As a security professional, you know the massive amount of budget you spend on firewalls, antivirus, and other preventive tech can only reduce your risk so much. At the end of the day, your workforce is your greatest defense against intruders — or your greatest weakness.
According to 2020 data from the Ponemon Institute, employee negligence causes about 62% of security incidents, and each incident costs companies an average of $307,111.
What’s the difference between employees who help protect your organization from threats and those who create more risk? Education and awareness.
But it’s not enough to simply have a security awareness program — you have to have a program designed to drive positive results.
Today, we’re covering a few ways you can build a program that expands workforce cybersecurity expertise and helps bolster your protection against hackers.
One of the biggest problems with security awareness training is that it’s usually incredibly boring. And, often, there’s an assumption that anything related to cybersecurity and compliance has to be dry and serious. But while the gross financial damage and the livelihoods ruined by cybercrime are no laughing matter, that doesn’t mean you can’t get creative and have fun with your security awareness program.
Consider infusing humor and storytelling into your training to keep people engaged and invested. It’s also helpful to gamify the experience. For example, you can divide departments into teams and pit teams against each other. Whoever can go the longest without an incident can win a prize, like an extra day of paid time off or a company-sponsored team outing.
By rewarding engagement and compliance, you can foster better behaviors. And there’s nothing wrong with tapping into people’s natural competitiveness to achieve your goals.
Take a Cue from Marketers
If anyone knows how to get people invested in something, it’s marketers. Their entire job revolves around hooking prospects in and keeping them engaged through the buyer’s journey until they’re ready to buy. And as any great marketer will tell you, this has nothing to do with luck and everything to do with psychology.
One tactic marketers often use is called the self-reference effect. In short, people are more likely to remember and become interested in something if it’s highly relevant to them. You’ll often see this in dynamic advertising, where brands target people with products similar to items they’ve purchased in the past. Additionally, studies have shown people are more receptive to ads that feature people who look like them.
How can you use the self-reference effect to drive engagement in your security awareness program? Make it relevant. Discuss how a hack or breach would impact employees directly, and center training around the real weaknesses and common mistakes seen within your own organization.
Use Active Instead of Passive Learning
There are two types of learning techniques: active and passive. Active learning refers to a learning process where people are directly engaged, i.e., “learning by doing.” Passive learning refers to a process where people are provided information and are responsible for integrating it, such as listening to a lecture.
While many people are accustomed to traditional passive learning, a study published in the Proceedings of the National Academy of Sciences found people learn more when they’re taught through active-learning strategies.
But that’s not to say lectures don’t work – only that engagement is critical to learning. People need to be involved in the learning process, which is why it’s a good idea to give employees actionable, specific feedback that lets them fix their own mistakes. By recognizing exactly how their weak password puts them (and the company) at risk and actively working to create a more secure one, they’ll learn much more than if they simply watched a video about setting secure passwords.
And, as we’ve touched on before, regularly revisiting information is more effective than being told something once – and generally produces better memory recall. By creating multiple “bite-sized” sessions chock-full of engaging material, you’ll help set your workforce up for success in helping prevent cybercrime.
As we move forward into a future with likely even more cybercrime, it’s no longer enough to have a team of security experts addressing threats and fighting off hackers. Today, you need to transform your workforce into an anti-cybercrime army. Cybersecurity literacy is essential to creating a safe, low-risk organization, and an effective security awareness program can help you get there.