Every day, all manner of hacking tools, malware variants, and cybercrime services are offered for sale in the cyber-underground. Yet in many situations, it only takes a well-crafted phishing email or a simple mistake to turn a quiet day into an eventful one.
Technologies like antivirus and firewalls are one part of the solution to this problem. The other part is a workforce in which individuals follow security best practices that promote data privacy, compliance, and good security hygiene. Creating that workforce is the task of security awareness training. But talking about a human firewall is much easier than building one.
Take this 2018 report from SplashData, for example. The researchers examined millions of passwords leaked online and found that “123456” was once again the most commonly found password. Getting users to think about cybersecurity, and to carry the best practices they learn with them when they take their work and devices outside the office, remains a challenge.
Part of solving this problem involves ensuring that security training is relevant to the role of the individual receiving it. But making security awareness stick takes a little extra effort.
Nurture versus Nature
As the password study mentioned above showed, many people may not naturally choose the least risky behavior. However, with the right amount of nurturing, that problem can be solved. Here is some advice for security awareness managers to help encourage the types of behaviors that strengthen security.
Be true to your culture: Security training can be fun and entertaining, but don’t force “fun” down employees’ throats.
Reward good behavior: People respond to incentives. Monitor participation in the awareness program, and reward individuals who display the actions you want. Consider handing out titles like ‘Privacy Hero’, and call out good behavior in a public forum, such as a department email.
Get high-level support: Buy-in from executives trickles down to other levels of the business. An engaged leadership leads to a more engaged workforce.
Establish a culture of support: Fixing risky behavior doesn’t necessarily require a severely punitive approach. Some mistakes can be called out by coworkers in a way that is effective and not overly confrontational.
Use employee policies to promote security: As employees join the organization or take on new roles, make sure they are educated in any changing privacy requirements or risks they may be dealing with in their new position.
Change does not happen overnight, nor is it always a simple process. However, by treating security and privacy awareness training as a continuous exercise and reinforcing the behaviors you want, your organization will see a difference.