This article is written by Paul Ponzeka, CTO at Abacus Group, and originally appeared in Forbes.
By one widely cited estimate, human error contributes to 95% of all cybersecurity incidents, which makes employees inevitably the weakest link in any organization's security chain. From falling for phishing emails to using a weak password or sharing sensitive data via unencrypted channels, even a small lapse in judgment can open the door to costly and disruptive attacks.
As a result, firms are increasingly prioritizing end-user cybersecurity training and awareness programs. Regulatory bodies are also stepping in to mandate these initiatives. In the U.K., for example, the Information Commissioner's Office (ICO) now expects all organizations to demonstrate completion of cyber awareness training by all new starters, ongoing training for all employees and management of non-attendees.
Organizations are realizing the need to build cybersecurity into the employee experience, but how many are delivering security education and awareness programs that truly connect with the daily responsibilities and experiences of their staff?
Often, cybersecurity training becomes just another checkbox-compliance exercise. Organizations give employees some brief PowerPoint presentations or the same dry instructional materials year after year—resulting in disengaged staff members who multitask or simply tune out while waiting for the end-of-training quiz.
As Gartner, Inc. noted in its top cybersecurity trends for 2023, human-centric security design is becoming an increasingly important factor in cybersecurity programs. Without a user-centric, role-based approach that focuses on the employees' perspectives and challenges and genuinely engages them, even the most well-thought-out cybersecurity training programs will ultimately fail to stick. Building a security-conscious culture then becomes much harder, leaving organizations more vulnerable to evolving cyber risks.
Cybersecurity is a constantly shifting picture. As technologies and applications evolve, new attack vectors keep emerging, and the policies and procedures that change in response add to the confusion for many end users. Security teams treat this as a continuous cycle of improvement and adaptation, but for employees, constant exposure to security warnings and policy rules at work means the information eventually blends into background noise.
What's more, some of the measures that organizations implement to mitigate cybersecurity risk may hinder productivity or even introduce new security vulnerabilities.
For example, a firm may introduce multifactor authentication (MFA) so that a phished password alone is no longer enough to log in. Most employees will gradually adapt to the new technology, but attackers adapt too: having obtained a password, they can trigger a barrage of push notifications in the hope that the user eventually approves one of the fraudulent login attempts (so-called MFA fatigue or push bombing). This constant game of whack-a-mole can be just as exasperating for employees as it is for security leaders. Push prompts that require number matching, or phishing-resistant factors such as hardware security keys, take the employee out of that guessing game entirely.
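The push-bombing pattern described above is also detectable on the security operations side. The following is an added example, not code from the article or from Abacus Group: it scans authentication log lines in a hypothetical `timestamp user event source_ip` format (the sample lines are constructed, with documentation-range IP addresses) and flags users who receive repeated denied or timed-out push prompts inside a sliding window, escalating the alert if an approval follows the burst. The event names, the window length and the threshold of three rejected prompts are assumptions to be tuned against a real identity provider's logs.

```python
"""Detect MFA push bombing (MFA fatigue) in authentication logs.

Added example. Log format is hypothetical:
    <ISO-8601 timestamp> <user> <event> <source_ip>
where event is push_approved, push_denied or push_timeout.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: bob is bombed and eventually approves, carol has two
# unrelated timeouts far apart, dave is bombed but never approves.
SAMPLE_LOG = """\
2024-03-04T08:00:01Z alice push_approved 203.0.113.10
2024-03-04T08:02:15Z bob push_denied 198.51.100.7
2024-03-04T08:02:50Z bob push_timeout 198.51.100.7
2024-03-04T08:03:20Z bob push_denied 198.51.100.7
2024-03-04T08:03:55Z bob push_denied 198.51.100.7
2024-03-04T08:04:30Z bob push_approved 198.51.100.7
2024-03-04T08:10:00Z carol push_timeout 192.0.2.44
2024-03-04T08:45:00Z carol push_timeout 192.0.2.44
2024-03-04T09:20:00Z carol push_approved 192.0.2.44
2024-03-04T09:30:00Z dave push_denied 203.0.113.99
2024-03-04T09:30:30Z dave push_denied 203.0.113.99
2024-03-04T09:31:00Z dave push_timeout 203.0.113.99
2024-03-04T09:31:40Z dave push_denied 203.0.113.99
2024-03-04T09:32:10Z dave push_timeout 203.0.113.99
"""

REJECTED = {"push_denied", "push_timeout"}  # prompts the user did not approve


def parse_log(text):
    """Parse log lines into dicts sorted by timestamp; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, event, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "event": event,
            "ip": ip,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_push_bombing(events, min_rejected=3, window=timedelta(minutes=10)):
    """Return {user: alert} for users with >= min_rejected rejected prompts
    inside a sliding window. Severity is 'medium' for the burst alone and
    'high' if the user approves a prompt while the burst is still in window,
    i.e. the fatigue attack probably succeeded."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = {}
    for user, evs in by_user.items():
        recent = []  # rejected prompts still inside the window
        for e in evs:
            # Slide the window forward: keep only rejections within `window` of now.
            recent = [r for r in recent if e["ts"] - r["ts"] <= window]
            if e["event"] in REJECTED:
                recent.append(e)
                if len(recent) >= min_rejected:
                    alert = alerts.setdefault(user, {
                        "user": user,
                        "severity": "medium",
                        "rejected": 0,
                        "approved_after": False,
                        "first": recent[0]["ts"],
                    })
                    alert["rejected"] = max(alert["rejected"], len(recent))
                    alert["last"] = e["ts"]
                    alert["source_ips"] = sorted({r["ip"] for r in recent})
            elif e["event"] == "push_approved" and len(recent) >= min_rejected:
                # An approval right after a burst of rejections is the success
                # condition the attacker is waiting for; the alert already exists
                # because the burst itself created it.
                alerts[user]["approved_after"] = True
                alerts[user]["severity"] = "high"
    return alerts


if __name__ == "__main__":
    for user, a in detect_push_bombing(parse_log(SAMPLE_LOG)).items():
        print(f"{a['severity'].upper():6} {user}: {a['rejected']} rejected prompts "
              f"from {a['source_ips']}, approved afterwards: {a['approved_after']}")
```

The window is deliberately short: a handful of denied prompts spread across a working day is normal user friction, while several inside ten minutes, followed by an approval from the same source address, is the signature of an attacker who already holds the password. Tune `min_rejected` and `window` to the baseline of denials your own identity provider produces before alerting on the medium-severity case.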
Cybersecurity also often conflicts with our natural human instinct to trust, urging us to adopt a more skeptical mindset. This can jar and tire staff members, particularly when they're already balancing the numerous demands of day-to-day business. As we're all more prone to making mistakes when stressed or weary, it comes as little surprise that security lapses can easily occur.
Security fatigue poses a significant challenge for both individuals and firms. To tackle this and reinvigorate staff vigilance, firms must put the human experience first. This includes providing employees with informative resources and leadership support.
Leadership teams can encourage employee involvement by actively promoting the significance of a cyber-conscious culture. They should adapt and implement engaging cybersecurity training programs that are tailored to specific job roles and responsibilities, empowering employees to effectively manage cybersecurity risks without overwhelming them.
It's not enough to schedule regular cybersecurity awareness sessions. Training must be compelling, interactive and relevant to employees and their daily tasks to facilitate better retention of knowledge. Learned security principles and practices can then become ingrained in everyday behavior, supporting the growth of a cyber-conscious culture across the organization.
Firms may choose to add the fun factor through gamified experiences, or they may use impactful storytelling to illustrate the far-reaching consequences of clicking on a phishing link. Simulated social engineering attacks can be particularly effective, as they closely mimic real-world scenarios. When employees experience these situations firsthand within a controlled environment, they gain a deeper understanding of the risks they may face in their day-to-day work, prompting them to adapt their behavior accordingly.
Empowering employees with knowledge and skills also boosts their confidence in recognizing and mitigating cybersecurity threats. The key is to incorporate modern, interactive and personalized training techniques that help users connect the dots between their actions and the overall security of the firm.
Organizations should constantly update training to reflect the evolving cybersecurity and regulatory landscape as well as employees' changing use of technology. Firms that rely solely on outdated web-based learning management systems to deliver their cybersecurity training will struggle to keep pace as phishing, impersonation and careless data sharing move into chat-based applications like Slack and Teams.
Crucially, organizations must proactively gather continuous feedback from the user population to ensure that all aspects of the program align with employees' specific needs, challenges and concerns. Organizations should also regularly report cybersecurity training progress to C-level executives to encourage business-wide awareness and accountability.
Within the many competing distractions and demands of day-to-day business, it can be tricky for organizations to balance employee productivity with the requirements of ongoing security training. However, firms must strike this balance. Cyber risk is a business risk, and any successful cyberattack can have devastating business impacts.
Firms must incorporate cybersecurity training into their security budget—carefully assessing areas of risk, determining appropriate time allocation and assigning dedicated personnel to ensure its effectiveness. They should also consider strategic partnerships with third-party providers that specialize in human-centric cybersecurity training to enhance the quality and effectiveness of their programs.
By putting the employee experience first, firms can tailor their security training to create customized, relevant and long-lasting teachable moments. This human-centric approach empowers employees to proactively strengthen their organization's cybersecurity and overall resilience. Firms investing in a multilayered security training program that considers these unique needs are taking crucial steps to build a strong and sustainable security-conscious culture.