Last year, cybercrime cost more than $13 million per company, a 12% increase from 2017 and a 72% increase over the last five years, according to a report by Accenture and Ponemon Institute. Executives rated “accidental publication of confidential information by employees and insider attacks as having the greatest impact” on their businesses. While training employees in cybersecurity awareness is more important than ever, researchers found that “training employees to think and act with security in mind is the most underfunded activity in cybersecurity budgets.”
Training Industry’s new risk management model, the Training Industry Typology of Organizational Risk™, identifies four types of risk modern organizations face, including risk to resources such as software as well as risk to intangible assets like data and proprietary information. The model also highlights the role that learning and development must play in reducing organizational risk. The growing threat of cybercrime is one of the best examples of this reality.
Unfortunately, we know that when it comes to compliance training, standard “check-the-box” e-learning isn’t cutting it. “It’s terrible,” says Masha Sedova, co-founder and chief product officer of Elevate Security, of traditional cybersecurity awareness training. “It’s once-a-year, one-size-fits-all, cheesy video training. No one, and I mean no one, likes it. Not the CISO [chief information security officer], not the security awareness practitioner and definitely not the employees.”
Elevate Security raised $8 million in February for its “Security Behavior Platform,” which “measures, motivates and rewards employee security behavior change.” Its virtual learning experience, “Hacker’s Mind,” enables learners to walk in a hacker’s shoes, better understanding cybercrime and motivating them to prevent it. Sedova says that, by making training more engaging, her company has seen the rate of employees’ detecting and reporting phishing attacks increase by five times, or 400%.
Similarly, the OpSec Cyber Security Institute helps learners “understand the motivation [that] threat actors have on a personal level, [which] helps them think outside the box when investigating breaches or other network incidents,” according to founder and chief technical officer David Spivey. He also recommends providing one-on-one instruction as well as hands-on workshops to better engage and educate learners.
“Make it mirror real life,” says Mike Hendrickson, vice president of technology and developer products at Skillsoft. “Being able to provide the opportunity to roll up [your] sleeves and test yourself with hands-on practice involves the user and makes them more engaged.”
“Please go beyond ‘check-the-box,’” says Kathryn Brett Goldman, CEO and founder of Cybermaniacs, in a plea to the industry at large. Her company takes the approach that using “humor instead of fear, guilt or shame” can improve people’s security habits and uses short videos featuring puppet characters to bring an unconventional feel to cybersecurity awareness training.
“We think humans are motivated by positive messages,” Goldman says. “We don’t think that ‘hackers and hoodies’ and the fear, uncertainty and doubt is working really well.”
Furthermore, with the diverse audience training must address, an audience that’s busy and multitasking and bombarded with content, Goldman notes, “You need short bursts of micro-training, even … what we like to call ‘nano-content.’”
Adding Training to the Cybersecurity Budget
“Bringing a workforce up to speed on cybersecurity issues is not a one-and-done training seminar,” says Spivey. “It requires a top-down leadership commitment to provide a training program with proper funding and a regular, repetitive timeline.”
Unfortunately, Goldman says, “Even though the spend on cybersecurity overall has been increasing year over year, it just mostly seems to be going to the tech side, which I find shocking, because it’s estimated that 80 to 90%of cyber breaches have a human element at the root” – meaning training, not tech, is the solution. She says it’s important for cybersecurity and HR leaders to work with the management team to “figure out what the risk landscape is” for their company – where they are at risk and what they can do to mitigate it. “At the end of the day, I think most companies don’t really know where they stand,” Goldman says.
Measuring the Effectiveness of Cybersecurity Awareness Training
“We’re just about 10% fuzzy,” Goldman says. “If you actually look underneath the hood of what we’re doing, we’ve put together a human-centric and data-driven approach to the cyber-awareness problem.” Understanding people’s behavior – and then measuring it – is key to changing any behavior, including cybersecurity behavior.
Too often, Sedova says, companies measure compliance training for completion – after all, that’s all they need in order to stay compliant with regulations. But the true measure of training success is whether your organization is actually more secure as a result. Did training result in reduced clicks on phishing emails, increased use of password managers or malware protection, or better protection for sensitive data? Those results are where you’ll see a return on your cybersecurity awareness training investment. Measuring behaviors will also help you pinpoint which employees need more training.
By providing a culture of continuous learning and awareness, you can manage cyber-risk, protect your assets and your employees, and create a more successful organization.