We’re not shy of over-emphasising the obvious. Cybersecurity doesn’t begin and end in the IT department. If your organization treats cybersecurity solely as a battle between IT and malicious, unknown outsiders, you’re ignoring one of the most significant threats: your own employees.
More than half of data breaches are caused by insiders, including employees, third-party contractors, and partners, according to IBM’s 2015 Cyber Security Intelligence Index. The vast majority of those are purely accidental, with no ill intent. In fact, some 95 percent of insider threats are simply the result of human error. From falling for a spear phishing campaign to mishandling confidential information, even a seemingly small mistake can open the door to a massive cyber attack.
To our delight, many organizations have launched cyber awareness campaigns to inform employees of the potential risks and encourage safer online behavior. But information alone is not enough, which is why many of these campaigns fail. An effective defense strategy requires a thoughtful combination of hands-on training, education, employee buy-in, and innovative technology that can identify risks before they become real threats.
Why Some Awareness Campaigns Fail
Cyber awareness campaigns differ from one organization to another. Some are as simple as a one-day training workshop; while others are structured as more comprehensive, long-term education programs. Still, there are some common reasons why awareness campaigns often fail to change employee behavior:
Training programs that use IT language do not resonate with the masses. Employees need to learn about security risks in plain language, and the examples must be relatable to their work and online social lives.
If you’re using generic slides and videos, rather than explaining why a safer online behavior is important to the company, to the industry and to individuals, employees will probably treat the training like just another boring session they have to attend because the boss said so.
Scaring employees by offering doomsday scenarios can be ineffective or even counterproductive. Many people simply don’t respond to what they perceive as threats or harsh warnings.
Pumping employees full of information in too short a period of time can lead to frustration. Some employees might abandon good security practices before they begin because they feel overwhelmed.
They die hard. Even if your message resonates during training, it’s easy for employees to fall back into their own ways when the program ends, particularly if training messages aren’t reiterated later.
Building A Campaign That Works
According to a joint research paper from the University of Oxford and University College London – “Cyber Security Awareness Campaigns: Why do they fail to change behavior?” – security education has to provide more than just information. It needs to be targeted, actionable and doable. Not to mention, it must also encourage employee feedback.
Cybersecurity campaigns must be designed specifically for the audience you’re trying to reach, and participants must leave the training with clear instructions on the next steps to take. Those steps must be simple and manageable enough to be embraced, and organizations should follow up with employees to gather feedback on how the process is going and where assistance is needed.
The paper also noted that successful cyber awareness campaigns include multiple training exercises that emphasize many facets of security, rather than single sessions addressing just one topic or threat, and that they include an assessment component to evaluate how the training has affected employee practices.
Prior to launching a security awareness campaign, some organizations employ creative methods to ensure they’ll ensure employee attention from the onset. Organizations can run mock phishing campaigns, for example, to find out how many employees click on a potentially malicious link without even knowing it.
Armed with this data, it’s easier to show employees that serious risks exist. It’s not a good idea to name employees who fall for the ruse, but providing group data is valuable to understanding risks.
Bank of England infused creativity into their awareness campaign: The bank had stickers of what looked like cracks which they stuck on the building walls. These started off as small cracks and over time (every week or so) grew larger (they changed the sticker).
There was no mention of cybersecurity or awareness, nor was there any explanation. This worked magically as it became the talk of the hour within the bank and so when it was announced everyone just kept talking about it… Who said cybersecurity and marketing are worlds apart?
Show Me the Money, Awards and Recognition
Including monetary incentive also gives cybersecurity awareness an edge to really encourage education and participation. Incentive programs can range from rewarding employees – depending on their job titles and functions – for finding a virus, reporting a phishing email, taking a course or reading a security publication. Using a points system that builds toward redeemable rewards is also a good model. The U.S. government even incentivizes companies with insurance, grants, process preference and more for instituting cybersecurity framework.
Another creative, yet effective solution is to implement a countdown timer on emails. The visible 10-second countdown gives employees an extra opportunity to think about what they are sending and if it crosses any lines that might put a company at risk. A tangible device holding employees accountable encourages thoughtful practice of safe cyber habits. Same can be done for causing employees to think twice about clicking on risky links or downloading tempting tools and apps.
How about the thank you. After an employee reports suspicious activity or possible cyber threats, an IT team should send a personal thank you and copy that employee’s supervisors. This fosters a considerate environment and with just a few words shows that cybersecurity awareness is greatly appreciated.
Cybersecurity is a difficult world to navigate because it is so multi-faceted, and because new threats are constantly emerging. Smart companies rely on a combination of employee education, processes and technology to keep hackers out, implementing strong cyber awareness programs along with iron-clad technology and best practices.
Continuous self-testing of your organization’s ‘CyberReadiness’ is a game changer, ensuring the upper hand remains with the protector, you! For cybersecurity to be effective it needs to adapt to the challenges posed by a growing digital footprint. What’s needed is an all-encompassing approach.