Outmoded Training Methods in Cybersecurity
Spokane, WA (USA), November 2020 - (by Heather Stratford) The COVID-19 pandemic has unleashed cybercriminal activity that has given rise to a surge in cyberattacks. With so many employees working remotely, and with so many new processes and so much uncertainty, nefarious actors continue to take advantage of the chaos. Cybersecurity awareness training is no longer reserved for financial institutions or hospitals. All organizations need it in order to prevent successful attacks - because if a business has money transactions, it is a target for criminals. Yet, cybersecurity training has not evolved to meet the current needs of an ever-changing workforce and its new work conditions.
Effective cybersecurity training is more important than ever because attacks are increasing and organizations have shifted to more remote work, which has left companies even more exposed. During the early months of the coronavirus pandemic, phishing websites multiplied exponentially, and phishing attacks surged by 667%. Despite this trend, companies are going through the motions of cybersecurity awareness training, just ticking a box to fulfill a regulation. Organizations need more role-specific, engaging, and consistent training to combat the current risks of cyber breaches.
To be effective, cybersecurity training must change behavior. Mimecast Limited recently released a report that found that employees are knowingly disregarding and going around security measures. Of employees surveyed who had attended security awareness training, a third admitted to disregarding security policies. Until organizations change employee attitudes about roles and responsibilities, employees will continue to see it as someone else's problem, not their responsibility.
Unfortunately, there is a disconnect between how cybersecurity training evolved and what it needs to accomplish. Most cybersecurity programs have grown out of regulations on security and privacy issues, including payment card industry (PCI) compliance; Health Insurance Portability and Accountability Act (HIPAA) compliance; Family Educational Rights and Privacy Act (FERPA) compliance; and General Data Protection Regulation (GDPR) compliance.
When cybersecurity training is seen as a checkbox or a compliance obligation, the goal becomes the minimum required to satisfy the requirement. In such a scenario, if 98% of the staff have a 30-minute annual review of cybersecurity, their training requirement has been met. From a behavior and security perspective, however, those staff members are rarely implementing the knowledge they were supposed to know or demonstrate.
One reason for the current disconnect in cybersecurity training is that the delivery method for compliance training is generally ineffective for training aimed at behavior change.
Organizations rely on outdated content delivery approaches, such as lengthy presentations followed by assessment testing. This archaic method does not support how the modern workforce processes information.
According to a SHIFT eLearning blog post, research has found that today's typical employee works on a task for about eleven minutes before being interrupted by a phone call, an email, or a co-worker. Within that span of eleven minutes, she or he engages in multiple short (three-minute) tasks. "If the task involves consuming digital information," the post continues, the average worker "spends just 20 seconds browsing one piece of content" before moving on to the next.
A common hurdle that companies experience is the idea that they cannot mandate training and should, instead, make it voluntary. However, if a company or organization cannot work through the red tape of making cybersecurity training mandatory, how will employees ever see it as core to their job or as an enterprise priority? If leaders treat cybersecurity training as an optional afterthought, employees will treat it that way, too.
Within the training industry, a common challenge is motivation: how to train an employee who simply doesn't care. When it comes to cybersecurity training, removing training from the traditional compliance "check-the-box" track is one way to demonstrate its importance.
Making it mandatory is another way to show that the executive leadership is in full support and wants everyone involved in cyber education. In addition, activities that are regularly measured and monitored become a higher priority, and if training is consistent, shorter, and more engaging, it can inspire more attention and create more impact.
Finally, the cybersecurity industry generally focuses on the fear factor to create urgency and awareness - but fear doesn't work in the long run. Effective training moves beyond initial scare tactics to empowerment. Investing in improving employees' knowledge and giving them a sense of responsibility over their actions - as well as an understanding of how those actions can impact the whole organization - will create lasting change.
Thirty years ago, there was a huge push for safety within manufacturing industries. It became the top priority. Teams would have safety meetings and share the number of days they went without an accident within the facility. This approach brought the idea of safety to the forefront and made sure all workers knew it was the priority. Cybersecurity is the new safety message, but it is still transitioning and finding its way to an essential cultural place within most organizations.
Microlearning, an approach to training that changes the traditional model, can help. It involves breaking content into bite-size chunks and testing learners on each small piece of information. This results in deeper engagement and yields better results than traditional methods.
A Grovo blog post reports that in a study conducted by the Dresden University of Technology, students taught using a microlearning style presentation performed 22.2% better than the rest of their colleagues, who had had more traditional training. In addition, the former took 28% less time to answer questions and performed 8% better on a comprehensive exam.
A highly effective approach in today's cybercrime-threatened workplace is to combine microlearning with gamification, which involves the application of typical elements of games (point scoring, competition with others, rules, etc.) to learning. Contemporary workers respond well to gamification, not only in terms of motivation and productivity, but in their overall relationship to the organization.
In the modern workplace, it is essential to provide employees with the information they need to help prevent cybercrime - and to provide it in ways that ensure the employees remember and make use of it. Properly applied, gamification and microlearning are tools that can make a significant difference, not only in employee engagement and satisfaction but in overall corporate security.
The cybersecurity training industry has become lazy and over-commoditized, competing only on price, and even lowering the price so much that it has created a real imbalance. Today's organizations need better, more engaging platforms to carry the message to the entire enterprise. Cybersecurity education needs to create behavior change and empower employees to be part of a more secure organization.