How to Make Cybersecurity Training More Effective

Dr. Shaun McAlmont


February 20, 2024


One of the central tenets of cybersecurity awareness training is that everyone is responsible for keeping the company safe. Cybersecurity and risk management professionals must work in concert with other company leaders to effectively communicate with employees at every level of the organization and keep them fully engaged with cybersecurity. Corporate policies and workplace training content are not generally known for keeping eyes glued to the screen, but there are ways to ensure that employees pay attention to cybersecurity guidance to create long-term behavioral change.

The key elements of engagement are relevance, personalization and opportunity. Employees are much more inclined to focus when they see how cybersecurity concepts and training content apply to real-world scenarios, such as examples of actual social engineering attacks that have inflicted harm. Further, when training is conducted in clear, convincing and non-technical language, everyone can understand and improve. However, it is important to remember that all employees are different and have distinct psychological risk factors, behavioral patterns and methods of learning, ultimately requiring a personalized approach to training.

To boost engagement with and effectiveness of cybersecurity awareness training, consider the following:

Emphasize That Everyone Plays a Role in Cybersecurity

Cybersecurity can be an intimidating subject as employees may immediately think of crafty cybercriminals with access to sophisticated methods for hacking into secure networks, implanting malware and stealing data. Employees should have a healthy concern for the cyber threat landscape, but with the right training, they can actually help prevent a majority of cyberattacks. Conveying this empowering message to employees can help IT, cybersecurity and risk professionals secure the buy-in necessary to build organization-wide cyber defenses.

According to Verizon’s latest Data Breach Investigations Report, 74% of breaches “include the human element,” including errors, stolen credentials and many forms of social engineering. Meanwhile, the IBM Cost of a Data Breach Report found that phishing is the most common initial attack vector for data breaches. When framing the importance of training, consider using such statistics as well as real-world examples in which social engineering tactics like phishing led to major data breaches, such as the recent attack on MGM Resorts. Whether presented to entry-level employees or executives, this context conveys the essential point that everyone has a role to play in cybersecurity.

Embrace the Power of Personalization

Too many forms of workplace communication and training operate on a one-size-fits-all model and do not account for different personalities, knowledge levels or learning styles. Failing to personalize communication can pose a critical problem in cybersecurity education because an individual employee's characteristics, from psychological susceptibilities to patterns of behavior, have a dramatic effect on their ability to identify and prevent cyberattacks. Moreover, generic and impersonal messaging has a slim chance of seizing and holding employees’ attention.

Indeed, personalization is critical for workforce engagement. According to Gallup, less than 25% of employees are engaged at work, which costs companies huge sums in lost productivity and turnover each year. A Gallup employee engagement survey found that treating employees like unique individuals is essential for keeping them engaged. When companies personalize their cybersecurity communication, they not only ensure that cybersecurity training is more targeted and effective, they also build support by giving employees the individual attention they want and need.

Cybercriminals exploit a wide range of psychological vulnerabilities when planning an attack. For example, cybercriminals who launch phishing attacks often impersonate authority figures like IRS agents or corporate executives as this creates a sense of fear and urgency for the recipient. Some employees are more likely to fall for these scams than others due to a range of personality traits, such as impulsiveness, fearfulness or obedience. Security leaders can use assessments like phishing simulations to identify some of these traits in the workforce and provide educational content that reinforces psychological strengths while addressing weaknesses.

Highlight the Opportunity for Cybersecurity Skills Growth

The World Economic Forum’s Future of Jobs Report anticipates that 60% of workers will require new training over the next three years, while a Microsoft survey found that 82% of company leaders will need new skills for the AI era. While these may seem like daunting challenges, over 75% of adults say they would learn new skills or even “completely retrain” to remain employable, presenting an opportunity for both employees and organizations to upskill on cybersecurity.

At a time when employees are increasingly interested in professional development and education, cybersecurity and risk management professionals should leverage this demand to build stakeholder support for cybersecurity awareness training. For too long, employees have viewed workplace training as a chore, simply clicking through mandatory HR content as quickly as possible to receive a “training completed” confirmation. Walking away from training with specific lessons learned or useful tips can build a sense of skills development and convey more benefit for the investment of time.

Building employees’ cybersecurity skills can be one of the most impactful cyberrisk mitigation investments for organizations. IBM reports that employee training is one of the most important factors in reducing the cost of cyberattacks, with an even greater impact than common cybersecurity measures like encryption and threat intelligence. If cybersecurity and risk management professionals can increase stakeholder support for awareness training and establish stronger distributed defenses, this impact is likely to increase substantially. As corporate directors align themselves with the C-suite on cyberrisk, they make larger investments in cybersecurity, and awareness training is a cost-effective tool with a proven track record of making companies safer.

Communication is only effective if security leaders earn buy-in across the entire company, and this starts with knowing how to talk to employees about cybersecurity. By ensuring that communication and training are relevant, personalized and presented to employees as an opportunity instead of a burden, cybersecurity and risk professionals can build a more robust and sustainable culture of cybersecurity.

Dr. Shaun McAlmont is CEO of NINJIO Cybersecurity Awareness Training.