Five mistakes that turn corporate security awareness into a waste

The true purpose of security awareness training is not to raise awareness, but to change an employee’s behavior online.
By: Maxim Frolov | May 22, 2019


About the Author
Maxim Frolov is the Vice-President of Global Sales at Kaspersky Lab.

More than half of businesses consider employees to be the weakest link in corporate cybersecurity, as their actions may put company data and systems at risk. As such, they invest heavily in educating them on basic IT security skills.

Despite this, some businesses may be skeptical about training staff on cybersecurity. Some think people, aware of the potential threats or not, will always make mistakes.

However, the true purpose of security awareness training is not to raise awareness, but to change an employee’s behavior online.

Drawing on more than 20 years of researching cyberthreats and providing cybersecurity services aimed at eliminating ‘the human factor’ in cybersecurity, we have identified five educational pitfalls that can make cybersecurity training ineffective.


Inefficient format

Corporate learning and development may come in different forms: a lecture from another employee, a talk by an external speaker, or a computer-based course. Companies should choose a format that is proven to be effective for building the particular skillset they want.

A tedious lecture is not suitable for a training course aimed at improving employees’ practical cybersecurity skills. An online format lets a course combine a range of content (video, text, tests) and add gamification elements that make lessons more interesting.

This interactivity also makes a cybersecurity course attractive and engaging, and allows workers to progress at their own pace and spend more time on especially complicated topics.


The same qualification for all job roles

Many believe that cybersecurity is everyone’s responsibility. As such, businesses may want to introduce obligatory security awareness training, aiming to transform every employee into a cybersecurity pro.

Nonetheless, a security awareness training course should be tailored to the systems and information employees have access to. The higher the risk, the higher the education level should be.

Teaching employees things they never deal with, especially at work, is not cost-effective. Everyone should know how to identify obvious malicious websites.

Personnel with access to sensitive information and business-critical systems should be given a more advanced course, covering topics such as recognizing personalized fake emails.


Information overload

Security awareness training is often designed to cover all important topics at once. However, this format does little to change behavior, as it is unlikely that all the information will be absorbed.

Content is best remembered when it is delivered in bite-sized modules, as it is less likely to blur into a huge chunk of information.

If a short lesson is devoted to a single topic and offers a reasonable number of takeaways, people are more likely to remember how they should react to a particular threat.


Lack of practice and repetition

There is often good content in the training, but it is not internalised as it should be, due to a lack of repetition. Reinforcing important concepts is the cornerstone of translating awareness into action.

Security training courses are often taken by uninspired audiences who might listen to instructions but are unmotivated to learn and commit them to memory.

Companies should implement courses that make topics easy to remember and emphasize the most critical aspects several times.


Lack of real-life relevance

The obvious way to tackle employees’ lack of awareness may seem to be raising their awareness and understanding of general cybersecurity rules. Unfortunately, when the aim is to change behavior for the better, this will not work.

The majority of employees do not have a security or general IT background. They may not understand how to keep applications updated, or why they should be careful when opening suspicious attachments.

To get the message across, learning content should simulate situations an employee could actually face, such as working with email or looking for a site from which to download their favorite series.

Successful cybersecurity training must be conducted so that it not only covers all the essential topics but is also easy to understand and memorize. This will most likely result in fewer mistakes and stronger overall security.