5 Behaviors that Tell Your Employees Need a Different Cybersecurity Training Approach

The ultimate goal of a cybersecurity training program is to guide employees to make better, cyber-aware decisions. However, companies that deliver traditional training (aka long and tedious) fail to drive real behavior change.

More than simply checking a mandatory box in your IT department, cybersecurity training should help your company break silos between general employees (including C-level executives) and the IT team to better protect your company against cyber threats.

Listed below are a few indicators that security leaders can look for to identify whether their security awareness program needs to be reviewed.

1. Employees Leave Data Unsecured

As employees become comfortable in their work environment, they tend to become complacent about cyber hygiene. They begin to let their guard down over what they consider “trivial,” such as not logging out of their computers when they leave their desk or finish their workday. Security and IT teams should always keep an eye out for carelessness in employees' security-related practices.

Behaviors that indicate an employee should be retrained on security essentials include, but aren’t limited to, leaving their station without logging off, leaving company documents unattended on their workstation, or posting passwords on sticky notes or whiteboards.

For employees who work remotely, run an analysis using your current cybersecurity tools to see whether there are any signs of them using an unsecured Wi-Fi network or personal devices while working, and check whether they are using the VPN correctly.

How to improve this behavior?

Stay vigilant in the way your employees approach data security. They won’t know how to behave securely unless you guide them on how to do it. Make sure to add topics that are genuinely relevant for today’s hybrid reality of work location in your next cybersecurity training. 

2. Employees Manage Passwords Poorly

Observe employees’ password habits. Did you know that the most common password in the world in 2019 was “123456”? And this has been the case for the last seven years. Therefore, it is no surprise that 81% of company data breaches are due to poor password management.

Employees have too much on their plate, and most of them think that by setting the same password for all of the systems they use, they will save time and avoid non-productive processes.

How to improve this behavior?

Company policies play an essential role in password management. Weak defaults, such as not setting minimum complexity requirements for passwords or not mandating frequent password changes, are a surefire way to create vulnerabilities for your company.

When a new password management policy is in place, you will need to educate your employees on the new rules. Run frequent assessments and awareness training to keep employees on their toes and check for any potential slip-ups.

Last but not least, implement a corporate password management tool to help your employees store their existing passwords and generate secure and encrypted ones when necessary. You will find plenty of strong password management tools out there, such as 1Password or LastPass.

3. Employees Underestimate Cybersecurity

“It won’t happen to me!” is a common misconception among employees about cyberattacks. They may think that their company is too small to be hacked or that their work would be meaningless to a potential hacker. But that is often not the case; it can happen to all of us.

Thus, to know how vulnerable your organization is, it is critical to understand how your employees view their role in cybersecurity.

How to improve this behavior?

Providing frequent training based on real-life scenarios is a great way to showcase how cybersecurity ties to their daily lives. But more than that, it is critical to provide cybersecurity training that specifically addresses their roles, departments, and responsibilities. 

HR, Sales, Marketing, and Operations face different challenges and have access to various tools, so it is essential to customize cybersecurity training to match each employee’s varying job scope and roles, ensuring that all training is relevant and valuable.

4. Employees Don’t Feel Comfortable Approaching their IT Department

Businesses were caught off-guard by the onset of COVID-19 and the massive changes it brought to our daily lives, namely the lockdowns imposed by various governments, which require employees to work from home.

This work-from-home reality opens up a new avenue of risks for companies. Besides scammers often switching up their phishing email approaches to relate to COVID-19, employees who work from home are more susceptible to attacks from external parties because they are more inclined to use their personal network devices, which are less secure than the ones in the office and can be breached more easily.

Many employees haven’t been taught safe work-from-home cybersecurity practices, which can be used to close gaps in cybersecurity awareness. If employees feel their IT and security teams are distant, and perhaps too busy to solve their everyday problems and questions, your company will be one step further away from building Cyber Culture.

How to improve this behavior?

Employees must be taught how to avoid these new and updated cyber threats. Now, more than ever, your IT and security departments should implement an open-door policy (or open-schedule policy, in times of remote working) to encourage openness and transparency with employees when it comes to adopting cybersecurity-safe behaviors.

Even when employees are offered highly personalized and targeted training modules related to this new remote working reality, they might have questions and concerns that the IT and security departments could efficiently address. While cyber training will inform the employees on how to behave, leaving your schedule open for 1:1 sessions or scheduling weekly practice sessions of 15 minutes can help your team feel more comfortable sharing specific doubts about securing their home office environment.

5. Employees Keep Falling for Phishing Simulations

According to some recent data, one-fifth of employees fell for phishing emails that were part of cyber training. This shows that the level of cybersecurity awareness and training offered by organizations isn’t sufficient. If these were actual attacks, organizations would be in grave danger, as they could potentially lose plenty of valuable data.

How to improve this behavior?

The most straightforward solution would be to increase the frequency of cybersecurity training that the employees receive. But more than that, increasing the quality, customization, and efficiency of the training and guiding your employees on how to behave securely online could drastically reduce the scope for human error.

At Right-Hand, we apply bite-sized learning, customization, and gamification to help our companies build a positive Cyber Culture. By engaging employees in effective and meaningful training, your company will be one step ahead in driving employee behavior change towards cybersecurity.

Start building cyber culture today!
