August 2022 / 5 Min Read

Cyber Awareness: Success Starts with Meaningful Engagement of People

Cyber training often fails to engage employees, resulting in poor awareness and education. Focus on the human factor for effective programs.

Key Takeaways

  1. As threat actors continue to grow in sophistication, they still rely on humans to fall victim to their schemes.
  2. In today’s remote work environment, the cyber security imperative is more important and multifaceted than ever, and educating and engaging employees is critical.
  3. Learn how to address the human factors in cyber security and ultimately create more effective cyber training and awareness programs.

Cyber security efforts have long been focused on the technology element, but companies are missing out if they fail to focus on the human factor as well. That’s because, as threat actors continue to grow in sophistication, they still rely on humans to fall victim to their schemes, especially in the ongoing remote-work environment.[1]

Unfortunately, existing cyber security training programs can typically be check-the-box exercises that fail to meaningfully engage employees — resulting in a lack of awareness and education when it comes to cyber security vulnerabilities and individuals’ roles in their company’s cyber security defenses. In today’s remote work environment, the cyber security imperative is more important and multifaceted than ever, and educating and engaging employees is critical.

Learn more through these insights on best practices, which will help information security and information technology leaders address the human factors in cyber security and ultimately create more effective cyber training and awareness programs:

Q: What are the gaps in companies’ employee cyber security awareness, training and education programs?

A: For many companies, it depends on where they are on the cyber security continuum and also in their cyber journey. Companies that are earlier on in the process are often focused more on the tech and IT side, which are foundational building blocks of a successful cyber security strategy. But across the board, companies should invest more in the human element. Organizations with comprehensive cyber education programs do that, because when you look at cyber incidents, breaches, network compromises, malicious insiders or former employees, there’s one common denominator — it’s humans. And several lines of defense are managed and maintained by humans. Yet the focus with many companies is often on the tech and infrastructure.

The challenge too is that existing trainings and education approaches are not always effective. Consider that employees are busy, focused on their day-to-day work, and inundated with trainings from various parts of the organization. Trainings should be more effective, and companies should also do more to influence behaviors and mindsets. It is not enough to tell people what to do; the concepts and behaviors, and the “why,” should be more deeply embedded in this work.

Q: What should companies be doing differently when it comes to cyber security trainings and awareness, especially in the remote work environment?

A: A way to effectively influence the human element is to build creative, exciting and engaging programs. They should be compelling and interactive — not just presenting or sharing content. A programmatic approach is effective, rather than one-off trainings, and that starts with knowing what the learning objectives and desired behaviors are, so that all the exercises that follow are designed to meet those objectives and produce those outcomes. The exercises or activities can be computer-based, especially in today’s environment, but still have the feel of in-person trainings.

  • Consider lunch ‘n’ learns, with guest speakers and storytelling — stories resonate with people. Stories help people understand an idea or behavior in context, and it’s far more engaging and interesting.
  • Tabletop exercises, which bring together specific business groups to discuss different scenarios, are great. Keeping them grouped at the business level, such as C-suite, HR, legal, and so on, rather than more broadly, helps people connect at an individual level. It is more relevant to them and their work, and that’s likely to be more successful. Those conversations should be open, challenging, and engaging. There are also a lot of technology simulations that can be used in those trainings, simulating phishing for instance. Simulations are powerful — the experiential element helps.
  • Also consider fireside chats, which facilitate an open and engaging dialogue.

When it comes to cyber security training, there are several guiding principles that make it more effective: consistency, conformity and pervasiveness.

Another key piece of this is ensuring the environment and tone is not punitive — it should be an open learning forum. If it’s punitive or disciplinary, people won’t engage and will feel threatened.

It’s also critical to include a call to action. That way, employees are not only given new information — the organization is asking them to do something. They are empowered to take action, have an impact, and have a specific role and responsibilities. That changes the way employees think about things and how they behave at the keyboard. It also helps to let employees know they can use their learnings to protect their home network as well.

Validation is important — companies need to validate understanding and the effectiveness of the training, and work to continually improve. Cyber security is always evolving, so a company’s response, and their training program, should be fluid and dynamic. It should never be one-and-done.

Q: How else can companies build or support better cyber security training?

A: A lot of it is cultural. Cyber security really needs to be a top-down priority, starting with leadership. In some organizations, leaders support certain levels of controls and cyber security procedures for everyone, but then find them cumbersome and tend not to adopt them themselves. That’s something we all have to change and get used to. The tone at the top is really important.

Making training relatable and relevant goes a long way across the organization, from the C-suite on down. The messages should be tailored — if a training for a retail company uses examples from higher education, it’s less likely to carry the weight and depth of an industry-specific perspective. People want to know what their industry peers are experiencing and what the threat context is, from lost revenue and lost opportunity to lack of trust.

People also need to be aware of the growing sophistication of cyber attackers. Phishing emails are now written in the tone and voice of the person’s boss — so the recipient is more likely to respond and compromise cyber security. To combat that, training helps, but so does a cyber security culture with a willingness to question anything that looks out of the ordinary — to recognize red flags that just don’t look right. In those cases, clicking through an annual training is unlikely to change the outcome — it’s more about cultural and behavior change.

Q: What else is at the top of the cyber security training and awareness agenda?

A: Making training more targeted through specific and engaging exercises, focused on real threat and risk scenarios. Companies can identify threats and weaknesses in their environment and address them in strategic, targeted ways — that increases reach and relevance with employees. Often companies are focused on server vulnerability or IT issues — but cyber security is much broader than that. A long-running, robust, evolving program that speaks directly to the people of the organization and their challenges makes a difference.

[1] Click And Despair: Remote Workers Come Under Cyber-Attack

Successful awareness, training and education principles and practices

  • Take a programmatic approach, rather than one-off or annual trainings.
  • Engage people with various formats, such as tabletop exercises with different scenarios, lunch ‘n’ learns, simulations and fireside chats.
  • Incorporate stories and anecdotes to help people connect to the cyber security content.
  • Segment trainings by business unit and customize the content and messages to make them more targeted and relevant, instead of companywide trainings.
  • Make sure the tone of the trainings is open and engaging — not punitive.
  • Leave people with a call to action so they feel empowered and have clarity on their role and responsibilities when it comes to cyber security.
  • Conduct follow-ups and validation to ensure the trainings are effective and objectives are being met.
  • Revisit the program often and find ways to evolve and respond to changing cyber security vulnerabilities.
  • Have leadership communicate the importance of engagement from colleagues and participate in the trainings.
