At Layer 8 we spend a lot of our time having conversations with groups of employees about what it means to be a protector of digital information at home and at work. We always start our sessions by explaining that we won’t be showing a PowerPoint and we won’t be talking about rules; what we aim to do is to clear a space to allow us to talk about our shared attitudes towards security, be honest about what we don’t know, and find some security behaviours that we can all buy into. The aim of these sessions is always to create proactive defenders who understand the strategies underpinning phishing and ransomware, and feel confident enough to spot and report unusual email requests or potential phishing attempts, rather than clicking through dangerous links in order to find out more.
Contrary to Popular Belief, End-Users are Engaged
We’ve found out a lot about the way non-tech people feel about cybersecurity this way, and we always end our sessions feeling hopeful that we are not a society ‘overwhelmed with messages about online perils’ or hopelessly mired in an ever more complex world of cybercrime. Instead we have learnt that people are deeply concerned about online security and keen to be cyber-savvy, but they lack confidence and feel that they have no way of sharing their concerns, talking about the issues, or learning from each other.
3 Ways Employees Can Feel Disempowered by Security Awareness Training
- Nothing I can do will make any difference – many end-users have talked to us about attempts they have made to behave more securely but – in the absence of ongoing support, or feedback – they felt that their efforts were inconsequential.
- Every time we get on top of a new kind of attack it changes, so why bother? – people feel demoralised by feeling they’re pawns in a game they don’t know the rules of, and so they can’t possibly win.
- I don’t know who the hackers are and why they’d be coming after me – for many employees there’s no clear picture of who the ‘villains’ are; they lack the big picture and don’t understand why it’s important to protect data anyway.
4 Ways to Counter Disempowerment and Start Winning the Phishing War
- Allow employees to be protectors rather than responders – if security means following rules the hackers will always be one step ahead, leaving employees feeling disempowered. Reduce the vulnerability by recruiting them to your cause; ask them to be alert, share the responsibility – and it’s surprising how many phishing incidents are stopped in their tracks.
- Replace rules with conversation – I’ve yet to meet an employee who doesn’t want to talk about security, but I’ve met plenty who don’t want to follow rules they don’t understand. We have found that conversations make a huge difference; put security on the agenda of team meetings and give people the opportunity to get involved.
- Talk about who the enemy is, and what they’re after – the truth is that we all share our data online and we’re all dependent on each other to keep our personal information secure. Try talking about the supply chain for stolen data and working together to see the bigger picture.
- Find simple ways to create a more secure working environment – the top causes of data breach are not cybercrime; they’re carelessness when forwarding emails, loss of information through incorrect postal addresses, and loss of devices. Kick-start your proactive security culture by developing behaviours around the vulnerabilities you can control; offer positive feedback when things work, and add one behaviour at a time to build a comprehensive strategy.
Layer 8 works with large and small organisations to develop security teams made up of every single employee, by spreading viral conversations about security. We have written a white paper on the subject, ‘Developing Security Culture: 8 practical principles for effective change’, which can be downloaded from our website.