Let’s face it: the term “Security Awareness Training” has most people’s eyes glazing over on sight. For some, those words even bring back memories of past failed attempts at shifting how employees view their role in security. They are often a stark reminder of money wasted on programs never launched or never used to their full potential. Just think about the word awareness alone for a moment. Can you recall a time when simply being aware of consequences, or of a better way to perform a task, led to long-term behavior change? Likely, the answer is no, because research has shown time and time again that awareness alone is not the catalyst for behavior change. Awareness is a critical part of the process but largely ineffective when treated as the be-all and end-all.
I don’t want anyone to misconstrue the message here. Security Awareness Training is a vital component of an overall security program and, depending on the industry, a requirement of government regulatory guidelines. So, the questions become – how do you choose a Security Awareness Training program, and how do you use the training to elicit behavior change in your employees? In other words, how do you leverage the training to move beyond awareness to behavior change? To accomplish this, we must first have a basic understanding of how behavior is successfully changed.
The Elements of Behavior Change
Change does not come easy, and getting an entire staff (or at least most of them) to adopt new behaviors when it comes to their security practices is no easy feat. Fortunately, there are countless bodies of research explaining how people can effectively adopt and sustain new behavior. Many of the techniques discussed in this article are the same techniques used by psychologists, teachers, and physicians to help people achieve their goals.
To succeed, you will first need to address the three most significant elements in behavior change.
Readiness to Change
Start by giving your team the resources and knowledge they need to make a lasting change. Choosing the right training solution is vital, but so is choosing the right company. Think of it in these terms: have you ever bought an amazing training platform, very engaging with a lot of 'wow factor,' but had no way to manage its deployment? After the purchase, was the company largely hands-off and non-responsive? Or is your training approach lackluster, non-engaging, and only done once or twice per year?
Initial analysis of your whole team to determine your needs and readiness levels is a crucial part of the process that you should not overlook. Request training module demos and talk to your potential training provider about their deployment process, managed services, and supplemental materials. Do not be afraid to ask for references from similar companies they have worked with. Also, be sure to ask if they have supplemental materials available to help increase readiness levels, such as posters or assistance with security awareness email campaigns to send to employees.
The overarching goal at this stage is to increase your employees’ knowledge of the important role they play in the security of the company. This should be done in numerous ways, both formal (e.g., policies) and informal (posters, emails, etc.). One size rarely fits all, so shop around to find the best fit for your training needs.
Barriers to Change
What is preventing the shift to a security-minded culture in your workplace? That can be a difficult question to answer. After all, we know that human error causes 95% of breaches. That tells us we have a behavior change issue when it comes to our employees’ security practices. The old mindset was that security is IT’s job. Considering this, is there a lack of understanding regarding the role employees play in security? Is it that they don’t think a security incident will ever happen? Or is it that they are overwhelmed and feel too busy to fit in another task? Whatever the case may be, you can overcome it, and you absolutely should before the rollout of your training.
Send a survey out to your employees to help accurately identify your unique barriers. Next, build a small team to develop strategies to address your specific barriers. Be sure you are working with a security awareness training provider who is willing to help you address these barriers before training deployment should you need assistance.
Plan to Address Relapse
Are there times or circumstances that could trigger a return to former behavior? How will you know if/when an employee has a relapse in their security-related behaviors? The best way to gauge this behavior is through simulated phishing exercises. Did you know that 97% of people around the world cannot identify a sophisticated phishing email?
That is a scary statistic considering 91% of cyberattacks begin with a phishing email.
Phishing attacks are a form of social engineering that preys on human nature and our natural behaviors. To prevent or address relapse, your company should regularly engage employees in phishing exercises. Those who require reinforcement can then be assigned appropriate courses for remediation. Additionally, it is beneficial to expose employees to security-related materials on an ongoing, regular basis, including print materials, posters, articles, blogs, etc.
Summing it All Up
When it comes to changing the security behaviors of your employees, there is no one-size-fits-all solution. Understanding the elements of behavior change and mapping out how to effectively address each one is a powerful way to help you achieve and maintain your security goals. When looking for a training solution, keep in mind that it should include robust analytics features. Not only will you be able to track and measure the success of your training approach, but you will also be able to provide valuable ROI information to leaders and stakeholders.
Employees are your greatest asset but also represent your greatest vulnerability when it comes to security defenses. Do your research and seek to work with a company that has the right tools and managed services to help you and your employees navigate through changing security-related behaviors. Finding the right company to work with is a huge factor in determining whether you will increase awareness and change behaviors.
If you’re interested in learning more about how TechGuard’s Security Awareness Training program can help you foster a security-minded culture in your organization, contact us today.
Written by Elizabeth Dasenbrock
Elizabeth Dasenbrock is a marketer/graphic designer whose mission has always been to creatively express stories and ideas. Her skill set allows her to convey concepts to particular audiences in a visually appealing way. At TechGuard, she works on the marketing team with a focus on graphic design. In her free time, she can usually be found working on personal creative projects, tending to her houseplants, or spending time with friends and family.