Cybersecurity awareness trainers can learn a lot from general self-help books, IT World Canada’s MapleSec online summit was told this week.
Erin Hutchison, product marketing manager for cybersecurity services at the Canadian Internet Registry Authority (CIRA) – which oversees the .ca domain – said it doesn’t matter that the books don’t deal directly with cybersecurity. What matters, she argued, is that some of their lessons can help in awareness training.
Awareness training continues to be vital. According to a just-released CIRA survey, most respondents (93 per cent) said their firm conducts cybersecurity awareness training, and 43 per cent said it is mandatory for all of their employees. However, only 46 per cent said awareness training is done quarterly. Forty-one per cent said it is only done once a year.
Meanwhile, Hutchison noted, another survey found 56 per cent of IT leaders believe employees have picked up bad behaviours since they started working from home because of COVID-19.
So how are self-help book themes helpful? Hutchison cited these three books:
♦the classic How To Win Friends and Influence People. The lessons: Employees can be motivated to complete training.
Talk in terms of other people’s interests, said Hutchison. Trainers must put themselves in users’ shoes and understand their needs. That means relating lessons to the particular jobs employees do.
Also, managers shouldn’t criticize, condemn or complain about users’ mistakes. “Praise the slightest improvement, and use encouragement,” said Hutchison. Even if a user falls for a phishing simulation, give them an opportunity to learn from a review. Let them see what red flags they missed. That helps turn a failure into a learning moment.
Few employees rejoice at the prospect of awareness training, she said. So she passed on these tips for launching a training program:
-share employees’ progress: If it’s a company-wide training program, at the end of the week report on how departments are doing (Human resources has completed X per cent of the course, marketing has completed Y per cent). Perhaps offer an incentive like gift cards for the department that completes the course first.
-remind employees why the company mandates training – that everyone plays a part in reducing risk. “This is absolutely critical,” Hutchison said.
-make training fun. Firms can buy or make a gamification platform, which offers rewards in the form of points. It can spur friendly competition between users or departments.
Hutchison added this caution: When running spear-phishing tests, avoid sensitive topics such as sending test emails with attachments promising details of a corporate bonus. Employees who fall for it will likely see this as an unfair trick. While this kind of phishing email is used by attackers, it’s better to warn users to watch for such a tactic rather than have the employer try to do it.
♦The Power of Habit. Lesson: Get in the habit of reporting incidents to IT.
Habits, the book says, work in three-step loops – a cue, which triggers a routine, which leads to a reward. So, for example, an attacker wants a victim to look at an email (the cue), react to an urgent request (the routine), which leads to an action (open an attachment in expectation of a reward). The goal of training is to break the habit by educating the employee to notice a different cue – spelling mistakes, errors in the sender’s address – and set up a new habit of reporting the suspicious email.
One way to reinforce this new habit is to convince employees to pause before doing sensitive tasks, like reading emails. They should trust their instincts if they detect something’s odd.
Hutchison also passed on these tips for helping users report phishing attempts: If IT can, add a button to the corporate email client that sends suspicious mail to the IT team. And make sure IT acknowledges the effort by replying. Similarly, make sure there are ways to report other security-related incidents.
♦The Life-Changing Magic of Tidying Up. Lesson: Clean up your home’s IT network and computer.
The book argues that re-organizing your home can cause dramatic changes in lifestyle. With more staff working from home, a clean computer will also improve cybersecurity.
So in addition to encouraging employees to stop sharing passwords with family members, they should also be encouraged to get rid of old and unsupported devices at home, make sure their Wi-Fi is password-protected, and – like at work – ensure sensitive corporate documents aren’t left on a desk.