Cyber Security Awareness Training: How to Improve Employee Behavior
Employees are your first line of defense. Unfortunately, they’re also the weakest link in your network security. It’s your job to improve your first line of defense by educating employees via cybersecurity awareness training.
According to the 2018 Insider Threat Report, the most common culprit of insider threat is accidental exposure by employees. The top factors are: phishing attempts (67%), weak/reused passwords (56%), and bad password sharing practices (44%).
What’s more, according the Verizon Data Breach Investigations Report: 81% of hacking-related breaches leveraged either stolen and/or weak passwords, while 98% of social attacks were linked to phishing scams.
These trends can be reversed with appropriate cybersecurity awareness training in your organization.
To be clear, cybersecurity awareness training isn’t any one thing. It must be a holistic approach — the idea is to transform the company culture to be more security-centric by effectively influencing the behavior of individual employees.
In order to effectively influence the behavior of individual employees, your cybersecurity awareness training methods should fall into one of these categories:
Category #1: Methods that help employees identify and recognize the problems with existing cybersecurity behavior.
Category #2: Methods that provide employees with solutions to help develop cybersecurity knowledge and improve cybersecurity behavior long-term.
You’ve heard the phrase, “Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.” The same is true regarding cybersecurity awareness training. Your training will only provide temporary value if you simply tell employees “don’t do this” or “don’t do that.”
The best way to improve cybersecurity behavior long-term is to teach employees the why, the how, and the what.
- Why is cybersecurity so important, and why should they care?
- How do criminals attack businesses, and how can employees play a part in prevention?
- What actions can employees take to make security a part of their day-to-day?
How to Help Employees Identify and Recognize the Problems with Existing Cybersecurity Behavior
Chances are, your employees are saddled with numerous poor security habits. This is true because either (1) they don’t care enough to change, or (2) they don’t know enough to care.
When you think of it that way, the solutions are simple: explain the repercussions of not caring in a way that makes sense to them, and point out the small things they can change to avoid those repercussions.
Suggested methods include:
- You can see, by employee, who was successful and who failed. That means you can follow up with those who erred and explain the importance of preventing a phishing attack, as well as provide suggestions on how they can improve for next time.
- When the test is done, you’ll get an aggregate score of how successful/unsuccessful your company was at preventing an attack. You should present that information to employees, and explain that oftentimes phishing is a zero-sum game — meaning, an attacker only needs to trick one person to gain access to your network and install malware that compromises highly sensitive company or customer information. Of course, different employees have different access privileges (ex. IT team is more likely to have privileged access than the Marketing team), but that is more relevant speaking to individuals or teams than when speaking to the company as a whole.
- When you speak to employees, show them additional examples (like the Gmail phishing scam). Giving an employee context around what a phishing email looks like, or what the attacker is trying to accomplish, will help them be more aware of suspicious emails and make them think twice before clicking on a link or attachment.
- Finally, the results of the test will allow you to generate a baseline score of how good your company is at preventing a breach. This will come in handy for future phishing tests, and allow you to measure your company progress.
“Giving an employee context around what a phishing email looks like, or what the attacker is trying to accomplish, will help them be more aware of suspicious emails and make them think twice before clicking on a link or attachment.”
B) Conduct an Internal Security Audit: Conducting an internal security audit will allow you to gain many of the same benefits of a phishing test, but on a larger scale. You can shore up your defenses, identify areas of high risk and explain the dangers to relevant employees, and build a baseline for future audits to measure improvement.
Don’t have the time to conduct an internal security audit? Try a security intrusion test.
Walk through the office after-hours and see how many passwords are written in plain sight. You can even look at notebooks left on tables and see if there’s any sensitive company information or access information (like a password) written inside. What about non-work devices plugged into the network? That’s a major risk that employees may not think twice about.
C) Less Formal Ways to Engage Employees: What if, when an employee leaves their computer unlocked and unattended, they have to buy bagels for everyone in the office? It’s a fun way to encourage employees to be more secure. Not everything that you do to improve cybersecurity awareness needs to be formal — if you can incorporate fun or engaging ways to help employees both recognize and change their poor security behavior, you’re doing your job.
“If you can incorporate fun or engaging ways to help employees both recognize and change their poor security behavior, you’re doing your job.”
This can extend to other areas of individual security as well. For example, what if you tried a scare-tactic to get employee attention? Imagine gathering the company and detailing the effect of a breach as if it happened because of an employee mistake (say, someone reused a personal password for a sensitive work account, or someone fell for a phishing attack). You can end your talk by revealing that the story is not true, but that it could be true if employees aren’t more careful.
