Security Awareness Training: Trick or Treat Your Employees?

Real-life cybersecurity horror stories abound. The Equifax breach threatens most of our identities. The KRACK vulnerability makes the Wi-Fi networks we live on unsafe. Our vulnerable electronic voting systems threaten our democracy.

Breach fatigue is real, not only among consumers, but businesses as well. In fact, most expect breaches to be inevitable. According to a SailPoint survey earlier this year, three out of five companies expect to be breached with 33 percent believing they won’t know they are breached when it happens.

Security Awareness Training

Most risks are created by company employees. The same SailPoint survey found that 55 percent of IT respondents believe one of the key reasons that non-IT departments introduce the most risk is that they often lack the understanding of what actions and behaviors are potentially hazardous.

This has made security awareness training mandatory for companies—something that needs to be done continuously. At Spanning, we’re currently in the midst of a SOC 2 Type II certification audit, which requires us to attest to having conducted security awareness training.

My focus is on taking a different approach in order to make the training as effective as possible. In weighing approaches, the question boils down to whether to train employees by tricking them or by treating them.

As the data points above show, the key challenge is to change employee behavior, which means changing the company culture so people don’t fear cybersecurity practices and really feel like they are doing their jobs in a secure manner every day.

A popular approach has been for companies to trick their own employees. This certainly should be considered, but should be well-balanced with “treating” approaches.

These treats might include:

Visuals. Let’s face it, people get bored with endless text and statistics about social engineering attacks. People also forget stuff. Rather than overburdening people with information, provide powerful visuals that employees will remember. For example, I’ll capture and sanitize an actual social engineering attack in a screenshot to make it really easy to understand.

Transparency. Make sure employees know when training is going to be happening. If you phish or bait them before they understand what it is or means, it can cause employees to fear cybersecurity.

Praise. As opposed to creating more fear about mistakes or bad behavior, you’ll want to praise employees for doing things right rather than admonish them for getting things wrong. Admonishment just leads people to circumvent systems and to stop paying daily attention to their surroundings and to the technical controls on their computers.

This truism can’t be stated enough: Your organization’s cybersecurity is only as strong as the weakest link. Security awareness training is key to ensuring your employees are not that weak link. By carefully thinking through that trick or treat balance and erring on the side of the latter, you’ll find that the effect is a change in culture where employees see training as something that they want to do rather than need to do.

What “treating” approaches have worked for you?

An earlier version of this article first appeared in IT Pro Portal.
