The intention of this year’s Cybersecurity Awareness Month theme, “Do Your Part. Be Cyber Smart.”, is to promote and encourage accountability at the personal and corporate level. While the sentiment is solid and the tag line is catchy, it’s important to acknowledge that this is more complicated than it sounds.
It would be lovely if just the command to ‘be smart’ were enough to make it so. However, educated, responsible decisions about cyber security require an understanding of the ‘why’ and ‘how’. Simply put, if organizations don’t provide the context, information, and tools needed for effective cybersecurity training, they are setting themselves and their employees up to fail.
Missing the Mark
Awareness alone is not enough. It has to be paired with proper education to be successful. At the corporate level, many organizations provide cybersecurity training/education. Whether it’s to fulfill compliance requirements, reduce possible liability, or to protect the organization’s assets, there are enough motivators for companies to do their level best to educate.
Unfortunately, there is a large audience of employees that are just not getting it. An alarming 43%* of employees are not aware that clicking on a suspicious link or attachment in an email can introduce malware. That means a key pillar of good cyber hygiene training is not sinking in. Additionally, 59%* of employees are not confident they could identify a social engineering attack. Let that sink in. More than half the employees surveyed don’t think they could spot a malware attempt, even if they wanted to. Perhaps part of the problem is a lack of willingness or buy-in when it comes to training.
Don’t Skip the ‘Why’
While personal accountability is a crucial component of cybersecurity awareness, it falls to organizations to motivate their staff to be accountable. You can provide the best cybersecurity training in the world, but for most humans, if they don’t understand why they need to do it, they either won’t do it or won’t do it well. Convey the importance of cybersecurity training by explaining what is at stake and how truly important the employee’s role is in protecting the business.
- Do your employees understand that one errant click of an email can cause a data breach that could ruin the company’s reputation and financial well-being, thus putting their job at risk?
- Do they know that 94%** of malware is delivered via email, so all email is guilty until proven innocent?
- How about the fact that attacks on IoT have tripled***? Cybersecurity training isn’t limited to their computer.
Employee buy-in is vital for successful training. The clearer you paint the ‘why’ picture, the more inclined employees will be to take training seriously and make it a point to absorb the information. If you skip the context, you are essentially throwing a portion of your training budget down the drain.
How to Provide the ‘How’
Looking at the employee stats above, it’s fair to say that something is missing in the business world’s collective attempts to provide cybersecurity training and education. Perhaps it is a lack of context or motivation, as discussed previously. Maybe some organizations are not requiring training or enforcing those requirements. Or the problem could be in the training itself, which can often be boring and unengaging, failing to keep the employees’ attention.
Another theory is a simple lack of time. If employees are required to complete cybersecurity awareness training, are they being given time to do so? Often that is not the case. When organizations do not carve out time for training, they are inadvertently implying that this “requirement” is not really that important. To signal the significance and help ensure the efficacy of cybersecurity training, organizations need to follow these steps:
- Get buy-in and explain the ‘why’ before rolling out training.
- Provide easily accessible training from a reputable vendor.
- Ensure the training is engaging and require testing to promote comprehension.
- Provide allotted time for the cybersecurity training, where employees are not multitasking but forced to focus on the training content.
Organizations know that when it comes to training, you can lead a person to knowledge but you can’t make them think. However, you can inspire them to care and you can make the process as painless as possible. Those combined efforts will help close the cyber education gap, empower your employees, and make it harder for cyber attackers to infiltrate your organization in the future.