These less formal methods don’t work for every company. Think about how employees will react, and perhaps talk with an executive first. But, in the right environment, these methods can have a material impact on employee security behavior.
How to Provide Employees with Solutions to Help Develop Cybersecurity Knowledge and Improve Cybersecurity Behavior Long-Term
While the methods suggested above do a good job of helping employees identify and recognize their poor password behavior, they aren’t long-term solutions to the cybersecurity awareness training problem.
In order to engender a culture of security awareness, there needs to be continued education and support for employees. This can come in many forms.
A) Continued Security Training and Communication: In the above section, we discussed methods like Phishing Tests and Internal Security Audits to give you the data necessary to identify employees who needed improvement or areas of risk in your business that you can focus on. These methods for cybersecurity awareness training are especially useful if used in an ongoing basis.
Employees can see their individual and collective improvement from phishing test to phishing test (ex. during the first test, 20% of employees were successfully phished, whereas in the second test, only 10% of employees were successfully phished). Your audit or intrusion test can clue you in to where you’ve seen improvement, and where you need to continue increasing awareness and education.
If possible, you should put together a security email for employees that details the latest security scams or methods used by hackers. You can send this once per month, or during a time of specific need (ex. if there is a phishing scam affecting users around the US).
You can also give a primer for all new employees as part of onboarding. Put together a few slides that help new employees identify a phishing email, explain the importance of strong, unique passwords, show them the value in keeping software updated, and tell them why public Wi-Fi shouldn’t be used to login to your network without appropriate measures.
B) Invest in a Business Password Manager: To put it simply, a password manager is the only way to ensure employees change their poor password habits. Bad habits include:
- Password Reuse: Employees are reusing passwords everywhere, including between personal accounts and sensitive work accounts. That means if their personal account gets hacked it can put your business at risk.
- Weak Passwords: Humans aren’t designed to memorize long, unique strings of numbers, letters, and symbols. Using a password manager enables complex, unique passwords for each account – this lessens the chance of a hacked account because of increased password strength and eliminates reuse.
- Storing Passwords: Writing your passwords saved in a notebook, Word doc, or browser isn’t safe. A password manager will help them store all (personal and work) their passwords in one place that is available to them wherever they are.
- Password Sharing: Employees share passwords in myriad ways, none of which are safe. Using a password manager ensures that sharing is safe, and access is only granted to appropriate employees for specific accounts.
The cost of a password manager is dwarfed by the cost of a breach caused by poor password behavior (the Verizon Data Breach Investigation Report suggests that 81% of hacking-related activities are caused by weak or stolen passwords.)
“To put it simply, a password manager is the only way to ensure employees change their poor password habits.”
Make sure you get a tool that employees will use, by seeking out a password manager that is easy to use and enables full-company adoption.
C) Two-Factor Authentication and Other Tools: There are many tools available to help with 2FA deployment to every employee. You can use Duo, which integrates with most software and SSOs, and also helps keep employees on top of the latest software updates. Yubico’s Yubikeys are a way to add a strong additional layer of security by requiring a physical token for access to certain accounts.
Another tool you can use to help with anti-spam and anti-phishing in employee email inboxes is called Mimecast.
D) Security@YourCompany.com: Create an email alias so that your now-educated employees can send (forward) suspicious emails or general suspicious security behavior for review by a trained professional (you or someone else on your team). You can also append
“[External]” to any email coming from out of network, so that if someone is trying to impersonate your CEO, employees can see clearly that it is fake.
E) Compliance: Is your business trying to become PCI-DSS compliant or gain some other certification? In order to gain PCI-DSS compliance or other certifications, certain cybersecurity awareness training is often mandatory.
These methods are all suggestions to help you accomplish your goal of cybersecurity awareness training. They help to answer the questions of Why, How, and What that we outlined above, and they enable both short-term change and long-term improvement. Stay vigilant, and make sure to engage and train employees in a way that makes sense to them so they can (1) understand the problems with their current security behavior and (2) care enough to improve their habits and help form a strong security perimeter for your organization.
Trusted by over 7,000 businesses worldwide, Dashlane Business is lauded by businesses big and small for its effectiveness in changing security behavior and simplicity of design that enables full-company adoption.
Thanks! You're subscribed. Be on the lookout for updates straight to your inbox.