
When you're planning your employee cybersecurity training, consider the tone you're setting. Which statement from a leader would motivate your end users to make some changes?
- “All of you represent the weak links in our security system.”
- “Our team needs every employee to be a leader on cybersecurity. Each of you is key to protecting our business.”
Easy choice, right? Not so much in the IT world. Despite everything we know about human motivation, we still constantly hear IT and security leaders trying to shame end users into taking cybersecurity more seriously. Everywhere you turn, training materials call end users “the weakest link” in the cybersecurity plan. It’s especially common in marketing materials and social media posts from security awareness and training providers.
We’re not saying it’s untrue that end users are involved in most attacks. But we are saying it’s counterproductive to build cybersecurity training that sees people as a liability rather than an asset.
Research shows that about 80% of successful data breaches involve some form of social engineering. But how many of your employees will eagerly embrace a defense-in-depth security culture if you approach them as the problem instead of part of the solution?
Rather than viewing your employees as a weak link to offset, enlist them as frontline defenders. Call them an extension of the security team. Pump them up as a critical piece of the overall data protection effort. Show them that they can personally make your organization safer.
Changing your mindset—and building it into your cybersecurity training—provides a solid cornerstone for building a successful awareness and training program that your user base will embrace.
Plan Effective User Training
Recently (though not for the first time) we saw a social media post stating–with passion!–that training end users to spot phishing e-mails is a waste of time and resources. Wrong answer. Training and simulated phishing campaigns work—if they’re well-planned, well-executed and given time to work.
Here are a few ways to create training and testing programs that get buy-in from your team:
- Measure progress. Make a detailed plan for measuring your end users’ baseline knowledge and for measuring their progress after training. The baseline information will help you plan training with the proper relevance, timing, sophistication, etc. How can you deliver appropriate training and testing if you don’t know what most of your users already know? We’ve created sophisticated phishing tests with e-mail messages that fool all but the most attentive IT professionals. Anything less would’ve been too easy to truly test those targeted users. But such a difficult test would’ve completely missed the goal if it had been aimed at workers who rarely use e-mail.
- Set realistic expectations. Aiming for a zero “click rate” on the simulated phishing messages is unrealistic. Phishing training aims to dramatically lower click rates, not achieve a perfect score. While you may get a zero click rate on an individual phishing campaign, it is highly unlikely over multiple campaigns. The takeaway: Publicly congratulate your users for improving their phishing awareness during your next campaign. Don’t chastise users for failing to get a perfect score.
- Include EVERY user. If you excuse senior leaders from a phishing training program, your end users will know it. And they’ll naturally think, “If the people at the top don’t care, why should I care?” Then the stats from your company’s phishing training and overall awareness/training program will reflect this attitude. You’ll see more people clicking on simulated phishing messages, and you’ll see people spending less time consuming awareness and training materials. Your security culture must start very publicly at the top.
- That means you need to include IT and security teams, too. Even highly trained security and IT professionals fall for phishing e-mails. Include those users in your tests, even if that means customizing the test messages to reflect each user group’s sophistication level. This case study shows how one Pratum customer tested its IT team with some of the most convincing simulated phishing e-mails we’ve created yet.
So, let’s treat end users as frontline defenders, provide testing in a way that engages them, and view phishing training as a control with some of the best ROI in the security business. Ultimately, these will improve your organization’s overall awareness and training results and help with your “security bench strength.”
For help in planning a training program customized for your users’ needs, contact Pratum today.