The 3 essential parts of a Security Awareness Program
Everyone has heard the “90% of security breaches are caused by human error” line by this point in their life. I’m not here to debate the validity of that statistic; I’m here on a mission. That mission is to kick that statistic in the teeth and solve the problem (with your help).
At this point, you might expect to hear the silver bullet answer of “you can prevent breaches by instituting a security awareness program.” We can pack up our bags, our Secure Email Gateways are no longer needed, we have solved human error, and we’re good to go. Of course, this is not the case. We have all realized that merely having a security awareness program is not enough. We need effective security awareness programs that get to the heart of the issue.
So what is the heart of the issue? The issue is that we’re all human and make mistakes, but the secret is that we can get excellent at not making certain mistakes: IF we get the right kind of support and motivation.
That right there, folks, that “right kind of support and motivation” is your security awareness program. So buckle up, grab a drink, hold on to your hats, kiss your mother goodbye, wave to your brother (or not, if you don’t like him), and join me on an adventure where we’re going to crush the three essential parts of a security awareness program.
Every security awareness program has two main parts: Assessments and Training. Assessments and training can take many forms (a topic for another day). Still, the goal is that training delivers education to you and assessments verify that the education is sticking, i.e., changing your behavior for the better.
Assessments need to have 3 main qualities:
Firstly, assessments need to be given often and continuously. We can all remember taking huge tests and forgetting most of what we had learned just weeks later. The goal of assessments is to reinforce knowledge, and with that knowledge you will be able to make more informed decisions. We build better habits far more easily through small assessments delivered often than by blitzkrieging the brain with one massive test.
Secondly, assessments need to be relevant to the task at hand. “If you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid” applies here. If you are given a test that you don’t think applies to anything you value, you’re going to think it’s a stupid test.
Now imagine being an employee and receiving mandatory cybersecurity training with no opt-out. Then imagine failing a phishing assessment and being automatically enrolled in additional training that is, you guessed it, also mandatory. Many employees I have talked with tell me stories just like this. They feel they weren’t properly supported to handle the assessments and were set up to fail. When I ask them about the whole process, they say it feels like they’re being punished unfairly, and it’s generally at this point that they disengage from their education.
Everyone needs coaching; employees are no exception. Employees need to feel like they are part of the team and that their cybersecurity education is preparation for the game. When you disconnect the assessment from the end goal, the assessment loses its value because the learner disengages from the process.
Thirdly, the outcome needs to be easily understood.
If the assessment was passed, why did you pass it? If it was failed, which specific part did you get wrong? Telling the learner exactly which part of an assessment they failed is the biggest reason to give the assessment in the first place. Only after understanding why you failed can you begin to change behavior.
Trainings have 4 main qualities, all of which center on how the training is delivered:
Trainings need to be Digestible, Relevant, Engaging, and Delivered Often. Let’s discuss why:
Trainings need to be Digestible for learners. When learners receive training, it needs to be entertaining enough to keep their attention but not so entertaining that the educational value is lost.
Trainings need to be Relevant. Relevant trainings have content that learners feel applies to them personally. Now, I know there is a certain amount of compliance training that we all need to complete for the sake of compliance, but for the most part, the training users receive should translate directly into actions they can take daily.
Trainings need to be Engaging. Trainings in the industry predominantly suffer from being either too entertaining or not entertaining enough. We have all sat through hours-long in-person training events that could put us to sleep. Most of us have also been enrolled in courses that take the entertainment aspect way too far, so the whole process begins to feel like “mandatory enjoyment” instead of an applicable educational process. There’s a sweet spot in the middle where learners can be entertained and learn valuable skills. We should always aim to connect with our learners and engage them in the learning process, but keep in mind that the goal is to foster learning, not to create an atmosphere of mandatory enjoyment.
Trainings need to be Delivered Often. When trainings are delivered often, it is much easier to ensure they are also engaging, relevant, and digestible. Gone are the days (I hope) when we needed to spend hours on a topic at a time. Instead, training should be delivered in succinct lessons as often as it makes sense. For instance, a few monthly lessons of 10 - 15 minutes feel much more manageable than 2 hours twice a year. When trainings are delivered often, they can be shortened, and the topics can be adjusted more frequently to stay digestible for the learner.
You may have thought to yourself earlier: “You said there were 3 essential parts to a security awareness program, but then split it into only two parts; what gives?” Welcome to the most essential piece and the third part: Buy-In.
Buy-in comes from precisely two places: the employees and the decision makers. (I’m assuming your security team is already bought in on a security awareness program.)
Security awareness programs are critical. Great security awareness programs can reduce the risk of a breach and encourage employees to practice excellent cyber hygiene, individually and as a group. Therefore it is imperative that everyone in an organization (and outside it) can see the support from your company’s leadership and follow their lead.
Without the support of the leaders in an organization, it is hard to create a program that makes any meaningful change. Without top-level support, policies may be seen as a hindrance to the company instead of as support mechanisms that create a great cyber culture. Additionally, without the support of the organization’s leaders, it will be hard to fund the program and find the additional time necessary to make it great. A security awareness program that creates positive change will take time, effort, energy, and, you guessed it, a little bit of money as well. If you don’t have the support of your leaders, you will find it hard to fight against the tide for very long.
Most importantly, you need buy-in from the employees. The employees in this equation are the queen on the chessboard. Without their support and buy-in, creating a cybersecurity culture that reduces risk and encourages good cyber hygiene will be impossible.
Let’s go back to what I said earlier: “The issue is that we’re all human and make mistakes, but the secret is that we can get excellent at not making certain mistakes: if we get the right kind of support and motivation.” To provide the right kind of support and motivation to employees, they need to feel brought into the process and part of the solution. Many security awareness programs create an environment that makes employees feel like they are the problem rather than the solution. While the reality is that employees making mistakes is the problem we are trying to solve, we need to empower employees to believe they are also the solution. When employees feel like they are part of the solution, they can become the solution.
If you're interested in learning more about Phin, and how we approach Security Awareness Training, click the link below to sign up for a demo with our CEO Connor Swalm.