By Matt Lindley, COO and CISO at NINJIO
As cyberattacks become increasingly frequent and destructive, cybersecurity education is no longer optional. When companies suffer a data breach, they're liable to lose millions of dollars and the trust of their customers overnight. Cyberattacks are especially crippling with so many companies in the middle of sweeping digital transformations, which open up a vast array of new attack vectors and leave companies scrambling to diagnose and respond to breaches long after they have taken place.
Companies need to be capable of identifying vulnerabilities quickly and taking proactive measures to address them. This begins with the development of an effective cybersecurity awareness training (CSAT) program, as human error and negligence constitute the most urgent threats to the integrity of your networks and systems. The most common mistake companies make in the development of their CSAT programs is the failure to recognize that there's no one-size-fits-all approach to cybersecurity training. Employees have different skill levels, personal circumstances, temperaments, and learning styles that all determine how they absorb and later retrieve information, as well as which cyberthreats they're prepared to handle.
Employees should be fully engaged with what they're learning, which requires lessons to be immediately applicable to their lives, built around their strengths and weaknesses, and capable of holding their attention. We've all been subjected to company-wide training content that makes us feel generic and expendable: content that's more likely to alienate employees than educate them. Let's examine a few of the ways companies can avoid this outcome by providing personalized CSAT that actually works.
Personalized and evidence-based cybersecurity training
Too many companies emphasize inputs instead of outputs when they implement a CSAT program. Inputs include the number of employees who took a training course or the open rate for an instructional email, while outputs would be employee performance on phishing tests, real-world incident reports, and other tangible evidence that training is working. The final goal of any successful training program is long-term behavioral change, and companies have to honestly assess whether they're making progress toward that goal.
One way to build a more effective CSAT program is to focus on personalization. A 2022 study on improving cybersecurity training suggests the application of personalized learning theory to account for "differences in learning styles, cognitive abilities and metacognition of individuals" and offer "tailored solutions optimized for each group of employees." The researchers cite an earlier study which demonstrated that students who received personalized learning made "greater progress over the course of two school years."
Personalized learning won't just help employees acquire and retain information; it will also give CISOs and other company leaders a more in-depth understanding of their cybersecurity assets and vulnerabilities. This can include everything from which specific cyberattacks will likely be most effective to which employee traits (such as curiosity or anxiety) pose the most significant security risks. When companies evaluate their cybersecurity performance on an individual basis, they'll be able to identify which employees are doing well, which ones are struggling, and how to allocate resources accordingly.
Evidence-based CSAT is vital at a time when companies are increasing their investments in cybersecurity and simultaneously trying to maintain healthy balance sheets.
Maximizing individual employee engagement
Your workforce is composed of busy professionals who are constantly trying to balance the demands of their jobs with a sprawling range of other responsibilities. If your CSAT program fails to capture employees' attention, you can be certain that plenty of other distractions are there to fill the vacuum.
Each time employees interact with a piece of training content, there's a narrow window to engage them, provide the information they need, and ultimately facilitate the adoption of healthy cybersecurity behaviors. This is why it's crucial to ensure that content is entertaining, concise, and directly relevant to the employee in question. For example, let's say an employee is about to start a project with several colleagues that will require significant time on Slack or some other cloud-based collaboration platform. Your training content could cover a real-world breach in which the attacker leveraged Slack, such as the 2022 Uber intrusion, where the intruder used socially engineered credentials to get inside and then announced the compromise in the company's own Slack workspace.
Personalized training can also focus on employees' specific roles and areas where their skills need reinforcement. This can open opportunities for dialogue and show employees that their opinions matter while giving CISOs and company leaders insight into the state of the company's cyber-preparedness.
Giving employees powerful incentives to learn
Companies have long approached workplace education as a reluctant necessity, from mundane onboarding videos that haven't been updated in a few years (or decades) to workplace conduct training that exists to limit the company's legal liability rather than genuinely improve its culture or teach employees. None of this educational content leads to sustainable behavioral change because it isn't designed to do so; it was merely created to check a box marked "training."
This status quo is a huge missed opportunity. A recent LinkedIn report found that the top driver of a great work culture is the availability of "opportunities to learn and grow," while employees report that one of their main motivations to learn is training content which is "personalized specifically for my interests and career goals." Similarly, Gallup's State of the Global Workplace Report found that companies which provide learning opportunities and encourage employees' personal development will improve the level of engagement among their workforces. These findings have clear behavioral implications: when employees feel like they have good reasons to learn, they'll find it easier to pay attention, retain critical information, and put it into practice.
There's a widespread misperception among employees that cybersecurity is too complicated or technical for them to grasp, but nothing could be further from the truth. Over 80 percent of breaches involve a human element (Verizon's 2022 Data Breach Investigations Report put the figure at 82 percent), and many of these incidents could be prevented with a personalized cybersecurity education program. When this fact is clear to employees, they will have a compelling reason to learn about the cybersecurity principles and behaviors that will keep the company safe.