Effective Security Training Requires Change in Employee Behavior

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow

Many organizations spend countless hours and resources on training their employees, only to find that their business has suffered a data breach caused by human error. Despite the quality and frequency of a security awareness training program, if employees are not engaged in training or feeling a sense of motivation to protect their organization, the training is useless. An article on ZDNet takes a look at why security training is ineffective unless it changes employees’ behaviors.

According to Laura Bell, founder and chief executive officer of SafeStack, there is often a lack of motivation for employees to care about their company’s security awareness program, which results in failure of that program. Bell also explains that until organizations can get their employees to really care about the why, they will never see a change in their employees’ behaviors.

James Turner, security advisor for IBRS consulting firm and founder of CISO Lens also believes that low staff engagement will never lead to positive security awareness training. Turner argues that when an organization attempts to train their employees knowing they have poor engagement, they are essentially asking their staff to “behave completely altruistically for a company that they feel no connection with.”

Turner goes on to explain how some top security executives have successfully improved employee engagement by first training staff on matters that are relevant to their personal lives. For example, by first training employees on personal e-safety, which includes topics such as privacy issues with Facebook, safe internet banking and how to talk to children about internet issues including cyberbullying, employees start to become more engaged. When an organization shows they care about their employees not just at work, but also at home, it motivates employees to return the favor and protect their organization as well.

Not only is it crucial to get employees engaged, but it is also necessary to ensure that their awareness of risks doesn’t lead to fear mongering.

We’re interested in just making sure that you don’t think that the internet is a bouncy castle where nothing’s going to go wrong.” – James Turner

Using company culture to build resilience
Cultural factors play a vital role in improving an organization’s cybersecurity resilience.

According to research from Australia’s Defense Science and Technology Group (DST) and University of Adelaide, allowing employees to exhibit more individualism in the workplace may help them better spot a phishing email.

The Australian government’s Stay Smart Online program encourages employees to “Ask out loud” when they are unsure of something. Giving employees the cultural permission to discuss a potential threat to the organization with a co-worker should be looked at not as a weakness, but rather a way to protect the organization, according to the program.

Talking through your concerns out loud with someone else can reassure you and help to identify messages that may be fake before you click a malicious link or give away any personal information.”

Another noteworthy discovery made from a separate DST-Adelaide research team is that employees suffering less workplace stress and who were more personally resilient had better information security awareness skills.

Another organizational problem that needs fixed in order to improve cybersecurity issues is management expectations.

Research conducted by the University of Otago in 2015 found that employees who fell for a phishing attack were typically away from their desk, using their mobile device, not opening an email in full and working outside of business hours.

While there is certainly convenience in checking emails at all hours on a mobile device, expecting employees to do so may result in poor security decisions by the employee.

Employee Awareness
Turner says that you want your employees to be at a “relaxed alert state”, where they are aware of both their actions and the environment. At this state an employee can spot something in an email that seems wrong and leads them to a “specific alert” state where their attention is grabbed, and the employee can address their concerns out loud with a co-worker.

Although it may seem ideal to be at a “specific alert” state at all times, this can be mentally exhausting for an employee. For this reason, the “relaxed alert state” is ideal.

Security Awareness Training
Nigel Phair, director of the Centre for Internet Safety at the University of Canberra believes that it is important for employees to understand what impact technology has on their organization, whether that be positive or negative.

Phair wants employees to know that they are an organization’s greatest strength when it comes to online security; acting as the eyes and ears of the organization.

Staff members need to understand the reasons behind security decisions, and the relative risks involved in different transactions. They need to understand, for example, that while the data on a device might be encrypted, losing that device still means losing an expensive corporate asset.”

Bell also believes that employees need to be aware of accidental and malicious risks, which is also a cultural issue. The assumption that bad things won’t happen to an organization because nobody in the world is cruel enough to do something malicious is a major problem.

It is important that a security awareness training program teaches employees the necessary skills and how to sustain those skills in order to protect their organization.

This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now offers annual online subscriptions to help covered entities and business associates keep up with compliance. Learn more here.