lots of employees are making the same mistakes, it should be a sign that you need to level up your training — not that your employees are inept.
What to Do Instead
So, how can you create better security awareness training? Here are a few suggestions:
- Use gamification and interactive components
It’s critical you keep things fresh and interactive, and involve employees in their learning.
- Make it an ongoing activity
Education should be ongoing — particularly for those who are lax about security policies and habits. If someone makes a mistake, it’s useful for them to engage in learning immediately.
- Let employees clean up their messes
Actionable threat intelligence is valuable here because it alerts employees when their information was compromised and supports them through the recovery process.
- Ask for feedback
Consider fielding a survey to gauge how your workforce feels about security education within your organization and any suggestions they may have for improving it.
Security awareness training is necessary, but it doesn’t have to be a drag. By avoiding these mistakes, you can create a culture where everyone shares the security burden and mitigates risks together.