The COVID-19 pandemic created a surge in cybercriminal activity. With so many employees working remotely, so many new processes and so much uncertainty, nefarious actors continue to take advantage of the chaos. Cybersecurity awareness training is no longer reserved for financial institutions or hospitals. All organizations need it in order to prevent successful attacks, because any business that handles money transactions is a target for criminals. Yet cybersecurity training has not evolved to meet the needs of an ever-changing workforce and its new work conditions.
Effective cybersecurity training is more important than ever: attacks are increasing, and the shift to remote work has left organizations even more exposed. During the early months of the coronavirus pandemic, the number of phishing websites multiplied rapidly, and phishing attacks surged by 667%. Despite this trend, many companies are merely going through the motions of cybersecurity awareness training, ticking a box to satisfy a regulation. Organizations need more role-specific, engaging and consistent training to combat the current risk of cyber breaches.
Changing Behavior Requires More Than the Minimum
To be effective, cybersecurity training must change behavior. Mimecast Limited recently released a report that found that employees are knowingly disregarding and working around security measures. One-third of surveyed employees who had attended security awareness training admitted to disregarding security policies. Until organizations change employee attitudes about roles and responsibilities, employees will continue to see security as someone else’s problem, not their own.
Unfortunately, there is a disconnect between how cybersecurity training evolved and what it needs to accomplish. Most cybersecurity programs have grown out of regulations on security and privacy, including payment card industry (PCI) compliance, Health Insurance Portability and Accountability Act (HIPAA) compliance, Family Educational Rights and Privacy Act (FERPA) compliance, and General Data Protection Regulation (GDPR) compliance.
When cybersecurity training is seen as a checkbox or a compliance obligation, the goal becomes the minimum required to satisfy the requirement. In such a scenario, if 98% of the staff complete a 30-minute annual review of cybersecurity, the training requirement has been met. From a behavior and security perspective, however, those staff members rarely apply the knowledge the training was supposed to impart.
One reason for the current disconnect in cybersecurity training is that the delivery method for compliance training is generally ineffective for training aimed at behavior change. Organizations rely on outdated content delivery approaches, such as lengthy presentations followed by assessment testing. This archaic method does not support how the modern workforce processes information. According to a SHIFT eLearning blog post, research has found that today’s typical employee works on a task for about 11 minutes before being interrupted by a phone call, an email or a co-worker. Within that span of 11 minutes, he or she engages in multiple short, three-minute tasks. “If the task involves consuming digital information,” the post continues, the average worker “spends just 20 seconds browsing one piece of content” before moving on to the next.
Making It a Priority
A common hurdle that companies experience is the belief that they cannot mandate training and should, instead, make it voluntary. But if a company or organization cannot work through the red tape of making cybersecurity training mandatory, how will employees ever see it as core to their job or as a priority for the company? If leaders treat cybersecurity training as an optional afterthought, employees will treat it that way, too.
Within the training industry, a common challenge is motivation: how to train an employee who simply doesn’t care. When it comes to cybersecurity training, removing training from the traditional compliance “check-the-box” track is one way to demonstrate its importance. Making it mandatory is another way to show that the executive leadership is in full support and wants everyone involved in cyber education. In addition, activities that are regularly measured and monitored become a higher priority, and if training is consistent, shorter and more engaging, it can inspire more attention and create more impact.
The Fear Factor
Finally, the cybersecurity industry generally focuses on the fear factor to create urgency and awareness — but fear doesn’t work in the long run. Effective training moves beyond initial scare tactics to empowerment. Investing in improving employees’ knowledge and giving them a sense of responsibility over their actions, and an understanding of how those actions can impact the whole organization, will create lasting change.
Thirty years ago, there was a huge push for safety within manufacturing industries. It became the top priority. Teams would have safety meetings and share the number of days they went without an accident within the facility. This approach brought the idea of safety to the forefront and made sure all workers knew it was the priority.
Cybersecurity is the new safety message, but it is still transitioning and finding its way to an essential cultural place within most organizations. Here’s how training can help:
Microlearning is an approach to training that changes the traditional model. It breaks content into bite-size chunks and tests learners on each small piece of information, which produces deeper engagement and better results than traditional training methods.
In a study conducted by Dresden University of Technology, reports a Grovo blog post, students taught using microlearning-style assessments performed 22.2% better than the other group of students. In addition, they took 28% less time to answer questions and performed 8% better on a comprehensive exam.
A highly effective approach in today’s cybercrime-threatened workplace is to combine microlearning with gamification, which involves the application of typical elements of games (point scoring, competition with others, rules, etc.) to learning. Contemporary workers respond well to gamification, not only in terms of motivation and productivity but in their overall relationship to the organization.
In the modern workplace, it is essential to provide employees with the information they need to help prevent cybercrime — and to provide it in ways that ensure the employees remember and make use of it. Properly applied, gamification and microlearning are tools that can make a significant difference not only in employee engagement and satisfaction but in overall corporate security.
The cybersecurity training industry has become lazy — over-commoditized, competing only on price and even lowering the price so much that it has created a real imbalance. Today’s organizations need better, more engaging platforms to carry the message to the whole organization. Cybersecurity education needs to create behavior change and empower employees to be part of a more secure organization.