Employees are often the first line of defence against cybercriminals, but despite in-house anti-phishing training in an increasing number of companies, many keep clicking. Why is that? In most cases it is not a deliberate action on the part of the employee, unless they are an aggrieved former employee who still has access to the company system. It simply means the in-house training, or in many cases the random email warnings, have failed to hit home.
Instead, employers need to rethink their security awareness training strategy and appeal to their employees’ hearts and minds. In a thought-provoking session at the CompTIA EMEA Member and Partner Conference in London, Darrender Jordan, founder of DJ Communication and Transformation, said many security awareness activities fail because they don’t appeal to the human side of employees.
“Companies need to stop ticking boxes and start touching hearts and minds,” she said. “Awareness is not the issue. We all know that cybercriminals exist. Human behaviour is the issue. This is about people, not technology.”
Jordan explained that for hundreds of years we have treated knowledge as the key, but security is about more than technical knowledge. People need to be engaged and motivated, and there needs to be an urgency to change behaviour.
Employees are suffering from information overload; everything is being thrown at them on top of their everyday job, she explained. This ultimately leads to inertia, similar to when people make New Year resolutions: the momentum stops, things become too much of an effort and the human brain shuts down.
Changing Behaviour
The question many business leaders may ask is ‘how do we change behaviour?’, Jordan said.
The key is having support from the leadership team at the very top—everyone needs to be a part of it—and ensuring you have the right tools, processes and procedures in place.
“The success or failure of a security policy hinges on the leadership team working and adhering to the rules,” she warned. “Use the voice of a company leader; if the CEO doesn’t say cybersecurity is important, nobody will listen.”
“Make it personal. If an audience doesn’t understand the why, they will never buy into the what,” added Jordan. “Use protection motivation theory by showing them pictures of what will happen to really scare them. But then show what they can do and give them the tools to protect themselves. This will help to change behaviour.”
Another tip Jordan suggested was to step into the shoes of your employees or your audience by trying to think like them and find their intrinsic motivation. If you adjust the messaging to their interests and knowledge and adjust the tools to their needs, they feel more comfortable and will be more aware of what to look out for.
Tools are important, but so is consistency, she explained. Ensure you have campaigns and updates on a regular basis. Keeping people updated and ensuring they know what is going on will help keep awareness heightened.
Also encourage people to think for themselves.
“Make people see why you are doing what you are doing by holding workshops,” Jordan suggested. “Don’t tell people what to do but make them think about it. Let them research the topics and discover content; they will come up with ideas and feel part of everything.”
Live demonstrations shouldn’t be ruled out. “Real-time demonstrations of cyber ‘insecurity’ are often engaging and effective and will stick in people’s minds,” she said. Finally, avoid playing the blame game if something does go wrong. It is extremely rare that a human error is made on purpose to deliberately sabotage a company.
“If someone clicks on a link, don’t blame and shame,” Jordan said. “Encourage them to share their story and explain what they did, how it happened and how it was resolved. This could happen to anyone.
“It is OK to admit you have made a mistake, rather than hide it,” she added. “People need to feel that they can come forward immediately. Hiding these mistakes is where the real problems can start.”
Apply these tips with your employees and your customers.
Read the CompTIA Community Cybersecurity Guidebook for MSPs for more tips!