Influencing security mindsets to build a culture of cybersecurity
Cybersecurity specialists aren’t the only people who play an indispensable role in protecting businesses from cyberattacks. Every employee who uses the internet is also on the front line, and in today’s high-tech workforce, that’s almost all of them!
Despite their role as cyber-gatekeepers, many employees haven’t benefited from cybersecurity training. Instead of looking at that as a weakness, think of it as a major opportunity for your cybersecurity team to teach cybersecurity best practices and build a culture of security.
At the Infosec Inspire Cyber Skills Summit, we had the opportunity to speak with two leaders in corporate cybersecurity training. Donna Gomez is a Security Risk & Compliance Analyst at Johnson County Government in the State of Kansas. Joining her was Tomm Larson, Cyber Security Awareness Lead at Idaho National Laboratory.
Video 1: Creative and fun approaches to training
Let’s take a look at how they built thriving security cultures in their organizations.
Understand your employees’ needs
There are tons of prepackaged lessons out there for teaching security awareness, but the best place to begin is by asking your employees what they’d like to learn. Gomez does this by using surveys after every lesson. “Making somebody feel heard is the biggest thing because needs analysis and meeting their needs is the biggest way to encourage a change in behavior.”
After each training, she wants to know “what was missing?” and “what do you want to know more about?” By getting feedback directly from her employees, she’s able to tailor additional lessons to fit their needs and learning objectives. Her employees know that she’s listening and wants to help them learn.
Make security awareness relevant
Without real-world examples, security awareness training may feel disconnected from everyday life in the office. That’s why Tomm Larson strives to connect training with current events. “I scour the headlines on a regular basis looking for news that will impact my users,” he says. “Like the Twitter attack — apparently that’s a new phishing attack that’s becoming more popular amongst criminals, and so I wanted to let my users know this attack is out there.”
Larson also drives home the point that cybersecurity isn’t just a workplace concern — it’s also something that impacts his trainees in their personal lives. This connection between work and home life helps employees understand that cybersecurity concerns are everywhere and that they always need to be on alert for potential attacks.
Teaching security awareness for different learning styles
Visual, auditory, tactile: there are a variety of different learning styles. Gomez and Larson agree that security awareness training should be geared towards different learner preferences. That means including a variety of different exercises and lesson formats like videos, animations or microlearning moments. Not only is this an effective way to teach the lessons, but Larson explains that it’s also an excellent way to build rapport with your colleagues. His curriculum includes different kinds of media and content so that learners can choose what works best for them. They also use activities like games and tournaments to make cybersecurity fun and engaging.
Build trust
Video 2: Building trust
A strong teacher-student relationship is founded on trust. That’s why Gomez and Larson emphasize the importance of building trust with your employees. However, that can be easier said than done — especially if the learning process includes lots of tests, quizzes and assessments.
For that reason, both Gomez and Larson have eliminated tests from their security awareness curriculums. Instead, Larson allows learners to self-assess their own cybersecurity knowledge to identify opportunities for future learning. He also runs monthly “drills,” much like fire drills, where employees can practice what would happen during various cyber-attack scenarios. No one gets in trouble for clicking on a “drill” phishing email—it’s a learning opportunity, plain and simple.
Create a safe learning environment
If employees feel like they’re going to get in trouble for their cybersecurity knowledge gaps, they’re not going to get the most out of training. Instead of feeling confident enough to ask for help, they may feel too ashamed or embarrassed to say anything at all. Gomez and Larson stress that creating a “safe” environment in which to learn cybersecurity is essential for building a culture of security awareness.
At Idaho National Laboratory, Larson has an email address dedicated to cybersecurity questions and concerns. Employees can report phishing emails to the address, but they can also ask general cybersecurity questions. Larson’s team will help employees with everything from how to properly set-up a router to the benefits of using a VPN or password manager. The key message behind this system is that the cybersecurity team is truly there to help employees safely navigate the web — not to get them in trouble, report them or judge them for what they don’t know.
Never underestimate the power of empathy
A sense of empathy is also critical for building a safe learning environment. Gomez likes to stress that literally anyone can become a victim of cyberattacks. This helps dispel the sense of shame or embarrassment that an employee may be experiencing in the wake of a security incident. “Belittling people does not change behavior, it puts the fear factor in them. I like to ask them, ‘Why did you click?’”
In many cases, the answer to that question lies in business practices that conflict with cybersecurity. For example, if staff feel pressured to respond to an inquiry right away or have to have a clean inbox at all times, then they’re more likely to fall victim to the “click before you think” mentality that scammers prey on. It’s this empathetic, solutions-oriented approach that shows employees you’re on their side.
Phishing simulations & training
Inspire staff to be security-aware, everywhere
Protecting your company from cyberattacks starts with building a culture of security. In today’s modern workplace, almost all of your staff — both technical and non-technical — will have access to internet-enabled devices. While these devices make their jobs easier, they also create countless entry points for intruders. That’s where security awareness comes in.
The more your front-line staff knows about basic cybersecurity best practices, the more they can protect themselves from would-be attackers — both at work and at home. If you’re looking to strengthen cyber awareness at your company, Donna Gomez and Tomm Larson shared some excellent tips with us during the Infosec Inspire Cyber Skills Summit. We covered the highlights in this article, but we recommend you check out the video for even more action-ready cyber awareness tips!
In this Series
- Influencing security mindsets to build a culture of cybersecurity
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization