Cyber threats are always changing. Shouldn’t your approach to training change, too?
You’d think so.
We think you should.
More specifically, here at Living Security, we think that traditional security awareness training isn’t good enough. Maybe it was once, but the world has changed, and cyber threats have changed, too. What does your organization need to know about this new approach to cybersecurity training? And what can you do, right now, to make that shift to a better, more responsive, more up-to-date approach?
The very first time a user logged on to a system, security awareness training was born. It might not have looked the way it looks now, but from the beginning, users needed to know how to safely log in, what to do with their passwords, and what the best practices were for their organization. From there, the basics of security awareness training emerged, and today it is an essential tool for informing users about security topics. The benefits of security awareness training have brought us to where we are now.
Standard, compliance-based security awareness training isn’t altogether a bad idea. It served a key purpose, and the core philosophy of it still stands: People need specific information so that they can do the things they’re supposed to do, and not do the things they shouldn’t. That’s great, actually.
But these days, it needs to go further. Standard security awareness training was developed for a cybersecurity landscape that looks very different from our current one. The need has changed, and so too should the approach to training. What’s more, the whole work experience has changed; employees need and expect more experiences, especially as fewer of them work from an office.
So, what is it about security awareness training today that isn’t working? We’ve identified 5 key factors that need to shift if we want to keep ahead of emerging cybersecurity threats.
Since its inception, the importance of security awareness training has been focused on delivering information, which is all well and good, but the result of this is that most of it is extremely boring. Yes, people need information, but they need to be engaged to really learn.
If you can think back to a class or training you went through that was as dull as watching paint dry, how much of that information did you actually retain? In contrast, if you were lucky enough to have a teacher or professor who was engaging, inspiring, and enthusiastic about their course, we’d bet that class was much more interesting—and you probably retained more information, too.
Standard security awareness training tends to be less than inspiring. Basic quizzes, endless questions, and even outdated videos or materials don’t inspire confidence and certainly don’t prompt engagement or behavior change. That’s not good enough anymore.
Living Security’s security awareness training platform features professional-quality videos with real actors and compelling scenarios; employees feel like they’re part of a movie. And virtual, team-based cybersecurity escape rooms provide an experience that brings the team together to learn and solve puzzles as a group.
Many organizations and industries are required by law to undergo security awareness training at some regular frequency, which is great. People need to keep information fresh in their minds in order to retain it. The downside of this approach to security awareness training is that, much like any other mandated once-a-year course, you don’t really retain a whole lot from it when it is done that infrequently.
The difference in knowledge retention between a class you took six months or a year ago and the information you apply on a daily basis is huge. Standard security awareness training makes it easy for things to be forgotten. (Especially if, as we said above, the training isn’t that interesting to begin with…)
Living Security’s security awareness training platform includes monthly themes and topics that are relevant to specific breaches, threats, or times of the year. This helps keep cybersecurity top-of-mind for employees.
Mandated training and industry-wide standards are good, but cybersecurity can’t just be about ticking a box and meeting a standard for the sake of a standard. Real security comes from the day-by-day and threat-by-threat application of the knowledge gained in a training program. And it doesn’t matter if a user base takes a training course, watches a presentation, and passes a quiz if their behaviors aren’t changing.
Compliance-based training misses the point. Why do companies send users to security training in the first place? Is it to check a box and say they did it? Or is it to actually learn, and go out and apply what they have learned? We don’t send teens and new drivers to driver’s ed just to say they’ve stepped inside a classroom. They need to actually know how to use their turn signal when they merge. (Wouldn’t THAT be great!)
Cybersecurity training that engages the mind and senses helps actually change human behavior, which is the most valuable outcome of such training.
As a security leader or program owner, how can you tell whether your user base has changed what they’re doing, comparing their actions before and after their training? You can answer the question “Did 100% of users complete this year’s required training?” It is much harder to track how much of the training actually had an impact, and when the data gathering and analysis are done manually, the results are outdated before they’re even fully compiled. Not only is this process annoying, it’s not really helpful, either.
The kind of metrics you need to be tracking could cover anything from program engagement to phishing response to failed login attempts to password sharing. How does the training impact an organization’s risk? What, if anything, is actually changing? Do you know? Can you track it? And can you communicate that impact to CISOs and key stakeholders?
The net result of all of these shortcomings is that, by and large, security awareness training doesn’t really change behavior. And if changing behavior is a huge part of why security awareness training matters, and the training isn’t doing that (or we can’t tell whether it is), then what’s the point of doing it in the first place? How do you know which users and groups are most at risk, and how can you tell if that risk has changed? Who needs to know more, and how can you deliver it to them?
Cybersecurity awareness training needs to change. It needs to adapt, and it needs to shift away from boring, check-the-box, once-a-year training that has vague metrics and uncertain outcomes. The way to do this is through Human Risk Management.
Human Risk Management is at the heart of everything we do here at Living Security. Understanding what behaviors put an organization at risk, and knowing how to spot risky behaviors before they become full-blown incidents, completely changes an organization’s cybersecurity framework.
Instead of boring and uninspiring training, choose interactive, engaging content that people actually want to pay attention to. Don’t just make it informative; make it interesting, immersive, and people-focused. Make it—gasp!—fun. (Yes, cybersecurity training can be fun!) People learn better, and retain more, when they are curious, not bored out of their gourd by yet another video module.
Instead of one-and-done, keep your cybersecurity training fresh all year round. Make it timely, make it pertinent, and especially make it focused on topics that actually matter. This is especially true for the rise in remote work. Cybersecurity training for employees at home makes all the difference between a user who relies on their best guess for proper security protocol and one who is informed and prepared for a new environment, and new potential risks.
Instead of compliance-based training, choose to focus on changing human behavior and empowering users to be the front line of security. Now, we hear you. We’re not new to this world, and we know that a lot of security program owners fall back on compliance-based training simply because actually changing user behavior sounds impossible. It’s really not. All it takes is a different focus, one that incorporates and prioritizes Human Risk Management.
Instead of relying on superficial metrics, try real-time feedback. An HRM platform like Living Security Unify can pull in data from across all of your sources, analyze it in real time, and give you current data that can inform your next steps. What behaviors are happening right now that are contributing to your organization’s risk?
Instead of impersonal impact, what if you could create a targeted campaign specifically aimed at the users and groups who show the most signs of risky behavior? There’s no sense in doing training after training about password creation if the real threat is phishing. And if certain groups within your organization may cause more damage, should they be breached, then they need different training, right? Make it personal. Make it human-driven. Make a difference, and you’ll see amazing results.
Human error is the biggest cybersecurity risk, but it doesn’t have to be that way. Humans can also be the strongest security defense when they are empowered and engaged to make the right choices before events happen. Reframing your organization’s cybersecurity framework to include the human element is key to building an effective security awareness culture.
Risk is inherent in everything, but that doesn’t mean we have to accept it and do what’s always been done. The traditional approach to cybersecurity is changing, and organizations need to change, too. Staying ahead of risk means adapting your own approach to cybersecurity to include the human element. To learn more about what Living Security Unify can do for you, check out our demo.