We all know security is important. If you ask any employee of a company, they would most likely agree that keeping their company safe is important.
But how deep does that opinion go? Is it important to them? Do their subconscious actions reflect that?
When it comes to a company’s cybersecurity, we often start with tools, processes, and policy. Once we realize our people are the largest security vulnerability, we start to look toward training and security awareness.
This is great! But what we often leave on the table is how to make “security awareness” actually take effect, and move the company forward. We fail to tie awareness to culture and habits.
For example, I’m aware that a yellow traffic light means “slow down” but my habit is quite the opposite. I’m making that light.
Weird metaphors aside, hope is not lost for your company! While security awareness culture is paramount to avoiding a major breach, it’s quite attainable! Here’s how:
First you should understand that culture is not something you can command, direct, or mandate. Culture is not a policy.
Policy - What employees are told to do
Culture - How they actually behave
A cultural change happens on a subconscious level. If you can reach people’s subconscious, you can change their behavior. This is why security awareness for employees is important.
Let’s zoom out a bit.
Why are humans often the largest weakness in security?
Because people aren’t hardwired to recognize threats
Even if they want to keep their company safe, everyone is vulnerable to phishing attacks, social engineering, and manipulation by technology.
This is scary, and the natural tendency is to teach by exposing employees to the fear of phishing, but this approach is one of negativity.
Why The Old Training Model Doesn’t Work Anymore
The old way of training just doesn’t cut it these days. The threat landscape moves faster than ever before, and people learn, think and act differently now because of technology.The Old Training Model:
- Covers too much at once:
- Takes too long
- It’s disruptive
- Misaligned with cognitive recognition
This takes many forms, not just the classic hour-long training in the conference room
If training is intrusive, instills fear, or tries to solve everything at once, it does not contribute to a positive security culture.
How to Instill a Positive Security Culture in your Organization
Positivity is the number one approach we’ve discovered that contributes to culture. Scaring someone into a habit is an ounce as effective as encouraging and motivating someone to do the same.
There are four things you can do to accomplish this:
- Train Everyone - Culture comes from the top down
- Expect Mistakes - They are inevitable. How you react to them is everything
- Set Goals - Encourage employees and track progress
- Don’t Punish Mistakes - would you report a phishing email if you thought you could be fired?
Now that we have the foundation of a positive security culture, how do we change the way we train?
The New Training Model: Psychological Security Training
- 1-2 Key Takeaways: Rather than pack everything into one video or training experience, we focus on 1-2 things the employee can walk away fully understanding and caring about.
- Train Regularly: Keep the training short. Our target length for a training video is less than two minutes, preferably 90 seconds. If you have 1 key takeaway, it should take that long to make it resonate.
- Train in a Familiar Environment: Employees should be able to complete the training quickly and in their normal work environment. Training should contribute to productivity, not kill it.
- Tell Stories and Use Humor - This is our bread and butter. We use “edutainment” videos to train. Before the teaching moment occurs, employees get to have a laugh, get grossed out, or get entertained. Psychologically, this opens the brain up to be receptive to the information.
This approach is such a monumental shift from the old way of delivering security awareness training. From the phishing testing, to the training environment, to the training material itself, we’ve departed from old ways of thinking that protect the status quo.
This focus on people vs. information has led us to uncover what we think will become an entirely new vertical: Psychological Security.
By pioneering this new mind shift we were able to build our training experience from the ground up with people and their brains in mind.
This is the key to changing culture. Change minds.
Your employees CAN be trained to avoid manipulation by technology.
Not only will employees naturally keep the company safe because of pattern recognition of phishing attacks, but they’ll be excited to keep you safe because of the positivity, entertainment value, and humor that your new security-aware culture provides.
People become excited to spot and report real phishing emails.