Don’t click on links from email. Don’t click on links from email. This has essentially become a mantra for IT support professionals. But even the most powerful mantra loses meaning if you say it too often.
Recent media coverage of high-profile cyberattacks has raised the average employee’s awareness of cybercrime, but increased awareness does not necessarily equal better security practices. In fact, it’s leading to what some in the industry have termed “security burnout”: Employees are growing immune to security warnings simply because they’ve heard them too many times.
From IT’s point of view, it may feel as if employees just don’t listen to continual directives to avoid suspicious emails and tighten up their passwords. There are two problems with relying on repeated directives. One is that people tend to do what’s easiest, whether that’s clicking a link in an email or choosing a password that’s less secure but easier to remember. The second is that employees tend to tune out information that doesn’t impact their day-to-day work lives.
The challenge now is for IT support professionals to build training frameworks that will hold employees’ interest. Below, we present several ideas for doing just that. These tips offer fresh inspiration for employee cybersecurity training—because after all this time, that mantra could probably use a break.
Gamify cybersecurity training
Many businesses have found success through gamification programs for cybersecurity training. According to Forbes, digital consulting group Deloitte has witnessed a considerable increase in requests for gamified cybersecurity training platforms.
Gamified learning has the potential to transform how employees engage with cybersecurity training. When Salesforce.com launched its gamified cybersecurity program, the results were pretty outstanding: Participants were 50% less likely to fall for a phishing link and 82% more likely to report suspicious emails.
And you don’t necessarily have to pay a developer to build a gamification program for you, as security software provider ESET hosts a gamified online course you can use for free. According to ESET, the course features “a noble samurai protecting the city from attack, a secret spy agent protecting valuable secrets and more.” There’s a new take on security awareness for you!
Reward positive behavior
Let’s face it, cybersecurity isn’t exactly fun. On the contrary, it can be scary and upsetting. And unless you’ve triaged a data breach yourself or happen to work as an IT consultant, you probably think the hype is a little overblown.
The cybersecurity community often relies on fear tactics to spur employees into action—for instance, through warnings like “Do this, and something bad may happen.” But there’s evidence this approach isn’t working. A recent Virginia Tech analysis of leaked passwords showed that many users are choosing very poor passwords such as “123456,” while almost 52% repeat passwords across accounts. Meanwhile, nearly 90% of all cyberattacks can be attributed to human error or negligence.
Clearly, something isn’t connecting. Perhaps it’s time IT support professionals changed the message of cybersecurity training so it’s more enjoyable to sit through. We recommend that businesses offer small rewards—such as Amazon gift cards—to praise employees for good cybersecurity hygiene. Even tokens like lunch with the CEO or a choice parking spot can be effective. When the motivation is to work for a reward rather than against a looming threat, employees will be less likely to tune out and turn off.
Increase frequency, reduce content
When cybersecurity training amounts to nothing more than a long PowerPoint presentation once a year, it’s no wonder the lessons don’t stick. Not only does employee engagement suffer during such sessions, but the information presented may also become outdated in a matter of weeks.
Instead, convert long sessions into bite-size snippets of information distributed in a variety of different formats, including newsletters, emails and presentations. Use interactive techniques to hold employees’ interest during in-person training; for example, ask questions, poll the room and use props to convey your message, all the while keeping your tone informal and approachable. Distributing your content using a variety of speaking techniques and a range of formats will prevent “death by PowerPoint.”
Of course, these suggestions only work if you have the available resources to make major changes to your current training program. If that’s not the case for your business, don’t worry—managed service providers and IT consultants often take the lead on these kinds of training sessions, creating materials to avoid employee burnout. In fact, MyITpros has created a cybersecurity infographic that you can download for free and distribute among your employees today.
Ready to take your cybersecurity training to the next level? Call our IT consultants now and say sayonara to worn-out security mantras.