The Proofpoint 2020 State of the Phish survey found that the greatest cybersecurity exposure comes through employees, and that they remain the primary target of attacks on organisations. Cyber-criminals manipulate and deceive users into behaving in ways that endanger their employer's security.
Educating and enabling teams on security is an effective way to spot the signs of an attacker while an attack is still in progress. If people are more aware of potential threats and what they look like, more risk can be prevented.
Proofpoint have suggested some ways to make the process more palatable and interesting for end users, and we at Loop Secure agree with them.
Here are some tips to make your cybersecurity awareness training a success:
Brand your enablement program
Naming your program well helps users understand the main issue you are solving as an organisation. It raises the perceived value of the work required to learn about security by showing users, explicitly, what the risk looks like for them personally. An effective program name helps to establish the importance of taking part in it.
As an example, a program to roll out processes and controls for the General Data Protection Regulation (GDPR) was named "Become a Data Privacy Defender". The title makes clear the purpose of the project and the user's role within it: it is a data privacy initiative, and users are proactive contributors to that privacy effort.
Leverage Learning Science Principles
Learning science principles have been shown to change adult behaviour and include a number of methods for achieving the best learning and retention outcomes. These include offering both conceptual and procedural knowledge; sharing the bigger picture; keeping information bite-sized and focused on a single topic that can be consumed on its own; and reinforcing information through feedback loops so that awareness keeps growing and is sustained.
Get help from other departments and individuals
Other departments within your organisation can help significantly. Alongside the Security team, Marketing, HR and key executives can all play a big role in raising security awareness and in prioritising the training programs to be rolled out.
Security Managers can suggest how to keep content relevant to corporate policy, including password policy, and can identify the individuals who are most likely to be targeted and therefore most in need of training. Anyone who handles sensitive data is a likely target, and Security Managers can identify these people easily.
Marketing can help adapt security awareness content and materials to the organisation's brand, whilst HR Managers understand the dynamics across the organisation and can advise on working with executives and leadership.
Guiding users toward the right behaviour
It is normal for users to resist security awareness training, or to be lukewarm towards it. Training needs to be perceived positively to avoid that resistance and indifference, and the steps outlined above help to build a favourable perception and to maximise the value and acceptance of the program. Making the training relevant to both work and personal life increases engagement and retention of the key messages.
A tougher approach is also possible, in which users face consequences for clicking on simulated phishing emails, such as loss of access or privileges after 'three strikes'. This can maximise awareness and ensure follow-through with the program, although it will not be necessary in many cases.
Proofpoint Security Awareness has applied the principles above in various ways to mitigate risk, reduce operating expenditure and support privacy compliance. These tips will help your organisation and its users to engage with your security awareness program positively and to achieve sustainable results across the whole organisation.
Educating end users is a powerful strategy for building a robust workforce that is ready to take action. To learn more, sign up to our upcoming webinar on Tuesday the 18th of August at 12.30pm: