Each year you invest in a new cybersecurity awareness initiative— with a large focus on security training.
But despite dumping big dollars into educational videos and resources, you’re not sure it’s all worth it. Employees and management dread the program, complete the bare minimum to pass and rarely retain anything they’ve “learned.”
If you’re feeling like your team isn’t getting the most out of your high-spend security program, the awareness content might not be the only problem...
Here are a few other reasons your training is falling short:
1. You create panic, instead of deep understanding.
It’s not uncommon for IT Managers or Security Awareness Program Owners to roll out their annual cybersecurity training as a requirement. Quite frankly, employees only have themselves to blame for forcing IT to make it mandatory, since they’re dumb enough to fall for security attacks— or at least that’s often the perception.
Security Awareness Program Owners share news stories about the big, scary threat landscape and all the crazy ways hackers are tricking businesses. Of course, these stories sensationalize the disastrous financial and reputational repercussions of said breaches and paint the targeted employees as the bad guys for being easily duped. Employees compare themselves to these foolish victims who should have known better than to fall for a phishing scam.
As a result, you push a culture of FUD (Fear, Uncertainty and Doubt) that makes your team believe you find them untrustworthy. Your team thinks the stories are exaggerated and becomes bitter that you don’t trust them to uphold your security. This creates a general resentment and distaste towards the security initiative. Instead of having an open mind to the training, your team begins with a bad attitude, ready to get it over with to get you off their backs.
What Works Instead
Instead of pushing your security initiative as a FUD campaign, incentivize it. Even if it is a mandatory measure, encourage and reward your team for a job well done instead of highlighting all the things they’re doing wrong. Internally you can analyze their mistakes and push supportive exercises to help them improve, without shaming them for struggles.
It’s important to create a culture where you prioritize understanding over completion of your lesson plans or modules. Anyone could play a few videos without listening and cheat on a recap exam to check the box of “finishing” a course. But by creating a sense of enthusiasm and genuine support of learning you are empowering them to sincerely learn!
2. You give employees security awareness, which is not what they care about.
IT Managers and Security Awareness Program Owners know the problem, alright? It’s obviously that their team doesn’t know any better! They’re ignorant of cyber threats and need to be educated. They need to be made aware of risks. Only then can they appropriately spot and report them.
What you may not realize is this isn’t the only problem.
To be blunt, many employees don’t care about your company’s cybersecurity. To them, that’s IT’s job— while theirs is to focus on what you hired them to do. They’re not interested in learning about or upholding your security because they’re not invested in it.
What Works Instead
What they are invested in is their own personal security threats at home. If you can talk about threats in a way that appeals to them personally, your team will learn for their own individual good— as well as the good of your company.
This may involve a slight pivot in messaging, wherein you speak to each department’s and each human being’s interests. Instead of teaching them about privacy settings for your business, appeal to their desire for better privacy for their children’s online browsing and show them ways to modify it there. Or explain how malware may compromise their personal banking in an effort to help them understand how to better protect your financial information. Don’t be afraid to speak to the concerns of each individual department too, by painting examples that apply to them specifically.
3. You stop short of changing behavior.
Passing a cybersecurity awareness training program is one thing; applying what your team has learned is an entirely different ballgame. Many businesses forget this crucial next step, thinking of their team’s training completion as the end-all-be-all. Employees completed the course and know what to look out for— now the Security Awareness Program Owner's job is done until next year’s training!
The problem with this mindset is that sometimes knowing is not enough: doing makes all the difference. Your team could know they should use the password management software you implemented, but if they’re still storing passwords in a Word document because it’s easier than learning a new tool, that knowledge alone does you no good!
Do you have your security policies clearly spelled out, with ways to track your team’s compliance with them? One study featured in Forrester’s 2021 report showed that only 27% of global information workers claimed to be aware of their current security policies, while 8% admitted to straight-up ignoring or going around their security policies!
What Works Instead
A certificate showing that team members passed your awareness training program is great and all, but how are they applying what they’ve learned? It’s up to Security Awareness Program Owners and IT Managers like yourself to lay out specific policies and procedures for how your team will support your initiative after the program is complete and the rest of the year awaits.
After you roll out your updated annual security policies and get your team on board with behavioral changes, it’s also your job to track the impact they’re having on your security initiative.
But we know that security success metrics can be hard to define and measure, and many organizations struggle to keep up with progress. Still, in order to show that all-too-important return on investment to execs and get budget approval for next year’s training, you need proof it’s moving the needle.
What Works Instead
It’s time to get serious about tracking! It’s only after you have data about your security initiative’s success that you can analyze it and make positive changes.