Do you have low employee engagement, no matter what you’ve tried? We’ve all been there: You’ve finally built out what you think is the perfect cybersecurity awareness training program. It checks all the legal boxes, your boss is happy with it, and it didn’t even cost that much!
You launch it with pride. Then, a week later you check and people aren’t completing the training. What is going on?
Low employee engagement means there’s an issue with your program. So, before you send out that mass reminder email, let’s check to see if your program pulls all the levers to engage employees.
If you have a program in place, and you’ve sent employees the notifications to complete the training, what more can you do? You can lead a horse to water, but you can’t make it drink, can you?
Actually, you may have to. “Defensibility” of your security awareness program is now important for several reasons.
If you experience a breach that involved poor employee judgement, the organization can now be held accountable in any legal actions. Just because you “have a program” doesn’t mean you have done what is needed to avoid liability.
But it also makes sense to go the extra mile to ensure that employees not only complete the training, but that they learn from it. Employee engagement is important in any area, but when it comes to security, it’s especially critical right now that employees learn something from the training.
If employees don’t pay attention or take an active interest in the material being presented during training sessions, they may not retain the necessary knowledge needed to protect your organization’s data from phishing and scams. By upping your employee engagement, you are:
Cyber security training isn’t an employee’s idea of “fun”. Not only does it have a bad reputation for being boring, but it’s also known to be a time-sucker. Your employees are busy; they don’t want to give up hours of their day, when they could be finishing a project, to complete a simulation of phishing tactics they think they can already spot.
They are always looking for an excuse to disengage with the program because they have more important short term priorities to get to.
The combination of a training program being boring, wasting their time, and being something they can’t learn from automatically drops cyber security down to the bottom of their to-do list. Our job as IT and cyber security professionals is to not only change our employees’ minds, but change the way training is done, to make sure it’s engaging, worthwhile, and purposeful.
If your employee doesn’t handle invoices, does it make sense to test them on social engineering scenarios for invoices? It can actually help many employees to see a relevant scenario that could translate to them in their job, but there should be a way for them to do it in an enjoyable and educational way that respects their intelligence.
If your employee doesn’t handle highly sensitive data, they don’t need to be trained on high assurance procedures. It sounds simple, but a lot of security programs don’t make this distinction, and try to force too much information on employees at one time.
Your security program should include tailoring of content for all different teams, levels, and roles. When building or editing your program, start by analyzing the structure of your organization. What does the risk environment of each team in the organization look like? Who do they normally trust, and who will be impersonated by attackers? What information or systems might be targeted, and what kind of actions should be considered normal versus “out of the ordinary”? Then start building from there. When this is implemented, no one will be doing unnecessary training, and employees will see more relevant and helpful guidance.
An employee is also likely to be more engaged when the risk scenario in training relates to them. Instead of learning about something that doesn’t matter, they are actually picturing themselves in that situation and putting effort into the training. It’s a bonus if you can include names or company partners in the training!
Click Armor allows you to customize your training to names of real people, roles and your organization, to keep your employees engaged. Book a call with us today.
Your employees don’t have hours to spend during their week to complete security training. The size of the program may seem so large that your employees will procrastinate starting it because they know they don’t have time.
It’s easier to put just 3 minutes of their week into testing and reinforcing their cyber security knowledge. By shortening the length of the training sessions, and making them more fun and valuable to them, it will seem much less daunting. A 3-minute challenge can be done while sipping coffee or waiting for a meeting to start.
Making training times shorter doesn’t mean you leave out content; you just have continuous training instead of mass training. Decades of research have shown that when something is studied over time instead of all at once, it’s more likely to stay in one’s long-term memory. So now, not only are employees completing the training, but the information is staying in their brains in the long term. Plus, they come to expect regular shots of valuable information in a fun format.
Another bonus of having continuous short training periods is that you can sneak in updates to your training that are timely and relatable to what is going on in the news or among colleagues. If there is a scam going around that your employees need to be aware of, you should be able to easily add it into the next week’s 3-minute challenge program so your employees are ready to defend your business from any attackers.
Gamifying your training is one of the best ways to increase employee participation. But this doesn’t at all mean that security awareness is a game in itself. Far from it. Viewing gamification of security awareness as being a frivolous activity is very short-sighted, and reveals a lack of understanding of human psychology. A gamified program simply uses more compelling psychological drivers, similar to those used in video games, to hold employees’ attention longer, to focus and absorb information more deeply.
By putting typical knowledge into fun, stimulating and interactive lessons, employees are more likely to see the training all the way through. Putting your training into a gamified format allows employees to enter a completely new world and simulation every time they log on to do the training. This allows their brains to be excited and entertained. They start to become curious about what they will experience the next time they open a training session.
A gamified training program also allows the perfect opportunity for immediate feedback. So, when your employees make a decision they can immediately understand the consequences of it rather than just receiving a 7/10 later on their quiz. When they see what happens when decisions are made, they can learn and correct their actions.
Nothing is more fun than a bit of friendly competition. By having your training gamified and conducting activities on a weekly basis, employees can battle against each other every week over the top ten rankings on the leaderboard. It’s also the perfect opportunity to provide incentives to employees that do well.
Employee engagement is essential when it comes to cyber security. By taking the necessary steps to make training more digestible, customizing content, and increasing employees’ motivation through gamification, organizations can be more successful in preventing cyber attacks. Taking small, proactive steps to improve the overall engagement of your team will help keep your corporate data, customers and reputation safe from threats.
So, gamification is actually essential to having an effective security awareness training program, to ensure greater knowledge retention.
This is what we mean by having a “defensible program”.
Sound like a lot to handle? If you’d like extra guidance on adding an effective cyber security layer to your business, we’re here to help.
Book a call with us today to see how Click Armor can provide increased engagement for your employees, and a more visible security culture for your organization that is clearly defensible.
Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.