October 26, 2023 By Mike Elgan 3 min read

Early to a meeting, an employee decides to check direct messages on their favorite social network.

Uh, oh. A message from the social network’s security team says their account has been hacked. They’ll need to click on the link to reset their password.

You know the rest of the story. The link goes to a fake website from which a malicious payload is downloaded. Once running on the employee’s laptop, it creates havoc on the network.

Despite regular cybersecurity awareness training, employees still compromise security by falling for social engineering attacks. Unfortunately, these attacks compose the vast majority of cyberattacks. And the reason for that is clear: people are vulnerable to being tricked. Human nature is no match for the ever-evolving cyberattack landscape. To make things worse, cyberattackers are increasingly using advanced technologies like synthetic media and artificial intelligence (AI) to accelerate the growing sophistication of social engineering attacks.

Sure, cybersecurity training helps. It can produce real change in the behavior of a majority of employees. But for many staff members, the change is temporary and partial. So here’s what a lot of training often gets wrong, and more importantly, how to get it right.

Why training fails

The essential problem is that cyberattack techniques that exploit human decision-making evolve faster than our thinking about how to effect change in the behavior of employees. It’s time to change faster.

Here are some great ideas about how to make cybersecurity training much more effective:

  1. Personalize. Instead of exposing all staff to the same general curricula, divide employees into smaller groups based on knowledge levels and organizational roles. Develop exercises and training content that resonate with each group, so they can relate to the material and better apply it to their everyday work.
  2. Empathize. Make it clear that people who fall for social engineering attacks aren’t stupid. They’re just not following the right protocols.
  3. Update. Take specific attack examples from the news, and use the latest major attacks in each example. Hypotheticals often fail to resonate — but telling a real example with real outcomes to real businesses that happened recently has a bigger psychological impact.
  4. Entertain. Eyes glaze over with boring training content, and attention shuts down. Make training fun, interesting and colorful. Gamify training, use video-based course material, role-playing, phishing simulation and make it interactive. Use rewards, competitions, leaderboards and other techniques that engage employees.
  5. Multiply. Forget about annual training sessions. You should be revisiting each employee’s cybersecurity training at least quarterly, with the addition of other reminders and exercises tossed in for good measure.
  6. Evaluate. Avoid just holding training sessions and hoping for the best. Make sure you follow up on which parts were effective and which were not, and constantly tweak and improve how you do it.
  7. Streamline. One major reason employees fail to act on their cybersecurity training is that they believe using approved software or accepted techniques gets in the way of productivity. Cybersecurity practices are often seen as a barrier to working efficiently, so employees might break the rules, take shortcuts or use unapproved applications or devices to “route around” the problem of security. So it’s a great idea to understand the situations where this is occurring and figure out how to streamline processes so employees are both productive and secure. In other words, work to improve the ease of use for security-safe practices.
  8. Enculturate. Create a much larger culture of cybersecurity within your organization. Define and communicate a mission that clearly establishes success metrics. Get leadership buy-in, and make sure all executives understand the costs and benefits of better cybersecurity. Partner with, rather than dictate to, employees so they’re part of the solution and not treated like they’re the problem. Clarify and over-communicate.

If employees are the weakest link in the chain of security, then it’s time to strengthen them through much better cybersecurity training practices.

More from Risk Management

Operationalize cyber risk quantification for smart security

4 min read - Organizations constantly face new tactics from cyber criminals who aim to compromise their most valuable assets. Yet despite evolving techniques, many security leaders still rely on subjective terms, such as low, medium and high, to communicate and manage cyber risk. These vague terms do not convey the necessary detail or insight to produce actionable outcomes that accurately identify, measure, manage and communicate cyber risks. As a result, executives and board members remain uninformed and ill-prepared to manage organizational risk effectively.…

The evolution of ransomware: Lessons for the future

5 min read - Ransomware has been part of the cyber crime ecosystem since the late 1980s and remains a major threat in the cyber landscape today. Evolving ransomware attacks are becoming increasingly more sophisticated as threat actors leverage vulnerabilities, social engineering and insider threats. While the future of ransomware is full of unknown threats, we can look to the past and recent trends to predict the future. 2005 to 2020: A rapidly changing landscape While the first ransomware incident was observed in 1989,…

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

The evolution of 20 years of cybersecurity awareness

3 min read - Since 2004, the White House and Congress have designated October National Cybersecurity Awareness Month. This year marks the 20th anniversary of this effort to raise awareness about the importance of cybersecurity and online safety. How have cybersecurity and malware evolved over the last two decades? What types of threat management tools surfaced and when? The Cybersecurity Awareness Month themes over the years give us a clue. 2004 - 2009: Inaugural year and beyond This early period emphasized general cybersecurity hygiene,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today