An entire phishing simulation industry has emerged to combat the dangers of phishing attacks on...
Companies today face a new reality of cyber threats, as attacks multiply and employees are targeted. Security and IT teams cannot protect businesses alone without collaboration from their broader organizations. As cybercriminals expand their reach and effectiveness using AI and automation, attempts to trick employees are rising.
The pandemic accelerated the need for better workplace security skills, with employees working remotely from varying locations on multiple devices. The line between work and personal devices - already eroding at some workplaces prior to the pandemic - largely disappeared at many companies. Additionally, as companies migrate business functions to the cloud, they become vulnerable to web application attacks and data breaches.
Online security and privacy require more skills and resources than ever before. Basic digital security skills can significantly lower the risk of an individual or business falling victim to cybercrime. Employers have an important role to play in protecting their employees, and beyond that, an opportunity to help make modern digital society safer.
What Type of Training do Employees Typically Receive?
The extent and type of employee training varies significantly depending on geography and industry. For organizations that do offer some form of training, the most common is simulated phishing attacks. These mimic phishing emails and are sent out sporadically to measure how employees respond (as well as to create security awareness). Of the companies that run phishing simulations on their employees, the majority do so only about once per year.
Some employees also receive in-person cyber training on their physical systems/environment from IT colleagues at work. Others are directed to learn additional skills in a classroom setting. A smaller but growing subset of workplaces provide digital skills training in an online platform.
Workplace Cybersecurity Training Needs to Evolve
Given the threats we face as well as the opportunities for immersive and interesting digital skills training, the current status quo of cybersecurity training needs to evolve. Some of the key elements of an effective training program include timing, transparency, individuality, and the ability to make mistakes (i.e., not punishing mistakes).
Here are four tips for creating effective and modern workplace cybersecurity awareness training:
1. Timing
Constantly flooding employee inboxes diminishes their effectiveness. Phishing campaigns should be run occasionally and for limited time only. On the other hand, training should not be a once-annual chore to be completed. It should be a resource in employees’ lives, ideally one they can explore when they have time and that is there to help them when they need it. Providing access to a continuous training environment means that employees are not distracted by fake emails when they are focused on other tasks.
2. Transparency
An effective training program should be fully transparent for (and built with input from) employees. They should know a phishing simulation campaign is coming and be offered training if they feel they need it. People learn best through positive reinforcement, not failure. Giving employees training first gives them the chance to succeed.
3. Individuality
Training should be tailored to allow for individual learning paths. People lose interest without the freedom to explore topics that interest them. Employers can still have required/mandatory content, while allowing employees to go beyond that material and choose voluntary training on topics that interest them. Ideally, each individual's learning interactions should be as anonymous as possible to allow free exploration of material without fear of judgment. Organizations can still measure overall employee awareness and security culture without personally identifying every training interaction.
4. No punishment
Perhaps most importantly, training should not be made into a punishment that people get if they fail a phishing test. Too often, employees that fail are forced to take additional training, which further discourages them. In some programs, employees may even be profiled by algorithms and identified as “high risk”, before being placed in remedial training. Such systems run the risk of embarrassing, demotivating, and alienating employees. This ties into the topic of psychological safety. Making mistakes should be encouraged in a training environment, so people can learn from their mistakes and understand how to adapt their online behavior.
Looking Forward
The current scope of employee training, which tends to focus solely on professional topics and assets, does not help employees stay secure in their personal lives. A more holistic approach to security is needed to meet the needs of today's decentralized workplace. Training that helps employees beyond work will also help combat the lack of employee engagement that currently plagues workplace security training. Employers have a significant opportunity to help make their businesses and modern digital society safer. By considering the timing, transparency, individuality, and the learning strategy of their training programs, they can protect their businesses while improving the welfare of their employees and society at large.
