Strengthening the weakest links

August 4, 2016

In theory, almost everybody understands how important it is to safeguard business-critical information. Regardless, incidents happen on a regular basis that could be avoided with basic security measures. Just look at our top five data leaks (the top five so far in 2016, that is): two of those cases are totally ridiculous.

At the top position — tops for the amount of leaked data — is the government that let 5 million records with names and social security numbers walk out the door, stolen along with the laptop on which the data was stored. In fourth place is the medical lab that failed to protect six hard drives and nearly 1 million client records containing names, addresses, SSNs, and health data.

In both cases, human carelessness opened the door for criminals. The people who worked with the data simply didn’t bother to keep it safe. The moral of these stories is clear and obvious: Your business security must go beyond software and include training for every employee.

That’s right: every single employee. As we all know, any system is only as reliable as its weakest link. But “employees” is an abstract notion. They shouldn’t be considered as a uniform mass. They are specific people, individuals, with varying degrees of technology awareness, performing various tasks, and possessing individual understanding of their jobs and their responsibilities to the company. Which is to say, they need to be addressed in various ways.

Therein lies the stumbling point for the creators of various training programs. They tend to attempt some universal message explaining to everybody at once how information systems work and how to prevent leaks. The message is delivered all at once, over a short period of time — say, an hour and a half. After that, the trainers dedicate perhaps an hour to motivating people to comply. Later, to the trainers’ great surprise, nothing whatsoever changes in their companies.

We analyzed a few such programs and came to the conclusion that they are inefficient because coaches speak about the wrong things to the wrong audience.

People who are tasked with public relations stop listening around the third minute — as soon as they hear how dangerous it is to open letters from unknown sources. Most of the other employees stop listening around minute 15, upon hearing how HTTPS is more secure than HTTP thanks to SSL and TLS protocols…

Managers use their tablets to respond to urgent e-mails throughout the lecture, and top executives might spare a moment to wonder why they should have to sit through all these petty details. When the training session is over, everybody returns to work cursing the wasted hours and rushing to make up for lost work time.

This manner of information delivery obviously makes no sense. People get hit with a barrage of information, much of it irrelevant to their specific jobs. Will this knowledge ever come up in practice? If it does, will anyone remember what they just heard in training?

With the above problems in mind, we took a different approach to developing our own cybersecurity awareness program for employees. As a result, we have a proven training program. We’ve seen that it really works, and recently a respected Spanish cybersecurity magazine awarded a trophy to a part of Kaspersky Lab’s program, the CyberSafety Management Games.

We began with two basic principles: first, avoid abstract information and focus on certain practical skills. Second, instruct different groups of employees differently.

For example, front-desk employees simply do not need to delve into certain technical details; those employees attend interactive online lessons that present scenarios they actually face in their day-to-day work. A top manager doesn’t have the time or patience to listen to a lecture like a university student but will get highly engaged in a simulation, defending a company similar to their own against theoretical security threats. In each case, the employee is eager to learn what they got right and wrong, and why.

In short, we use the right approach for every group, showing every employee how they contribute — and how to contribute — to the security of the organization. We translate the information from the technical experts’ language to the vernacular of business, and we engage employees in exercises to bring home what to do in a variety of situations, why the right way is right and why the wrong ways are wrong. This approach immediately raises the likelihood that the knowledge gained will be used — efficiently — in real life.

Learn more about our cybersecurity awareness program here.