Beyond Phishing: Cultivating a Culture of Cybersecurity through Comprehensive Cyber Awareness Training
Time and time again we learn that humans remain the weakest link in any defence, whether the attack is social engineering or someone simply walking into the building. Security controls cannot design away a person's tendency to want to help; we're human after all. But that doesn't change the fact that, as security professionals, we still need to protect our IT estates. Security awareness training is commonplace across most organisations, usually an annual exercise that people dread seeing land in their inboxes. Even as a security professional, I find myself dreading it, because whatever the platform, it never seems to spark enough interest. To engage the workforce and build a cyber culture that extends beyond the physical perimeter of the office, we need to rethink the way we deliver cyber awareness training.
How do you balance delivering thorough cyber awareness training whilst keeping it interesting to staff?
Make it interesting
I've found that employees have varying levels of interest when it comes to cyber awareness, ranging from really curious to completely disengaged or apathetic. I believe cyber awareness programmes work best when they spark curiosity and are genuinely interesting. Plenty of people are guilty of binge-watching entire seasons on Netflix within days. Why? Because the series is written to hook them; it appeals to their curiosity. The same approach can be applied to training. Sure, you still have the compliance checkbox for completing the online course. But why not make it practical and follow up with an interactive 'lunch and learn' session on a real-life case study? In the past, I have created training exercises that walk employees through how a cyber attack could be carried out, including real-life examples. Though simple, this crystallises how easy it is to conduct an attack, especially from something as innocent as a mouse click. Illustrating how easily an attacker can strike temporarily grants the workforce access to our world as security professionals and highlights how crucial their role is in keeping the organisation safe. There's nothing like the shock factor for engaging your workforce. When choosing case studies, I also stay away from attacks on organisations and opt for attacks aimed at individuals, such as direct deposit scams that target employees, house buyers and renters. This makes it more relatable, because you see the victim as someone like yourself or someone you know.
Divide and conquer
When delivering training, knowing your audience is essential. Without a doubt, there will always be someone in the room who believes they couldn't possibly fall victim to a cyber attack, and who therefore disengages. When designing your sessions, consider separating the training by job function to make it more impactful. The difference in risk exposure between a sales executive and a full stack developer means they need to be educated separately. A sales executive may be more susceptible to social engineering because they engage with external parties regularly and may be under pressure to meet sales targets, whereas a full stack developer is responsible for secure code development and so must understand the risks associated with it. Delivering training to job functions rather than the entire workforce makes it easier to give relatable examples, and you're more likely to keep everyone engaged when everyone is able to contribute to the conversation. Aim for depth when delivering training; that's where lasting change is made.
When building a cyber awareness culture, the most important thing is keeping the conversation going. Ensure that employees feel comfortable asking the security team questions and that the channels of communication remain open. This builds a rapport you can draw on when future changes are enacted, reducing the likelihood of a disengaged or apathetic workforce.