One of the most common questions I get asked working for a security awareness training company is, how do I get employees to engage with and care about the training? I get it. Who wants to spend even more time doing “busy work” when you’ve got a real job to do?
As my co-worker Perry Carpenter says in his book, Transformational Security Awareness, “They may be aware and still not care.” Here’s how you make them care.
There are two keys: first, imparting the importance; second, incentives.
The Importance of Security Awareness Training
Part of the problem is that most users have no idea how big a role security awareness training can play in their fight against social engineering and phishing compared to other defenses. Users are told they have to do a “hundred different things” to fight computer crime, such as “Make sure your software is patched,” “Make sure to lock your desktop when you are away,” “Don’t click on unexpected file attachments,” and “Make sure your password is long and complex.” Users hear so many rules and recommendations that they can’t figure out which one is or isn’t as important as another. There is very little teaching of relevance in the computer security world. It’s as if we treated playing with Nerf darts the same as playing with real guns. Both can cause injury, but one is far more likely to result in serious, long-lasting injury than the other.
But if you share the facts, that nothing is as important to the cybersecurity of an organization as fighting social engineering (and show them using data and pictures), it helps to provide relevance and focus. According to nearly every study done on computer security crime for over a decade, social engineering and phishing are responsible for more cybersecurity incidents than any other cause. Social engineering and phishing are responsible for 70% to 90% of security breaches. Unpatched software is responsible for 20% to 40% of malicious data breaches. Nothing else comes close. All other types of computer crime (e.g., password attacks, eavesdropping, misconfiguration, insider attacks, etc.) amount to just 1% to 10% of malicious data breaches. The figure below shows the risk percentages of the top two risks as compared to all the others.
This means there is nothing else that matters as much to reducing cybersecurity risk as focusing on defeating social engineering and phishing. It also means that if an organization doesn’t effectively mitigate social engineering and phishing, nothing else matters.
I don’t want you to just trust me and what I say, although my co-worker Javvad Malik’s white paper revealed that social engineering and phishing were the top cause of cybercrime in the 100 other threat intelligence reports he reviewed. Just ask yourself, and ask your employees to ask: when they were hacked by a malicious hacker or infected by malware, how did it happen? Ninety-nine percent of the time, I bet you and they will say it was either social engineering or unpatched software. When employees learn that social engineering is the biggest cyber risk their organization faces, they usually understand why it’s important that they help in fighting it.
Incentives
Incentivizing people to want to take training doesn’t hurt, especially if they first understand and care about why they have to take it. Some people like to threaten employees: “Take this training or you are fired!” At KnowBe4, we believe in more carrot and less stick. That doesn’t mean you can’t have penalties for not taking training, but don’t make it only about negative reinforcement. Even if it is something they have to take, I’d rather see whether they took the training considered as part of a wider review process, such as an annual review. I’m completely open to training completion being part of determining whether someone gets a good or a bad review; just don’t make it the sole deciding factor. I’d hate to see an otherwise perfect employee who has never been tricked by social engineering or phishing in real life get a bad review simply because they didn’t take training. But I’m OK with making the training mandatory and noting a negative indicator on their annual review if they don’t take it.
Note: I’ve also heard of bosses who fired people who failed one simulated phishing test. That’s definitely a bit harsh, and I don’t recommend it. Policies like those incentivize people who fall for phishing and realize it to cover it up instead of proactively reporting it to IT so the risk can be addressed early and appropriately.
Other Ideas to Engage Employees
Here are some other ideas on how to get employees more engaged in security awareness training:
Offer nothing but a carrot. I know of organizations that offer cash bonuses, up to $1,000, for employees who not only take and pass security awareness training, but who also don’t fail any simulated phishing tests. This is essentially making it part of their annual review process, but not calling it out as solely a negative. It’s a chance for someone to make more money, not to lose something promised. Some organizations offer quarterly gift cards to employees who take training and don’t fail simulated phishing tests. I’ve seen organizations pay for pizza parties, gifts, and even mini vacations nearby.
If the latter idea sounds extravagant, I thought the same when a CEO told me he paid $1,000 to every employee at the end of the year for passing all simulated phishing tests. I told him I could not believe he gave so much money to each employee and how generous it was. He told me that if I believed social engineering and phishing were the top threat to most organizations (and I do), then it was some of the best money he spends each year. He said almost no employee clicks on any URL link without investigating it first. No one wants to lose their $1,000. He said that in the five years he’s been offering the money, they’ve been malware- and ransomware-free, and that isn’t true of any of his closest competitors. He said the $1,000 per employee that he spends works better than any antivirus defense he’s paid for in his career.
He said that if an organization doesn’t have an extra thousand to give each employee, just give every new employee $1,000 less in salary when they come on and offer what you would have given them anyway as the prize. You end up paying them what you would have paid them anyway, they think you are great for giving them a chance at an extra $1,000 bonus around Christmas time, and it creates a comprehensive culture of security awareness at your organization. I can’t argue with that.
Offer Interesting Training
Most employees have had enough boring, staid training. So, give them more exciting education. For example, at KnowBe4, our award-winning, Netflix-like The Inside Man series is loved by almost every person who takes it. It’s not going to win an Oscar, but for computer security training, it’s pretty great. The Inside Man uses professional actors, professional production values, and a mystery-driven narrative to show and teach computer security defenses. No one can believe that it is training. We have security administrators and employees asking when the next episodes will be out. When does that ever happen with training? Well, it does with The Inside Man.
Switch It Up
Make sure you switch up training content. Try different things. Different people learn differently. At KnowBe4, our extensive content spans just about every type of learning style you can imagine – videos, documents, posters, quizzes, and even cartoons. Even if someone loves a particular style of learning, say The Inside Man, it can’t hurt to switch it up every now and then. Maybe switch to a cartoon or send around a security training poster, like KnowBe4’s Social Engineering Red Flags PDF, as shown below and available for download here.
Don’t Underestimate the Power of a Certificate
It’s amazing what a printed certificate of achievement can do to brighten someone’s outlook. Many organizations recognize employees who go a quarter or a year without failing a simulated phishing test with a certificate suitable for hanging. It’s a small, nearly cost-free action that will result in a tremendous amount of goodwill and a feeling of accomplishment in many employees. It’s not the paper they love; it’s the recognition of their accomplishments by an organization that shows it cares.
Offer Free Training for Families
Nothing makes people care more than if you care about them and their families. All KnowBe4 customers get content that is meant to be shared with their families. The more mom or dad share tips with their children on how not to be socially engineered or phished, the more likely they are to be better trained for work.
Lastly, send simulated phishing emails to your employees and co-workers. Simulated phishing emails used to be seen as somewhat taboo. Today, nearly every organization does it, and it’s rare to find one that doesn’t. Simulated phishing is a part of the education process. It reinforces the lessons learned and helps employees and IT gauge the effectiveness of their security awareness program. Don’t let criminal phishers be the only ones who ever phish your employees. Plus, it gamifies the training, especially if it isn’t associated with purely negative consequences. If you make it a game, you will get a certain percentage of your employees genuinely engaged who otherwise would not have been.
These are just a few of the ideas that have been shared with me as an employee of a security awareness training organization. Good luck fighting the good fight!