Cybersecurity Awareness Training: How To Choose Training That Works For Your Organization
Adapting to the changing needs of a rapidly evolving workforce
Posted on 04-29-2021
Technological shifts and Covid-19 restrictions have pushed the workforce to new levels of remote work as well as new collaboration platforms. The training industry must adjust to these changes and the needs of a rapidly evolving workforce — one that is younger, more mobile, more diverse, and increasingly more connected. In 2020, cybersecurity attacks grew exponentially. Employee training must catch up with these shifts and increasing cyber-attacks.
Human Resource professionals need to be aware that these new shifts require more focus on cybersecurity, cybersecurity education, and the new solutions in the marketplace that help address these constantly evolving needs.
The Evolution
The employee training industry has changed over the last 10 years. The shift from live in-person to recorded and interactive computer-based training managed by learning management systems (LMSs) was viewed as a huge step forward. Computer-based training was an improvement in that it could be assigned and managed for a more geographically diverse organization by a Human Resource professional. But this type of training also became more automated and less personal.
Additional drawbacks were that it became more of a procedural requirement and lost the focus on skills transfer and its central purpose of educating a workforce. Yes, it initially reduced the costs of in-person training and it seemed to be easier to report and manage. But the core focus of whether it was working and creating a true return on the investment was ignored due to the perceived gains.
Cybersecurity awareness training evolved out of this new push of assigned computer training based on compliance requirements. This training is often scheduled upon hire and annually renewed to meet basic security regulations. Very few organizations have monthly or biweekly cybersecurity training to help consistently educate employees on the constantly changing attacks and dangers. But that is what needs to happen.
Cyber Insurance Trends
According to GlobeNewswire, the cyber insurance market is predicted to grow at 26% CAGR in the next 10 years. This means it will grow from a $5.5 million industry to an over $70.6 million industry. All companies both large and small, public and private either have cyber insurance or are looking at cyber insurance. This is important to understand because a majority, if not 100%, of these cybersecurity insurance policies require the cybersecurity education of employees as a key factor in holding and maintaining the policy.
Cybersecurity awareness training for employees is equivalent to a homeowner insurance policy requiring working fire alarms in a residential home. Insurance companies know that 90% of cyber breaches can be traced to human error. So, they require cybersecurity training. Because employee education is a key factor in holding insurance policies, it's becoming more and more important for senior executive teams to understand and show their ability to address this need.
Who Is in Charge?
There are two areas of an organization that are generally responsible for cybersecurity education — either the technology department or the human resource department. Every organization is different. But generally, both groups often feel inadequate in managing this type of training.
IT departments don’t like being responsible for training. They feel it is a side area of their core function and often the only area of training they are over. On the flip side, human resource departments are often staffed with less technical employees. They have strong people and communication skills, but they often lack deep technical and computer knowledge. Having human resource staff manage cybersecurity training is often difficult because they have a steeper learning curve and don’t want to be the hands-on manager of curriculum and campaigns they have little or no background in.
‘Forced Navigation’ Is Not a Selling Point
Anyone who has talked to cybersecurity platform salespeople will have heard the term ‘Forced Navigation’ used as a selling point. It is not what it seems. This term is pitched as a positive feature because it means the employee has to stay in front of the training and click a forward button or otherwise engage with the presented information. It is used to keep the employee from starting the training and then ignoring it by leaving the workstation, talking to a coworker, getting a snack, or going to the restroom. Forced navigation is put in place to make sure the often stale and static content is seen. But forced navigation doesn’t address the real underlying issue.
The real issue is training is generally so boring, overwhelming, or otherwise awful that employees dread it and consistently complain about it. Why is merely “seeing” the training enough when that doesn’t result in engagement, growth, real understanding, or retention of information? How is this an asset or a worthwhile investment of time and capital? With forced navigation, “forcing” the information on the employee is the goal. The real goal of any training is behavior change and skills growth — not forced navigation and merely seeing the content.
