Newsflash: Your Employees Aren’t Paying Attention to Security Awareness Training

By Mike Polatsek
September 24, 2024 | 3 MIN READ

Close to half of businesses say their employees wouldn’t know what to do if they received a phishing email. According to a US government-backed study, one of the main reasons for this problem is “waning engagement and growing indifference” towards cyber security training. While organizations continue to throw money at cybersecurity training, employees just aren’t paying attention.

As a result, despite hundreds of hours of security awareness training sessions, webinars, and classes each year, the lack of employee engagement is keeping risk at an all-time high. Sound familiar? This article looks at what organizations should do instead. 

More Content ≠ More Engagement

Many security awareness training programs today are putting an oversized focus on the amount of content they provide, and expecting an increase in content to equate to a reduction in risk. 

The mistake is clear: security leaders are ignoring the engagement gap. Organizations see that the number of phishing attacks is rising, so they respond by implementing more training, more classes, and more content. This is like dropping someone off at the New York Public Library on hearing that they have a knowledge gap or a challenge to solve. Sure, the answer is in there somewhere — but you have done nothing to help the person find the right book or the right chapter, and actually engage with the content in the first place. For all you know, they never reached for a book at all, and simply sat enjoying a slice of red velvet cake in the welcome café.

Similarly, it doesn’t matter how much content you put in front of employees if they aren’t engaging with it. In most cases, employees are ignoring the training webinar you signed them up for, the mandatory security teleconference, or the phishing awareness class, and simply getting on with their own work in the background, knowing that they have been marked compliant simply by showing up. The Department of Justice calls these kinds of compliance efforts “paper programs”, where organizations have spent money on all the components of training, but it hasn’t been “designed, implemented, resourced, reviewed and revised… in an effective manner.”

This is why close to one-fifth (19.8%) of employees fall for phishing scams, even if they have gone through comprehensive training.

Creating Security Awareness Training that Works

To combat the engagement gap, organizations need to turn away from adding more and more content and think about how to actually engage employees with the content they provide. To maximize engagement and learning, security awareness training must be focused on three key areas: 

1. Culture

Instead of a culture of testing employees, which conjures up the image of employees passing and failing or being put under the spotlight — think about providing your employees with a culture of learning instead. This is a more positive approach that allows for mistakes without fear of consequences. 

You should expect to see fluctuations in performance, as learning is not a linear journey. Improvement will come with ups and downs. Remember, if employees fall for a simulation, this is not a negative sign; it’s just an opportunity for them to learn.

2. Process

Delivery is really important when considering engagement. As security is not a core part of everyone’s job, training needs to respect employees’ time, arriving in the flow of their day-to-day work. Instead of bi-annual webinars, think about implementing continuous training that provides time for practice and introspection as part of employees’ regular working environment, for example directly in their email inboxes. 

Only you know your employees, your industry, your organization, and your business context. Rather than buying a security awareness program that is delivered as standard out-of-the-box, look for a vendor that allows you to construct your own scheme in the way that works f

3. Content

Finally, think about the content itself — not the volume of it, but what kind of content you use to train. At CybeReady we recommend short nuggets of microlearning, between 30 and 45 seconds each, written in easy-to-understand language which is free of jargon and localized to each user.

Your content should also be contextual to your business needs, considering the different risk groups, roles, or behaviors of your employees, ensuring that training is both impossible to ignore and truly makes a difference. 

Interested in shifting from a content-based strategy to one that focuses on delivery and engagement? Speak to an expert about our autonomous cyber security learning platform.