Employees are fast becoming the weakest link in the defence against cybercriminals. Sometimes common sense can only go so far, as you need to make sure that best practices around security don’t go in one ear and out the other. Whether through innocent mistakes or because they were targeted for their access to sensitive information, employee error can easily open the door to malware or information theft.
Successful attacks often involve poor processes and exploit human tendencies. To reduce an organisation’s threat surface, the focus of regular employee training needs to shift from reaction to prevention. Pure compliance-driven approaches have proven to be ineffective for organisations when used for employee security training, usually because it isn’t interesting or personal enough to capture employees’ imaginations. Businesses should focus on educating employees about how to protect their personal data, thereby encouraging employees to enact further security-orientated practices in the workplace.
Employee training may take different forms, including the increasing practice of “gamifying” cybersecurity education programs. Gamification is the process of using gaming mechanics in a non-gaming context, leveraging what is exciting about games and applying it to other types of activities that may not be so fun. Designed with elements of competition and reward, gamification programs are becoming popular because they can be used within a variety of industries.
Many businesses currently use gamification in such areas as customer engagement, and employee education and training to drive performance and motivation. Gaming elements include one-on-one competitions, rewards programs, and more.
There are two key ways business owners can use gamification as a way of addressing cybersecurity in their organisation:
1. Make training more exciting and engaging for employees
Using gamification can help businesses improve their cybersecurity in numerous ways, including showing employees how to avoid cyberattacks and learning about vulnerabilities in software.
Global consulting firm PwC teaches cybersecurity through its Game of Threats.  Executives compete against each other in real-world cybersecurity situations, playing as either attackers or defenders. Attackers choose the tactics, methods, and skills of attack, while defenders develop (defence) strategies, and invest in the right technologies and talent to respond to the attack. The game gives executives an understanding of how to prepare for and react to threats, how well-prepared the company is, and what their cybersecurity teams face each day.
Gamifying will help make the training process more exciting and engaging for employees, increasing employee awareness of cybersecurity practices, including how to deal with attacks correctly.
2. Offer incentives and rewards to encourage desired behaviours
Human error is responsible in most security breaches, with employees feeling pressured to complete work by certain deadlines and as quickly as possible, which can result in them overlooking important company policy regarding security.
For example, running so-called PhishMe campaigns can be a great way to train employees on better email security. These include regular phishing emails sent across the organisation, testing the staff’s response and action.
Gamification lets businesses reward those employees who follow security procedures and adhere to the correct security guidelines, which will further promote good behaviour. This may take the form of employees receiving a badge or recording points, which are then displayed on a scoreboard for the office to follow. In some organisations, after employees reach specific milestones, they are presented with a material reward, such as a gift voucher.
This system also allows for the identification of those who display poor behaviour within gamification and may result in the employee needing to complete further cybersecurity training. Recognising and rewarding employees when they do the correct thing leads to continued positive behaviour, motivating employees to undertake safe practices and resulting in a more cyber-secure working environment.
At the heart of any security awareness training is education to teach employees a shared sense of responsibility for the data they work with, and the data they create and use at home. All security awareness campaigns should become part of an ongoing process, not a one-time initiative. Leaders of any business, big or small, can sometimes feel they lack the resources needed to drive an effective cybersecurity education campaign, but this can be done without breaking the bank.
- Visual aids work well. Start with some small videos, posters and/or contests as a reminder to drive the message home for all to understand that security is everyone’s responsibility.
- ‘Fear of God’ tactics do not work. The business goal should be to build a culture of cyber awareness, so treat this like a marketing campaign with the intent to persuade and change the behaviour of an employee.
- Short and concise work best. Long emails always get ignored. Keep them short and fun, and ALWAYS ensure it is a top-down approach. Employees look up to their leaders. If the leaders do not embody a cyber-secure culture, why should the employees? The aim is to educate employees about best practices, not force them to be cybersecurity experts. Make it fun and have a laugh, so everyone can learn at the same time.
- Reinforcement and follow-up are key. Training is a constant; learn from what works and re-educate as needed. Re-test your newly onboarded, as well as existing, staff members on whether they fall for a phishing email, and check to see how many employees still fail to recognise a fake email. Encourage communication to report a fake and call out departmental groups that may be lagging. The aim is not to single people out, but rather create some healthy rivalry within the organisation.
Eliminating cyber risks in any business is an ongoing process, but it can be managed. We need to foster a way for employees to call out where they question something and re-educate as needed. If employees walk away from the security awareness program questioning before they click on something malicious, you have moved the needle towards being more secure.
[Palo Alto Networks Research Center]