Failure has always been baked into the DNA of most successful cybersecurity awareness training programs.
If we consider how these programs are usually administered, it typically requires employees to sit through hours of drill videos that resemble yesterday’s worst PowerPoints. Once these videos are completed, employees are required to rapidly plough through large numbers of modules in order to achieve compulsory compliance.
While compliance is important, successful programs need to be more than just a ‘check-in-the-box’. Compliance needs to align with a business’s values, enterprise security, and employees’ personal motivations – and too often those connections are not made. As a result, it leaves many employees unmotivated to retain any information that was shared with them during training, let alone be proactively aware of any attempts of a cyberattack.
In many organisations, there's little follow-up after an employee's first exposure to cybersecurity awareness training. At best, employers might get a refresher of the same material the following year. This approach almost guarantees a program will fail.
Enterprise can achieve better cybersecurity hygiene by using short, persistent bursts of cybersecurity awareness training instead. This approach ensures employees are likely to stay focused and remember the training information. After all, researchers have previously attested that the human brain is limited in its ability to pay attention for a long period of time.
However, that’s not to say short microlearning cybersecurity modules can be irrelevant and easily forgettable, too. Training doesn't necessarily work because it's quick and easily digestible. It also requires fun, appealing, and relatable components.
For instance, businesses can use the opportunity to bring personal security into the conversation. This way people can think about good cyber hygiene both at home and in the workplace to ensure they remain vigilant about cybersecurity.
The conversation about cybersecurity and the training used to compliment it needs to be embedded into business as usual. This way cybersecurity training will appear less as a compliance requirement and more like any other business activity. Employees need to feel that they can do their job without cybersecurity getting in the way of meeting their goals.
The initiative needs to be driven from the top down. More often than not, businesses rely on their IT department to keep the company secure. However, given how sophisticated cyberthreats are today, a joint effort is necessary to prevent a cyberattack. Increasingly, businesses have started to understand this and we’re seeing more and more chief security officers have a seat at the executive table.
There’s also a common misconception among executives that they’re untouchable when it comes to cybersecurity attacks. However, c-level executives are more prone to attacks than anyone else in the business mainly because they hold the key to some of the most critical data that threat actors find most valuable.
Human error accounted for more than a third of cybersecurity breaches. Engaging cybersecurity awareness training, however, is one way to manage and reduce this risk. While businesses will never be able to eliminate cyberattacks, it’s possible to prevent the impact it will have on the business.
Having well-trained staff in cybersecurity is any business’s first line of defence. They will know what to look out for, they will be more suspicious of incoming emails, and if an attack does occur, they will know how to handle it. That's a deliberate strategy for building a holistic understanding of corporate cybersecurity in real-world context. It's designed to help people truly internalise how and why people make simple mistakes, what happens when they do, and how to avoid them in the future.
Businesses need to invest in their people, not just the technology to successfully reduce the impact of a cybersecurity attack. By watching people — not bullet points —employees learn how to help build a stronger corporate cybersecurity culture.
Part of that culture also means building a trustworthy environment where failures are celebrated, instead of pointing fingers at people when an incident occurs. This way people have the opportunity to reflect and learn from what happened and what lessons can be learned from the breach or incidents. An organisation will also gain a true understanding of where gaps exist in their incident response plan.
What most don’t realise is that an incident can lead to a stronger resilience posture when there is a company culture that encourages for open and honest conversations about what has or hasn’t worked.
If businesses can get the right culture, cyber hygiene and awareness training right, then they are already on their way to being more protected than most. Employees will have both the knowledge and desire to help a company succeeding securely.