Fundamentals of Security Awareness Training
How To Get People Excited About Security Awareness Training
We talk with different audiences and businesses all the time. How can we engage with everyone in the street? How do we get them interested and excited about security awareness and online safety? Is it even possible?
It’s possible. People love stories and they love stories about crime even more! Cyber Security incidents are no different than your standard crimes and they have all the components of a good story. We’ve gathered the experts for a wonderful non-technical discussion that dives into the human element of security awareness, what we as an industry are doing wrong, and how we can change the culture.
It’s how we communicate. We tend to distance ourselves from people when they don’t understand. Cyber crimes are like an accident. They’re relatable. So why then are people still reluctant to take it seriously? It’s not enough to just tell them it’s serious.
Even the words “Cyber Security” distance us from our audience. It sounds more like a profession and completely impersonal. Now Online Safety? Everyone can get on board with that!
Security Awareness Is About Storytelling
Everyone feels like things are far-fetched. People know what cyber security is but they don’t connect to it. Stop making security awareness only about the company, make it about the people. Tell them how a woman saved money and built up her credit only to have it compromised trying to buy her dream house. Tell them how she spent the next 10 years trying to get that back and what she lost in the process.
Analog Human In a Digital World
We have not successfully bridged the gap that digital life is now real life. People need to know why they should care. Have meaningful conversations and build relationships. Talk to the community.
The consequences are not always immediate or detrimental when it comes to cyber security attacks. Risk. Danger. Emotional Response. We have cultural issues we are not fully addressing. Risk is very cultural and personal. Not everyone has the same risk factor or knowledge set either. We live in a 10 second world.
Most people that drive have no idea how to do anything other than the basics like refueling or changing the oil or a tire. If something else should happen, then what? They have to have a plan to either fix it or get it fixed.
Still Don’t Believe Us?
You rely on technology more than you think. Challenge: Try to go through one day, just one...without using a single bit of technology. No phone, TV, computers, car, nothing.
Digital Corporate Culture - What Have We Done Wrong?
The company mentality needs to shift from protecting the organization to protecting their employees. Once that happens, employees’ behaviors will change and the company will be safer as a result. It’s not the other way around anymore.
Security Awareness Training shouldn't be just about compliance: checking the boxes of what we need to teach once or twice a year and then stopping. Security awareness needs to be ongoing: learning, resources, accountability, or praise.
Corporate leadership tends to only rely on contingency plans and insurance that will only help them out of a cyber security attack. It’s time to humanize cyber security training.
Getting on the Right Track
It’s time to use a different approach towards security awareness training.
Gamification is fun and it works. Use phishing simulations or divide departments into teams that try to compromise one another.
Do digital footprinting. Show them their footprint and how much public information you can find on them. Of course, make sure this is legal, set boundaries, and share what you will and will not do with the person being assessed.
Lead with the personal stuff. Once you gauge their interest, they will start to ask questions and be concerned about how they can protect themselves.
Security Awareness Should Be in Plain English
Plastering flyers on cyber security awareness in the lunch rooms or in emails does NOT work. The best you can hope for is someone wondering who designed this cheesy thing while they are waiting for their lunch to cook in the microwave.
Think of this from a marketing perspective. Who is your audience? How do they interact? Are most of them technical or not? This is the way our industry needs to think. Get in that mindset and you cannot go wrong. To help explain technical terms in a non-technical way, we created an awesome resource for you to translate Geek To English!
Check Out the Geek to English Dictionary!
It’s Not Just About Watching Silly Videos Every Year
You know that one person that always forgets to lock their computer? What normally happens? People laugh, some will play a prank and rearrange their desktop icons. It pretty much becomes an ongoing joke and while it’s all fun and games, it becomes unimportant.
It’s time to include Security Awareness as a standard everyday business practice by adding it into performance reviews. Security hygiene, if you will. Doing this will not only help you identify individual training needs, it will also show where the vulnerabilities lie in your organization as a whole. Finally, you now have the grounds and the means to start holding employees and management accountable.
Keep the Fire Burning!
Make sure your content is geared towards everyone so that anyone can relate to it. Allow your employees to share materials with their family and friends. By doing so, we are putting them back in the hero's seat while they spread security awareness. Best of all, they know that you are looking out for their best interest as well as their family's and not just concerned with the business. Here's a perfect example of short, to-the-point content that is relatable...and shareable.
For more training like this one, visit Wizer Security Awareness Training
Have reference materials and FAQs that are readily available to people to rely on if they get that suspect email and have a question.
Start an Ambassador Program and use your best assets (your employees) to promote cyber safety. No worries, we’ve done the heavy lifting and you can find out exactly how to implement your own here.
Watch Your Language
People are the weakest link. Wait...Did we just say that? Why have we been saying this for years and years? How rude! We certainly got that one wrong in this industry. What better way to bring up such an important safety topic than to insult the people we are trying to teach?
People like to feel important and like they are contributing something. You can make a difference, you are saving the company money, your kids are safer because of you. Make them the heroes.
Your people are your strongest defense. We all need to see this side of things and create positive conversations with people. Building trust on this level makes your employees comfortable to come forward.
The Emotional Response and Connection
How do we change the habits to create a human firewall?
Think about how people behave and how they like to interact and you will win their hearts and minds. There is a difference between knowing something and behaving. It is hard to break habits. Emotions drive us to make decisions to act. Taking a moment to analyze the information being presented before you react to anything can help break the bad habit of reacting immediately. This can apply to cyber security awareness training and online safety as well.
Just Say NO
People have gotten used to saying YES in the work environment and it becomes a bad habit. They want to get their work done, get paid, and keep their job. Very rarely does an employee say NO. Teach them that it’s okay to just say NO.
When they get that email that comes from the boss asking them to do an immediate wire transfer, they will stop, assess the email, and decide whether or not to do it if they feel they have the option to say YES or NO. The company isn’t going to burn down in the next five minutes if they do this.
One suggestion is to tell them to read the email out loud. They’re more likely to realize on their own how outlandish an email asking for money sounds.
People want to please. It’s human nature. They need to be empowered to ask questions and make the right decisions.
Security Awareness is a Unique Opportunity for you Right Now
Due to the pandemic, many companies and their employees have had to switch to working from home. Recognize how quickly that happened and how well your employees adapted to the changes. Leverage and capitalize on this. Everyone is open to being told what the new normal is. Use this to invoke change. Show them what to do.
Lead the way without swords against their backs.
Moderated by Wizer’s hacker, Chris Roberts!
Panelists:
Gabriel Friedlander
Gabriel Friedlander is the Founder & CEO of Wizer, whose mission is to make basic security awareness a basic life skill for everyone. Wizer has been rapidly growing since being founded in 2019, and now serves 20K+ organizations across 50 countries. Before founding Wizer, Gabriel was the co-founder of ObserveIT (acquired by Proofpoint). With over a decade of experience studying human behavior, he is a prolific content creator on social media, focusing on online safety to elevate public understanding of digital risks. His engaging 1-minute videos have captured the attention of millions worldwide, going viral for their impactful messages.