- Christopher Dale, Content Marketing Manager, ThriveDX's Enterprise Division
By now most of us understand that employees are cybersecurity’s weakest link and biggest attack vector – those online criminals are targeting specific people within organizations with access to sensitive data – instead of traditional perimeter defenses. Yet increasing employee engagement in both security awareness training and application security (AppSec) training still too often meets foot-dragging, procrastination, and collective eyerolls – when it’s even offered.
In 2021 businesses lost a staggering $7 billion due to cyberattacks and insider threats. Per usual, these breaches can be traced to a single employee – usually unwittingly – clicking on the malicious email and ushering in a torrent of trojan horses into his or her company.
Six Ways to Increase Employee Engagement in Security Training
In 2021 the FBI’s Internet Crime Complaint Center (IC3) fielded a record 847,376 reported complaints – a 7 percent increase from 2020. Potential losses exceeded $6.9 billion. Once again, ransomware and business email compromise (BEC) attacks led the way. For the first time ever the criminal use of cryptocurrency joined the top three incidents reported. BEC schemes alone resulted in 19,954 complaints totaling $2.4 billion.
This begs the question: How can something so potentially costly to businesses not carry greater urgency within organizations? Why are so many blowing it off, or being otherwise unserious when it comes to implementing security training?
1. Make it Matter, Make it Believable
Some version of “this is cheesy,” “we already know this” and “not a thing that would happen in real life” have been overheard somewhere during security training. While most employees understand they are the weak link cyber-wise, not every employee knows what to do with this information. They have heard lots of fear mongering, but far fewer solutions. Tell them what they don’t already know. Communicate something of value. Instead of sowing fear, uncertainty and doubt, practice empathy and understanding for the position they are in and show vision for what they are likely to encounter.
In other words, make your security awareness training believable and inspired by real-life attacks. Use actual web pages they are likely to run across in your examples. SQL injection attacks don’t happen on login pages, but they might happen in checkout pages. They are even more likely to happen in random, semi-arcane places. Use these as your examples, so that your audience knows that you know what you’re talking about. Teach them to identify, disable and quarantine attacks before they become expensive problems.
For example, ThriveDX recently acquired Kontra which provides application security training aimed squarely at developers. Whereas normally developers find bugs and report them, Kontra teaches them instead how to identify and fix security vulnerabilities and other bugs in real time, saving four or more weeks on the next rev.
2. Practice Radical Candor
Acknowledge up front that security training is nobody’s first choice in time management. We get it. At the same time, people generally agree that having jobs is a good thing. If a company falls victim to ransomware, one person’s carelessness could end up costing dozens of people their careers, if not the business itself. So of course, cybersecurity awareness training and AppSec training is going to be mandatory. Let’s make the most of it, shall we?
3. One Size Does Not Fit All
Not all employees are equal. Some are more likely to be attacked than others. Acknowledging up front you understand this basic truth should increase employee engagement. Specifically, people with privileged access to sensitive data are much likelier to be targeted. Your training should account for these human heightened risks by separating them off from the group and walking them through the most likely scenarios they might encounter.
4. Tighten It Up
Why spend 20 minutes making a point you can convey in five? People are smarter than you think. Approach training like it’s not their first day with a computer and an internet connection. By now most folks have a general understanding of what threats await them after making bonehead decisions online. What they do not have is a lot of time.
Gyan Chawdhary is founder and CEO of Kontra, which he calls Application Security Training by developers, for developers. “Nobody has time for security training…least of all, developers,” said Chawdhary. “That’s why one of our key differentiators is that every part of our training runs five minutes, max.”
5. Tell A Story
In addition to showing an attack and how to fix it, include a narrative. Tell an interactive story of real-life attacks. Many devs are curious as to how attackers found this bug in the first place. What tools did they use? What code were they looking for? How did this security vulnerability come to be discovered? Kontra shows them this back story and walks them through the steps from the perspective of a cybercriminal. It shows them a hacker’s tricks. Square that circle, and good code follows.
6. Scale your content by integrating w/ other LMS software
All too often both security awareness training and application security training are standalone courses sitting outside of a company’s Learning Management Software (LMS). This effectively means you can assign training without enforcing any compliance. If developers are writing code while AppSec Training runs in the background, how would you know, and what could you even do about it?
The other problem is many times security training will force companies to adopt their LMS systems, in order to give the companies visibility into employee compliance. This presents several problems. First of all, why would a developer want to login to yet another system in addition to their own LMS to complete training? This also gets at the fact that many enterprise LMS systems are much more sophisticated and complex than anything offered by cybersecurity training. While an organization might gain some enforcement and compliance capabilities, they’ll more than lose in overall functionality.
A final word on increasing engagement
There is no silver bullet to getting everyone to expert level in combating today’s threat landscape. Ultimately it comes down to how much organizations value a security-conversant workforce and strive to implement the above tips. Making the content shorter, more relevant, and more customized should significantly increase employee engagement in security training – ultimately saving the company money in the form of attacks that never happened. Who knows, you might even discover upskillable employees to add to your security team.
For more information on ThriveDX’s enterprise security training programs, please visit us at https://thrivedx.com
Christopher Dale is the content marketing manager for ThriveDX’s Enterprise Division. He has worked in the cybersecurity field for almost 14 years in PR, social media and content development roles for a range of companies including ESET, Forcepoint, Cylance (Blackberry) and Proofpoint. He holds Bachelor of Arts degrees in Political Science and Rhetoric & Communication from the University of California, Davis.
Protect Your Organization from Phishing
Explore More Resources
- Article, Blog
- Article, Blog
- Article, Blog
- Article, Blog
Your Trusted Source for Cyber Education
Sign up for ThriveDX's quarterly newsletter to receive information on the latest cybersecurity trends, expert takes, security news, and free resources.