Any run-of-the-mill security strategy typically has two parts. First, there’s the preventative side—installing firewalls and antivirus software, that sort of thing. And then there’s the reactive side—dealing with problems that come up and educating users about their mistakes.
Are both parts necessary? Absolutely. But there’s a big gap in between where breaches happen.
After all, if cybercriminals can’t hack their way through a company’s firewalls, they’ll go another way and manipulate users into giving them access to sensitive info.
To plug that gap, most companies turn to security awareness training to reinforce security from the inside out. The goal is to educate users about cyberthreats so they will recognize and avoid scams, phishing attacks, and their own unsafe behaviors.
Sounds important, right?
It is—but as soon as you announce mandatory security awareness training, you’ll inevitably get pushback from employees.
No one likes mandatory trainings, and saying, “Come on, just do it” doesn’t help. Instead, let’s look at where users are coming from and how you can reframe or adjust your security awareness training to get users on board.
“I don’t have time for this.”
We’re all busy. When you’re already working full tilt on critical projects, any mandatory training feels like a strain on your time, no matter how important it is.
What’s more, companies often pile all their security training into a once-a-year, hours-long course—often without easing employees’ workloads to compensate. Users are expected to fit in training around their already-full schedules. Can you blame them for feeling a little resentful?
Solution: Instead of explaining to employees exactly why security training is worth the sacrifice on their end, change your strategy. Try breaking up training into smaller, more manageable segments that people can fit into their schedules. Monthly lunch-and-learn trainings are just one example.
Even better, ditch your traditional annual training model and make security awareness training ongoing. You can decide what that means—whether it’s weekly mini-trainings that only take a few minutes or slightly longer trainings on a monthly basis.
Not only does this approach show employees that you care about the demands on their time, but it also helps people retain knowledge better than they would after an annual training.
“I can’t keep my eyes open.”
Did you ever have a teacher who lectured in monotone during every class period? It’s like he was trying to put you to sleep and keep you from learning anything.
No one enjoys lecture mode, so why use that approach for corporate trainings?
Again—security awareness training is important, but that’s not how your employees feel when watching someone read through a security training PowerPoint.
Solution: When designing your training, consider providing multimodal options (in-person, online, text-based, audio-based, etc.) that allow users to choose a method that works best for them.
If multimodal learning isn’t possible, try unconventional instruction. For instance, call for cybersecurity questions ahead of time to get employees invested in the training, or pair training with company-sponsored lunches, as suggested earlier.
Don’t be afraid to use games, humor, or incentives. Create a scavenger hunt to have users look out for security risks or host a game of cybersecurity Jeopardy. If you play your cards right, employees will still understand how serious a matter security is—and be more engaged in the training.
“I don’t need to know this.”
We’ve all been there, sitting through training that has nothing to do with our day-to-day responsibilities (while surreptitiously checking our phones every few minutes).
Face it: people working the front desk don’t need back-end IT security training, and part-time employees in the warehouse may not need intensive phishing training if they don’t have a company email address.
A one-size-fits-all approach doesn’t fit anyone. If employees don’t see the connection between cybersecurity and their roles, they won’t be engaged in the training. And don’t expect them to remember the information that was presented.
Solution: Make your training relevant to all employees, not just to one or two groups. Share recent examples of real-world security breaches, especially those in your industry. Remind users that data breaches can compromise their personal information and cost money and jobs.
To keep people engaged, tailor your security awareness training to address the most common threats users will encounter. Since phishing threats are most common, it’s good to follow up with a simulated phishing attack.
“I already know this” or “I’m totally overwhelmed by this.”
In a similar vein, nobody likes sitting in a training that’s well beneath their pay grade. Even in the face of important information, employees can miss those tips if they’re consumed with thoughts of what they need to work on next.
Also, users who are less tech-savvy can find security training downright stressful. Nobody wants to put corporate data at risk—but hearing over and over how employees are contributing to security risks can leave users more overwhelmed than empowered.
Solution: Know where your users are coming from so you can tailor security training to the scenarios they face every day. As mentioned earlier, not every role faces the same security risks.
Just getting started with security awareness training? Try these suggestions:
Begin with general instruction and then test your users with quizzes and/or phishing simulations. Consider asking for feedback, especially from those who pass assessments with flying colors. Maybe they can help design future ongoing training.
“I hate feeling stupid.”
Ever go overboard when you feel strongly about something? In your anxiety to underline the importance of your subject, you risk being seen as patronizing—which may not induce people to pay attention.
Yes, 95% of data breaches are caused by human error—but publicly calling out those errors may not improve behavior or company morale.
Solution: In your training, speak to employees as people. Cliché or no, everyone does make mistakes.
If you’re phishing users as part of your security training (and you should be), a little understanding and patience goes a long way when people make mistakes. Simply provide some remedial training and opportunities to improve.
Successful security awareness training treats users as partners, not liabilities. Done right, this training can help you build a more inclusive, united culture.
What good security awareness training can do
Let’s review. Just because some employees have preconceived ideas about companywide training doesn’t mean your security training can’t be effective.
If you listen to what your employees are saying and adjust your strategy accordingly, you can:
- Improve the company’s risk management outcomes
- Build a cyber-resilient workplace culture
- Maintain or improve your customers’ trust
- Save money and data, and improve employee retention
- Boost employees’ confidence and security savviness
Ready to take your security training game to the next level?
Check out our free eBook, The Ultimate Guide to Security Awareness Training, to dive into everything you need to know about creating a top-notch security training program.