“Don’t click there. Don’t do that.” Employees know the drill. Cybersecurity teams hope these warnings will keep employees from doing something that will put the organization at risk. And, rightfully so. Research conducted in 2016 showed that 91% of cyber-attacks start with a phishing email. The number of insider threat incidents has also increased – by 47% over the last two years. Whether there is malicious intent or not, statistics like these are why security teams view their employees as a gateway for hackers to infiltrate the network.
In 2020, enterprises have undergone enormous change. Many employees now work from homes spread out around the globe. The pandemic has created a fundamental shift in how workers connect to their company networks, use their company-issued devices, and complete their tasks.
With all of these additional distractions, ensuring your teams are cyber aware is more critical than ever before. Will they be as diligent and cautious in the comfort of their own home? Will the vast increase in access points give attackers another advantage in this never-ending chess match?
With all these changes, it’s time for a new approach to cybersecurity awareness training.
Here are four ways to create training that positions employees as the first line of defense:
Empower your teams
You’ve made the technology investments to make breaching the organization through traditional IT methods complex and challenging. So, cyber criminals may take a different route – hoping an employee will make a mistake.
Show employees that attackers aren’t just throwing darts at the wall, but they’re specifically targeting certain employees for certain reasons. Based on each person’s role, have them think about what they have access to? What things they may be saying publicly, perhaps on social media, that could be used against them or the company? How could that access be beneficial to a hacker? As an individual, an employee can make an enormous impact on an organization – both positively and negatively – when it comes to cybersecurity. No one wants to be the weakest link. Empower everyone within the enterprise to view themselves as the armor on the perimeter that can stop attacks before they start.
Provide insight on the adversary
Many current cybersecurity awareness training programs tell employees about the warning signs to watch out for. But for this training to resonate, employees need to understand why these attacks are occurring in the first place. What are attackers trying to do? How are they trying to do it? Take them inside the mind of the adversary. Show them the research, reconnaissance and how campaigns are designed and customized for an individual employee – using their emotions and behaviors against them. When your teams see the details from the attacker’s vantage point, they have a stronger grasp of the situation and are more well-positioned to discover these tactics when the attack attempts occur.
Make it real
Training must be relevant to each employee’s role and each company’s industry. How do you translate the impact of a cybersecurity breach to workers within a manufacturing factory or power plant? Make it real. IT and OT (operational technology) environments are more digitally connected than ever. While that has many benefits for production and efficiency, if a breach happens on the IT side, that connectivity means an attacker can pivot laterally – shutting down systems, causing physical damage and impacting people and communities at large. To show employees the impacts of this converged risk, speak their language. Ensuring physical safety means ensuring cyber safety. What should workers be aware of? What does a potential breach or hacking attempt look like – in the world of OT?
Create a cyber-aware culture
From the top down, leadership must speak about the importance of cybersecurity – not just during cybersecurity awareness month, but year-round. Creating a culture that champions good cyber-hygiene and prioritizing it within every new technology implementation or business transformation will resonate with employees. Leading by example with a progressive approach to training can earn buy-in from the organization more effectively.
The training that instills fear (bad things can happen, so don’t click here and don’t do that) does not resonate. It’s time for security leaders to translate the risk of a cyberattack into normal terms. Risk is around us all the time, but employees who are situationally aware will always have cyber safety in the back of their minds. Focus on culture, applicability, education, and empowerment.