Training that creates positive engagement naturally results in behavior change and an improvement in skills — without force. For over one hundred years, researchers have known how to do this, but the training industry didn’t use this knowledge in the design or delivery of training because it was built on the simple goal of checkbox compliance.
Modern Training for Modern Workforce
The pandemic has revealed what the future can hold — a more remote workforce, greater exposure to breaches, and increased phishing and ransomware attacks. For a large portion of the year, offices were empty. Employees were working from home offices, garages, family rooms, and closets. But even with people returning to shared office spaces, workforces are still mobile — with laptops, personal devices, and smartphones often connected to work networks or carrying sensitive data. This mobility will only increase as workforce demographics continue shifting to include growing numbers of millennials and Generation Z.
Today’s workforce has changed. More than ever, training needs to be created for a mobile workforce and technology-engaged users who will find sitting and clicking on information screens a boring waste of time.
Picking the Right Training
Skip the forced navigation. The right cybersecurity training will create positive behavior change, skills growth, and increased confidence, and will reinforce good habits in employees that result in more secure environments. Forced navigation won’t create this.
Look for training that includes rewards for engagement, encourages working as a team and in groups, and provides individual recognition so that employees feel like a person instead of a number. ‘More carrot, less stick’ naturally increases willing engagement in training. But above all, the platform should embrace a model of continuing education, not a once-a-year training that is insufficient for keeping pace with skills development and the changes in an evolving mobile workplace.
Traditional training and those built around long meetings, information-rich sessions, or forced navigation don’t create change because of the way the human mind works. For around 150 years, researchers have known that attention drops off sharply after 20 minutes and that we can only retain around seven pieces of information at a time. An hour after training, more than 50% of the material taught has already been forgotten. But, training done in small blocks utilizing the science of memory and the human mind’s neurochemistry results in closer to a 90% retention rate.
All Work and No Play…?
Work may be a serious thing, but training doesn’t need to be. In fact, the old proverb “all work and no play makes Jack a dull boy” is true. Without play, employees become bored and dull. Play not only increases retention of employees, it also increases retention in employees — which improves productivity, performance, and when applied to cybersecurity awareness: security.
The best training feels like play because the human mind learns best when playing. During play, the mind releases a series of neurochemical triggers that increase retention and can literally make learning addictive. These neurochemicals are often leveraged by game designers and marketers to keep consumers coming back for more. Applying this to internal training programs invigorates not only memory but also the desire to be trained and to improve skills. It turns training into an activity that is looked forward to instead of dreaded and avoided.
Combining gamification and microlearning leverages the science of learning and memory with the neurochemical clues of play to create strong recall, behavioral change, and skills growth. It is training that builds and strengthens neural pathways creating behavioral change. The result is not only more efficient and confident employees but also better teams and more secure organizations.
Conclusion
Creating real behavior change in cybersecurity is a critical core concern for all organizations. Whether it is the need to satisfy requirements of regulations like Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), or insurance requirements, training is more than compliance. Training is a real understanding that applies new learning to creating improved behaviors. People can be the weakest link or the greatest strength to keeping an organization secure. The training they have access to is key to their ability to protect and grow the company or expose it to risk.
Real training improves people, processes, and organizations — anything else is just a waste of money and time. Money, time, and people are essential to the success of an organization. Don’t waste any of them.
Here’s a quick checklist for the next time you’re in the market for Cybersecurity awareness:
Quick Checklist for Better Cybersecurity Awareness Training
1. Is it microlearning focused — are the segments less than 3 minutes?
2. Does it use gamification and rewards?
3. Can teams and departments compete or play against each other?
4. Does it have single sign-on enabled?
5. Can you easily add customized company content?
6. Does it provide detailed reporting on individuals, teams, and divisions?
7. Will your employees want to use it?
Author Bio
Heather Stratford is the Founder and CEO of Stronger International Inc. Heather, and her team, have created custom programs for multinational companies designed to create more behavior change. Heather is a thought leader in the cybersecurity field, speaks nationally, writes on cyber topics and was named a national Tory Burch fellow in 2019. Visit https://stronger.tech