Influencing security mindsets to build a culture of cybersecurity
Cybersecurity specialists aren’t the only people who play an indispensable role in protecting businesses from cyberattacks. Every employee who uses the internet is also on the front line, and in today’s high-tech workforce, that’s almost all of them!
Despite their role as cyber-gatekeepers, many employees haven’t benefited from cybersecurity training. Instead of looking at that as a weakness, think of it as a major opportunity for your cybersecurity team to teach cybersecurity best practices and build a culture of security.
At the Infosec Inspire Cyber Skills Summit, we had the opportunity to speak with two leaders in corporate cybersecurity training. Donna Gomez is a Security Risk & Compliance Analyst at Johnson County Government in the State of Kansas. Joining her was Tomm Larson, Cyber Security Awareness Lead at Idaho National Laboratory.
Video 1: Creative and fun approaches to training
Let’s take a look at how they built thriving security cultures in their organizations.
Understand your employees’ needs
There are tons of prepackaged lessons out there for teaching security awareness, but the best place to begin is by asking your employees what they’d like to learn. Gomez does this by using surveys after every lesson. “Making somebody feel heard is the biggest thing because needs analysis and meeting their needs is the biggest way to encourage a change in behavior.”
After each training, she wants to know “what was missing?” and “what do you want to know more about?” By getting feedback directly from her employees, she’s able to tailor additional lessons to fit their needs and learning objectives. Her employees know that she’s listening and wants to help them learn.
Make security awareness relevant
Without real-world examples, security awareness training may feel disconnected from everyday life in the office. That’s why Tomm Larson strives to connect training with current events. “I scour the headlines on a regular basis looking for news that will impact my users,” he says. “Like the Twitter attack — apparently that’s a new phishing attack that’s becoming more popular amongst criminals, and so I wanted to let my users know this attack is out there.”
Larson also drives home the point that cybersecurity isn’t just a workplace concern — it’s also something that impacts his trainees in their personal lives. This connection between work and home life helps employees understand that cybersecurity concerns are everywhere and that they always need to be on alert for potential attacks.
Teaching security awareness for different learning styles
Visual, auditory, tactile: people learn in different ways. Gomez and Larson agree that security awareness training should be geared towards different learner preferences. That means including a variety of exercises and lesson formats like videos, animations or microlearning moments. Not only is this an effective way to teach the lessons, but Larson explains that it’s also an excellent way to build rapport with your colleagues. His curriculum includes different kinds of media and content so that learners can choose what works best for them. Both teams also use activities like games and tournaments to make cybersecurity fun and engaging.
Video 2: Building trust
A strong teacher-student relationship is founded on trust. That’s why Gomez and Larson emphasize the importance of building trust with your employees. However, that can be easier said than done — especially if the learning process includes lots of tests, quizzes and assessments.
For that reason, both Gomez and Larson have eliminated tests from their security awareness curricula. Instead, Larson allows learners to self-assess their own cybersecurity knowledge to identify opportunities for future learning. He also runs monthly “drills,” much like fire drills, where employees can practice what would happen during various cyberattack scenarios. No one gets in trouble for clicking on a “drill” phishing email—it’s a learning opportunity, plain and simple.
Create a safe learning environment
If employees feel like they’re going to get in trouble for their cybersecurity knowledge gaps, they’re not going to get the most out of training. Instead of feeling confident enough to ask for help, they may feel too ashamed or embarrassed to say anything at all. Gomez and Larson stress that creating a “safe” environment in which to learn cybersecurity is essential for building a culture of security awareness.
At Idaho National Laboratory, Larson has an email address dedicated to cybersecurity questions and concerns. Employees can report phishing emails to the address, but they can also ask general cybersecurity questions. Larson’s team will help employees with everything from how to properly set up a home router to the benefits of using a VPN or password manager. The key message behind this system is that the cybersecurity team is truly there to help employees safely navigate the web, not to get them in trouble, report them or judge them for what they don’t know.
Never underestimate the power of empathy
A sense of empathy is also critical for building a safe learning environment. Gomez likes to stress that literally anyone can become a victim of cyberattacks. This helps dispel the sense of shame or embarrassment that an employee may be experiencing in the wake of a security incident. “Belittling people does not change behavior, it puts the fear factor in them. I like to ask them, ‘Why did you click?’”
In many cases, the answer to that question lies in business practices that conflict with cybersecurity. For example, if staff feel pressured to respond to an inquiry right away or have to have a clean inbox at all times, then they’re more likely to fall victim to the “click before you think” mentality that scammers prey on. It’s this empathetic, solutions-oriented approach that shows employees you’re on their side.
Inspire staff to be security-aware, everywhere
Protecting your company from cyberattacks starts with building a culture of security. In today’s workplace, almost all of your staff, technical and non-technical alike, will have access to internet-enabled devices. While these devices make their jobs easier, they also create countless entry points for intruders. That’s where security awareness comes in.
The more your front-line staff knows about basic cybersecurity best practices, the more they can protect themselves from would-be attackers — both at work and at home. If you’re looking to strengthen cyber awareness at your company, Donna Gomez and Tomm Larson shared some excellent tips with us during the Infosec Inspire Cyber Skills Summit. We covered the highlights in this article, but we recommend you check out the video for even more action-ready cyber awareness tips!