Despite the growing number of high-profile data breaches - Equifax being the most recent big victim - cybersecurity awareness still remains a back-burner issue at many organizations.
More often than not, management relegates the topic to an annual training event, one that most employees are all too happy to ignore.
When MediaPro, a company specializing in cybersecurity awareness training, investigated the level of cyber awareness, it found that seven in 10 employees lacked the basic awareness to stop preventable cybersecurity incidents. Its report also judged the average respondent to be dangerously close to making a single mistaken decision that could trigger a security or privacy incident. The risky behaviors it found included working remotely on unsecured public WiFi hotspots (19%), failing to recognize common signs of malware (12%), and engaging in risky social media behavior (20%).
Most companies don’t do more either because they think their investment in IT security infrastructure offers enough of a shield or because they don’t have sufficient funding or C-level backing to engage in formal cybersecurity awareness training. Many also believe that having a security policy employees can reference on occasion is enough of a deterrent.
"There’s an attitude of immunity," according to Kevin Beaver, founder and principal information security consultant at Principle Logic LLC. "Many organizations believe they aren’t targeted or won’t get hit."
It’s up to the organization’s leadership to inculcate cyber awareness early on, starting with the candidates they interview during the hiring process. Then it’s up to them to put the right policies and programs in place to make this second nature.
But while companies have become more rigorous about securing their IT infrastructure in recent years, they haven’t shown the same due diligence in creating awareness programs that reinforce the technology by adequately engaging and informing users about risky cybersecurity behavior, experts say.
"Current cybersecurity awareness training, if it actually exists at all, is inadequate," said Adam Godfrey, a cybersecurity policy consultant. "The majority of approaches are minimalist—maybe an annual refresher course or a PowerPoint presentation that serves to check the box that training technically took place. The reality is they have no purpose beyond that."
Inform and Delight
Standard informational tools like policy documents or training courses simply don’t go far enough in grabbing employees’ attention and providing working knowledge of how to avoid or ward off threats. However, for organizations willing to go beyond traditional tactics, there are new gamification and behavioral awareness techniques that are proving to be more effective tools in combating cybersecurity threats.
Consider phishing attacks, one of the most prevalent attack vectors. Instead of simply talking about the threat or providing background reading material, some organizations now conduct mock phishing scenarios to give employees first-hand experience with what an attack looks and feels like.
Couple the hands-on approach with gamification tactics and a reward system (awarding gift cards or a catered lunch to the winners, for example) and all of a sudden, employees are highly motivated to become cybersecurity subject matter experts, Godfrey says.
"By actively engaging users in this manner, they remain on their toes in anticipation of future attempts," he explains, adding that gamification removes monotony and boredom from the equation. "It encourages participation in something that would otherwise be dry and disengaging. It forces the user to interact with the training rather than mindlessly clicking through it or zoning out until the end of the session."
Making cybersecurity awareness fun—and funny—is another way to break the tedium of traditional training. Leveraging short-form videos, keeping things light, and creating social media content destined to go viral are effective ways to keep employees from tuning out. It also helps to take a campaign approach to getting the message out while conducting awareness training on a continuous basis, notes Tom Pendergast, CTO at MediaPro, which helps companies create cybersecurity awareness programs.
"We’ve been using tactics like advertising and public relations forever to get people to pay attention, although historically we haven’t applied those domains to run security awareness programs," he said. "The more progressive and risk-adverse companies recognize that there’s got to be a year-round program communicating about cyber security in a variety of modalities using humor and getting influential people in the organization involved in the conversation."
Deb Walter, a manager of information security policy, standards, training and awareness for AmerisourceBergen, says her company is taking just that approach. The firm has been maturing its awareness strategy, partnering with MediaPro to create courses for targeted areas of security awareness training and to put a program in place that covers the basics for new hires.
"We do regular, mandatory phishing training on a regular basis and ongoing publishing of security-focused content on our website, among other things," Walter said. She added that the drug wholesale company is making role-based training a priority.
"It’s still early in the maturation process, but we’ve gotten lots of great feedback from employees about the training, particularly since it’s short and interactive," she said. "We’re continuing to focus on keeping it brief and engaging for maximum retention."