Cyber threats are becoming more common and costly. A hacker only needs to wait for someone to have a moment of weakness and open a malicious attachment that exploits a technical vulnerability. However, organisations increasingly trust technology-based solutions to combat these growing risks instead of training employees to be more aware of the risks and to recognise red flags. Furthermore, employers tend to see employees as liabilities rather than assets, when, given proper security awareness training, they can be part of a more robust solution.
The wrong way to teach security awareness
There is a right and a wrong way to train cyber security awareness. The wrong way is to conduct training once or twice a year, gathering employees into a room and subjecting them to a PowerPoint. This method treats your employees as a passive audience and fails to engage them. Poor security training is more a punishment than an opportunity to teach and inspire employees.
The wrong way also reflects a one-size-fits-all mindset: it does not recognise that your employees have different strengths and abilities and respond differently to a range of learning methods. Furthermore, your employees have varying security awareness needs depending on their role and level of access to sensitive information. Lastly, measuring the success of this breakout-session approach by attendance instead of content retention and behaviour change is flawed.
These poor methods tend to yield little improvement in behaviour. As a result, senior executives tend to dismiss the whole field of security awareness training rather than question the methods.
The right way to teach security awareness
Good security awareness training involves parcelling out digestible portions that gradually expose employees to content with greater frequency and variety, which has a more significant impact. Furthermore, interactive and role-based training feels more relevant and worthwhile to employees. Also, because the security training is challenging, it engages their minds and memories more effectively.
Make sure you evaluate the organisational culture and adjust the messaging appropriately. For example, a corporate environment that expects employees to follow simple instructions without questioning how the task fits into a broader context might find it harder to modify employee behaviour than a culture that promotes cooperation and critical thinking and recognises the value of getting managerial and staff buy-in for a new initiative.
How to change employee behaviour to protect them against social engineering
The primary goal of security awareness education is to modify employee behaviour so that they do not fall for social engineering. Social engineering is manipulating, influencing or deceiving somebody to take action that is not in their or their organisation’s best interest. For example, phishing or spear-phishing is when someone uses phone, email, postal service or direct contact to trick someone into doing something harmful.
Interactive computer-based training is a central component of a comprehensive security education and behaviour management program.
The main aim of social engineering schemes is to get somebody to click on a hyperlink or open an attachment sent in an email that allows the hacker to access the device. Even educating someone that the only file safe to open is a .txt file could make all the difference. Furthermore, regularly providing short three- or four-question quizzes helps employees review and reinforce their understanding. Completing the quiz successfully also provides positive reinforcement and encourages motivation and trust in the course.
Human beings are the organisation’s last layer of defence. Security awareness training demonstrates how susceptible they are to social engineering, which is the most significant security risk in the coming decade.
Training exercises that put the trainee in different scenarios, like someone who just got hacked, will engage their senses.
These exercises teach employees to carefully check all the details in an email for telltale signs of potentially malicious content: for example, a misspelled from address, a hyperlink whose destination differs from the address it displays, or an email that threatens a negative consequence if you do not complete an action.
Teach your employees that dangerous emails often appear to come from a reputable organisation or from someone you know and trust in your organisation, so they must think before clicking.
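As an added illustration for training material (not code from the original article), the following checker flags the three signs listed above in a constructed sample message: a sender domain one character away from a trusted one, a link whose displayed address disagrees with its destination, and pressure language. The trusted-domain list, the phrase list and all addresses are assumptions for the demonstration.

```python
import email
import re
from email import policy

# Constructed sample messages for this demonstration; all addresses and domains are placeholders.
SAMPLE_EMAIL = """\
From: IT Helpdesk <helpdesk@examp1e.com>
Subject: Action required
Content-Type: text/html

<p>Your account will be suspended unless you verify within 24 hours.</p>
<p>Log in at <a href="http://verify-portal.example.net/x">https://portal.example.com</a></p>
"""
CLEAN_EMAIL = """\
From: Payroll <payroll@example.com>
Subject: Payslips published
Content-Type: text/html

<p>This month's payslips are on <a href="https://portal.example.com/pay">https://portal.example.com/pay</a>.</p>
"""
TRUSTED_DOMAINS = {"example.com"}  # assumed: the organisation's own mail domains
URGENCY = ("will be suspended", "within 24 hours", "immediately", "final notice")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S)  # adequate for the sample HTML

def host_of(url):
    """Hostname of an http(s) URL, or '' if the text is not a URL."""
    m = re.match(r"https?://([^/:?#]+)", url.strip())
    return m.group(1).lower() if m else ""

def lookalike(domain, trusted):
    """True when domain is exactly one substituted character away from a trusted domain."""
    return any(len(domain) == len(t) and sum(a != b for a, b in zip(domain, t)) == 1
               for t in trusted)

def red_flags(raw):
    """Return (kind, detail) pairs for the three warning signs the article lists."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    sender = msg["from"].addresses[0].domain.lower()
    if sender not in TRUSTED_DOMAINS and lookalike(sender, TRUSTED_DOMAINS):
        flags.append(("sender", f"{sender} is one character away from a trusted domain"))
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    for href, text in ANCHOR.findall(body):
        shown, real = host_of(text), host_of(href)
        if shown and shown != real:  # displayed URL and real destination disagree
            flags.append(("link", f"shows {shown} but points to {real}"))
    flags += [("urgency", phrase) for phrase in URGENCY if phrase in body.lower()]
    return flags
```

Running `red_flags(SAMPLE_EMAIL)` yields a sender, a link and two urgency findings, while `CLEAN_EMAIL` yields none; the same findings are what a trainee should be able to spot by eye.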
Using simulated phishing attacks helps people learn and change their reflexes. Make these emails easy to spot at first and then gradually harder to spot, to prepare all your employees for all kinds of phishing attacks.
The key is to repeat variations of the exercise so that the trainees have a chance to fail in a safe environment and then learn from their behaviour. However, it is equally crucial for them to achieve success to show them they can detect a phishing attempt and report it correctly.
How to change organisational culture
You cannot change behaviour in an organisation without continuous reinforcement, for example regularly repeated training and phishing simulation tests.
Regular training stimulates and reinforces behavioural patterns with immediate feedback when an employee succeeds. Furthermore, regular security training ensures new starters get the same amount of security training.
Without regular testing, behaviour drifts. For example, seasonal circumstances could encourage an employee to be lazy.
It takes two months to form a habit, whether that is positive or negative.
Security education is also an opportunity to strengthen communications within an organisation. Establishing clear procedures for suspicious emails, such as reporting them immediately to the IT department, helps recondition employee behaviour.
To help retain employee reflexes in combating social engineering, it is imperative that you get managers to respond to training results in a constructive and nurturing way.
For example, if someone fails a few times, it is important not to penalise them because they are only human. Falling for these lures is natural human behaviour, and we test for it precisely because it needs changing.
Instead, encourage people to take security as self-interest, for example, protecting their own data or wanting to do the right thing for the organisation. Lastly, turn employee mistakes into teaching moments that strengthen the organisation’s last layer of security.
- Be realistic about what you can achieve in the short term and optimistic about the long-term payoff.
- Plan like a marketer and test like an attacker.
- View awareness through the vision of organisational culture.
- Leverage behaviour management principles to help shape good security hygiene.
- Have a vision of what good looks like for your organisation.
Changing employee behaviour to be less susceptible to social engineering requires a consistent and repeatable approach to security education. Implementing security awareness training well engages users and moves their natural reflexes from being unaware to being proactive and competent in identifying potentially hazardous social engineering tactics. Successful behavioural change starts with clear communication to employees on why security education is crucial and aligns with an organisation’s unique culture and workplace dynamics. Rolling out a realistic security awareness training program will empower users to protect themselves and be part of the solution in fortifying an organisation’s last layer of security.