By now most of us understand that employees are cybersecurity’s weakest link and biggest attack vector: online criminals target specific people within organizations who have access to sensitive data, rather than traditional perimeter defenses. Yet increasing employee engagement in both security awareness training and application security (AppSec) training still too often meets foot-dragging, procrastination, and collective eyerolls – when it’s even offered.
In 2021 businesses lost a staggering $7 billion due to cyberattacks and insider threats. As usual, these breaches can be traced to a single employee, usually unwittingly, clicking on a malicious email and ushering a torrent of trojan horses into his or her company.
Six Ways to Increase Employee Engagement in Security Training
In 2021 the FBI’s Internet Crime Complaint Center (IC3) fielded a record 847,376 reported complaints – a 7 percent increase from 2020. Potential losses exceeded $6.9 billion. Once again, ransomware and business email compromise (BEC) attacks led the way. For the first time ever the criminal use of cryptocurrency joined the top three incidents reported. BEC schemes alone resulted in 19,954 complaints totaling $2.4 billion.
This raises the question: How can something so potentially costly to businesses not carry greater urgency within organizations? Why are so many blowing it off, or being otherwise unserious, when it comes to implementing security training?
- Make it Matter, Make it Believable
Some versions of “this is cheesy,” “we already know this” and “not a thing that would happen in real life” have been overheard somewhere during security training. While most employees understand they are the weak link cyber-wise, not every employee knows what to do with this information. They have heard lots of fear mongering, but far fewer solutions. Tell them what they don’t already know. Communicate something of value. Instead of sowing fear, uncertainty and doubt, practice empathy and understanding for the position they are in and show vision for what they are likely to encounter.
In other words, make your security awareness training believable and inspired by real-life attacks. Use actual web pages they are likely to run across in your examples. SQL injection attacks don’t happen on login pages, but they might happen in checkout pages. They are even more likely to happen in random, semi-arcane places. Use these as your examples, so that your audience knows that you know what you’re talking about. Teach them to identify, disable and quarantine attacks before they become expensive problems.
For example, ThriveDX recently acquired Kontra which provides application security training aimed squarely at developers. Whereas normally developers find bugs and report them, Kontra teaches them instead how to identify and fix security vulnerabilities and other bugs in real time, saving four or more weeks on the next rev.
- Practice Radical Candor
Acknowledge up front that security training is nobody’s first choice in time management. We get it. At the same time, people generally agree that having jobs is a good thing. If a company falls victim to ransomware, one person’s carelessness could end up costing dozens of people their careers, if not the business itself. So of course, cybersecurity awareness training and AppSec training is going to be mandatory. Let’s make the most of it, shall we?
- One Size Does Not Fit All
Not all employees are equal. Some are more likely to be attacked than others. Acknowledging up front that you understand this basic truth should increase employee engagement. Specifically, people with privileged access to sensitive data are much likelier to be targeted. Your training should account for these heightened human risks by separating those people from the rest of the group and walking them through the scenarios they are most likely to encounter.
- Tighten It Up
Why spend 20 minutes making a point you can convey in five? People are smarter than you think. Approach training like it’s not their first day with a computer and an internet connection. By now most folks have a general understanding of what threats await them after making bonehead decisions online. What they do not have is a lot of time.
Gyan Chawdhary is the founder and CEO of Kontra, which he calls Application Security Training by developers, for developers. “Nobody has time for security training…least of all, developers,” said Chawdhary. “That’s why one of our key differentiators is that every part of our training runs five minutes, max.”
- Tell A Story
In addition to showing an attack and how to fix it, include a narrative. Tell an interactive story of real-life attacks. Many devs are curious as to how attackers found this bug in the first place. What tools did they use? What code were they looking for? How did this security vulnerability come to be discovered? Kontra shows them this back story and walks them through the steps from the perspective of a cybercriminal. It shows them a hacker’s tricks. Square that circle, and good code follows.
- Scale your content by integrating with other LMS software
All too often both security awareness training and application security training are standalone courses sitting outside of a company’s Learning Management Software (LMS). This effectively means you can assign training without enforcing any compliance. If developers are writing code while AppSec Training runs in the background, how would you know, and what could you even do about it?
The other problem is that security training vendors will often force companies to adopt the vendor’s own LMS in order to give the companies visibility into employee compliance. This presents several problems. First of all, why would a developer want to log in to yet another system, in addition to their own LMS, to complete the training? This also gets at the fact that many enterprise LMS systems are much more sophisticated and complex than anything offered by cybersecurity training vendors. While an organization might gain some enforcement and compliance capabilities, it will lose more than that in overall functionality.
A final word on increasing engagement
There is no silver bullet to getting everyone to expert level in combating today’s threat landscape. Ultimately it comes down to how much organizations value a security-conversant workforce and strive to implement the above tips. Making the content shorter, more relevant, and more customized should significantly increase employee engagement in security training – ultimately saving the company money in the form of attacks that never happened. Who knows, you might even discover upskillable employees to add to your security team.
Written by Christopher Dale, Content Marketing Manager, ThriveDX, 8 September 2022
About DT Asia
DT Asia began in 2007 with a clear mission to build the market entry for various pioneering IT security solutions from the US, Europe and Israel.
Today, DT Asia is a regional, value-added distributor of cybersecurity solutions providing cutting-edge technologies to key government organisations and top private sector clients including global banks and Fortune 500 companies. We have offices and partners around the Asia Pacific to better understand the markets and deliver localised solutions.