You ticked all the boxes: posters, compulsory e-learning, seminars and desk-drops – you did it all. Even gave yourself a proverbial pat of the back for your ‘fool-proof’ strategy…Only to come back one day to the office and discover that all your files have been encrypted because one of your colleagues couldn’t resist following a link to claim their free iPhone 12.
So you are back to square one, thinking about what went wrong. You run your campaigns, people smiled and nodded, surely that was enough, right?
Here are the reasons why security awareness training needs more than to just ‘inform’.
Cyber security as a Tick Box Exercise
Security awareness training has traditionally been performed with a degree of resignation, more to serve a bureaucratic expediency than to accomplish any higher purpose.
Some employees receive their hefty training manuals with all necessary information during their induction and are considered ‘informed’. Others use unengaging online training programmes that merely make the business ‘compliant’. Let’s face it: most of the time, the awareness training is boring, condescending or outdated and worse still its forgotten because it’s not relevant, engaging and interactive.
If you’re thinking about revamping an existing program or creating a new one from scratch, you’re likely looking for different ways to be relevant and engaging. To make it successful, you have to make it stick and resonate with everyone.
Fortunately, you don’t need to reinvent the wheel; there are lots of resources available to help, regardless of how big or small your budget might be.
Cyber security is a tech problem
Tell me if you heard this one before: “If you did your job right, I wouldn’t have to worry about cybersecurity”.
Some people’s attitude toward cybersecurity is all wrong. They never think beyond the IT department and technology systems to acknowledge their own role in cybersecurity. Often people think security is not relevant to them, but with technology playing an integral part of our everyday lives, be that at work or at home, we need to consider a more security minded approach. Security is everyone’s responsibility, and we need to know how to defend ourselves. It starts with human behaviours and attitudes.
The need to gain sponsorship and buy in from the senior leaders in the organisation is critical. Changing people’s attitudes towards cybersecurity is a challenge, but not an impossible ask. To change attitudes, to open minds, we need to engage people from all aspects of the business, using techniques that allow us to remember the material, relate to it and most importantly, stop and think before they do.
Cyber Security training with a focus on human psychology can change attitudes and behaviours, recalling our experiences, with material that is relatable enabling us to learn from our mistakes and adapting our behaviours accordingly fostering an all-inclusive culture of security.
I knew better, but I did it anyway
In theory, people who complete cyber awareness training should be informed about the best practices and dangers of the cyberworld. They received the message – they are just not acting on it.
People simply just ignore security advice.
‘But, why?’ I hear you cry.
There are many reasons. Usually, they are underestimating their chance of becoming a victim or overestimating their ability to respond to security threats. On the other hand, they may have low confidence in their security skills or view security procedures as inconvenient and slowing them down. More often they are conflicted and decide no action is the best course of action or worse adopt default behaviours (Such as the same password for more than one account and everywhere!).
Most security awareness campaigns focus on improving security awareness. That’s all well and good. But if fresh awareness fails to change behaviour or culture, you have a problem. At the end of the day, it’s one thing to train staff; it’s quite another thing for staff to act on that training.
Security awareness training failed – What can I do now?
Improving security awareness, behaviours and culture at once is a much better ploy. Improve all three at once and your human cyber risk falls.
Easier said than done, I know, but it doesn’t have to be a herculean task.
CybSafe Security Awareness Training platform enables you to quantify your human cyber-risk and resilience, whilst measuring whether your awareness activities (such as training and phishing simulations) are actually working. This social behaviour and cyber-crime focused technology fuses psychology and behavioural science with artificial intelligence and data science.
See the video below to find out more about how CybSafe works.