What I call off-the-shelf “compliance-focused” security awareness programs are designed to be a “one-size-fits-all” solution that is quick to deploy to all staff. However, the problem I often see with these solutions is that they usually include content that is intended to satisfy strict regulatory and compliance frameworks like GDPR, COBIT and PCI DSS. This is fine if your major concern is the cost of non-compliance with these frameworks.
In fact, some would argue that a regulation like GDPR should always be a concern to every organization, since the penalties for an organization of any size that violates it could be catastrophic. This is one of the biggest fear factors used to sell these programs. And in an ideal, homogeneous business world, that might be the most important business risk to consider. But in reality, I see a lot of small businesses that have much more urgent issues to resolve, issues that can be more impactful on their survival than non-compliance with a regulatory standard or framework.
Now, I’m not saying compliance isn’t important. But even though the content in “compliance-focused” security awareness programs is intended to help reduce cyber security risks, the truth is, their content can actually be inappropriate for many small businesses. For example, one business manager I know in a medium-sized business told me that they implemented a mandatory training program using an off-the-shelf awareness product, and in the end, because of the “one-size-fits-all” best practices the product taught, the security manager literally had to send out a bulletin to all staff saying, “You know the part of the training program that said to always ‘do this’ when using your mobile devices? Well, you can’t do that in our network environment, so you should disregard that part of the training, and ‘do this’ instead.” How confusing is that for employees?

If your primary goal right now is just to get people to stop clicking on stuff, then you need a more practical security awareness solution: one that not only provides deep learning in the key skills employees need for analyzing and avoiding threats, but also lets you modify the content so the guidance is relevant, and the terminology and policies are appropriate to your team. So, to make sure you are indeed developing your staff’s skills in analyzing threats, you really need an interactive awareness solution that lets you simulate a real threat, maybe even one that has actively targeted your team. This is where a gamified learning solution provides much more value than “compliance-based” awareness products. If you can get an off-the-shelf awareness training program that builds skills instead of “giving tips” or listing “do’s and don’ts”, then it will provide much better value in terms of changing employee behavior.
So, if gamified learning sounds like something that could help your program avoid the overwhelming amount of content delivered by a full “compliance-focused” training solution, and instead focus on engaging people to effectively stop clicking on things or falling for scams, then please reach out for a free trial of the Click Armor Active Awareness solution at clickarmor.ca/contact. If you found this episode interesting or valuable, please subscribe to the Click Armor YouTube channel, or sign up to receive updates. I’d like to hear your feedback on any experience or concerns you have with respect to compliance-focused security awareness training, especially if you’re in a small business or a Managed Service Provider that services SMBs.