If you still think your current efforts are enough, learn a lesson from Wipro. The internal IT systems of this IT outsourcing giant were hacked, and the adversaries then used Wipro’s systems to launch attacks against the firm’s own customers. How did its extensive security measures fail? They didn’t. Human nature did. An advanced phishing campaign targeting employees is to blame for the breach.
Don’t wait until an incident occurs to work on changing the ingrained cybersecurity habits of your employees. Guide your employees through one of the best-known approaches to change, the Stages of Change or Transtheoretical Model. Introduced in the late 1970s by researchers James Prochaska and Carlo DiClemente, the Stages of Change Model has been found to be an effective aid in understanding how people move through a change in behavior.
Carefully consider each stage outlined below when planning or re-evaluating the human element of your security program.
At this first stage, the Precontemplation Stage, think of your employees as blissfully unaware. They are in a state of comfort with their day-to-day operations and are not even considering that changes in their cybersecurity behaviors must occur. As an employer, you too may be blissfully unaware of the level of risky security behavior your employees are engaging in. The Precontemplation Stage is a great time to gain a baseline measurement of your human-element-related cybersecurity risk. One of the most effective and reliable ways to gain this baseline information is to launch a simulated phishing attack. You gain immediate insight into who opens the email, the attachment, the link, etc. If you are not already using PhishingReal, our phishing simulator, you can try a free demo.
The Contemplation Stage is all about raising awareness and shifting to an understanding that every employee has a role to play in the security of the company. Providing educational information, real and relatable security breach stories, and education on security best practices are great ways to help employees understand the importance of adopting new security-related behaviors. The most effective way to help employees understand the changes that must be made is to educate them using a variety of methods. Sharing your own company’s results from the baseline phishing campaign is a great way to kick off your efforts. Re-evaluate your own security policies to ensure you are meeting industry compliance and engaging in security measures that align with best practices and up-to-date recommendations. Communicate with employees regularly during this stage about all policy updates and changes, upcoming training, etc.
The Preparation Stage serves to convince employees of the advantages of changing their security-related behaviors. It is finally time to launch your security awareness training. Not only should your online training contain excellent content that aligns with best practices in security, but it should be highly interactive. Make sure it includes real-life situations and scenarios, interactive exercises and quizzes. To maximize your success, throughout the lifecycle of your training implementation, share related blogs and newsletters and post educational materials throughout the office.
During the Action Stage, your employees are well into the training. It is a great idea to launch another simulated phishing attack. You can use just-in-time learning to send susceptible employees directly and immediately to a customized landing page and training module. This is also a great time to introduce tools (such as PhishHook) and protocols that tell employees what to do if they suspect a fraudulent email. Throughout this phase you will see a shift in employees’ mindset from “security is the IT team’s responsibility” to “security is everyone’s responsibility”, as well as an overall improvement in security-related behaviors and attitudes. It is important to keep focus and momentum during this stage. Games, contests and incentives are great ways to encourage employees to take charge of their own learning.
Congratulations! Your employees have succeeded in establishing new security-related behaviors! But are these behaviors sustainable? A great way to measure the effectiveness of your efforts is to continue to launch sophisticated simulated phishing emails that vary in complexity. Another great way to measure your human-related vulnerabilities and security risks is to engage in a social engineering campaign. These evaluation efforts are very important to implement during the Maintenance Stage. By analyzing the results, you will be able to determine the scale of change, the effectiveness of your training, and your ROI.
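The baseline measurement in the Precontemplation Stage, the just-in-time follow-up in the Action Stage and the "scale of change" analysis in the Maintenance Stage all rest on the same numbers: how many distinct employees opened, clicked, submitted credentials to, or reported each simulated email. The script below is an added example of that analysis; it is not code from the original post and not part of PhishingReal or PhishHook. The event log, campaign names, departments and employee names are constructed sample data, and the four event types are an assumed layout for whatever your simulator exports.

```python
from collections import defaultdict

# Constructed sample event log from two simulated phishing campaigns.
# The data, campaign names and field layout are hypothetical, not real results.
# Each tuple: (campaign, employee, department, event)
# event is one of: opened, clicked, submitted, reported
EVENTS = [
    ("baseline", "alice", "finance", "opened"),
    ("baseline", "alice", "finance", "clicked"),
    ("baseline", "alice", "finance", "submitted"),
    ("baseline", "bob", "finance", "opened"),
    ("baseline", "bob", "finance", "clicked"),
    ("baseline", "carol", "engineering", "opened"),
    ("baseline", "dave", "engineering", "reported"),
    ("followup", "alice", "finance", "opened"),
    ("followup", "alice", "finance", "clicked"),
    ("followup", "bob", "finance", "opened"),
    ("followup", "bob", "finance", "reported"),
    ("followup", "carol", "engineering", "reported"),
    ("followup", "dave", "engineering", "reported"),
]

# Number of employees who received each simulated email (constructed).
RECIPIENTS = {"baseline": 4, "followup": 4}

METRICS = ("opened", "clicked", "submitted", "reported")


def campaign_rates(events, recipients):
    """Fraction of recipients who performed each action at least once, per campaign.

    Counting distinct employees rather than raw events means an employee who
    clicks the same link three times still counts as one susceptible person.
    """
    who = defaultdict(lambda: defaultdict(set))  # campaign -> metric -> employees
    for campaign, employee, _dept, event in events:
        who[campaign][event].add(employee)
    rates = {}
    for campaign, total in recipients.items():
        rates[campaign] = {
            m: (len(who[campaign][m]) / total if total else 0.0) for m in METRICS
        }
    return rates


def repeat_clickers(events, min_campaigns=2):
    """Employees who clicked in at least min_campaigns campaigns: the group that
    just-in-time training and a customized landing page should be aimed at."""
    clicks = defaultdict(set)  # employee -> campaigns in which they clicked
    for campaign, employee, _dept, event in events:
        if event == "clicked":
            clicks[employee].add(campaign)
    return {e for e, camps in clicks.items() if len(camps) >= min_campaigns}


def scale_of_change(rates, before, after, metric="clicked"):
    """Relative reduction in a metric between two campaigns (0.5 = halved,
    negative = the metric went up, which is what you want for 'reported').

    Returns None when the baseline rate is zero, since a reduction from zero is
    undefined and would otherwise divide by zero.
    """
    b, a = rates[before][metric], rates[after][metric]
    if b == 0:
        return None
    return (b - a) / b


def department_click_rates(events, campaign, recipients_by_dept):
    """Click rate per department for one campaign, to see where training
    should be concentrated. recipients_by_dept maps department -> headcount."""
    clicked = defaultdict(set)
    for camp, employee, dept, event in events:
        if camp == campaign and event == "clicked":
            clicked[dept].add(employee)
    return {d: len(clicked[d]) / n for d, n in recipients_by_dept.items() if n}


if __name__ == "__main__":
    rates = campaign_rates(EVENTS, RECIPIENTS)
    for campaign, r in rates.items():
        print(campaign, {m: f"{v:.0%}" for m, v in r.items()})
    print("repeat clickers:", repeat_clickers(EVENTS))
    print("click-rate reduction:", scale_of_change(rates, "baseline", "followup"))
    print("baseline clicks by dept:",
          department_click_rates(EVENTS, "baseline", {"finance": 2, "engineering": 2}))
```

Two design points matter when you compare campaigns this way. Rates are computed over distinct employees and over the number of recipients, not over raw events, so a single person who clicks repeatedly does not inflate the figure. And the "reported" rate is tracked alongside the click rate, because a rising report rate with a falling click rate is the clearest sign that the mindset shift described above is actually happening.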
It’s through repetition of each step that you will see measurable and sustainable change in your employees’ behaviors.