Many organizations offer cybersecurity training, but don’t see reduced cybersecurity risk. Influence techniques help change employee behavior and awareness.
Organizations around the world are taking significant measures to improve both cybersecurity and risk management. Establishing strategies, delegating responsibilities, and training employees about cybersecurity are all important practices that CEOs are choosing to implement across their organizations. Despite these changes and improved company-wide training, studies continue to show that at least 91% of cyber attacks start with phishing schemes.
So, why is nothing changing? Cybersecurity training does not always lead to cybersecurity awareness if employees are only asked to learn information, rather than change their behaviors. While training is essential, experts recognize that improved cybersecurity awareness and risk management come not only from training but also from influence techniques.
Marcel Manning, a Leesburg computer support specialist with NexgenTec, shares insights on improving security best practices.
What are Influence Techniques?
Influence techniques, as described by the SANS Institute, are essentially the same methods cybercriminals use to create social engineering and phishing schemes. Lectures and verbal persuasion are one way to share information and implement change within your organization, but training employees in cybersecurity awareness and changing their behavior requires understanding what motivates them.
In a SANS Institute study, researchers found that even organizations with well-funded cybersecurity programs experienced attacks involving phishing, SQL injection, and weak passwords. Even though employees were being trained, they weren’t changing their behavior with regard to security.
Influence techniques aim to help change individuals’ unconscious and conscious decisions. Conscious decisions are based on three things: unconscious thoughts, perceived ability to accomplish a given task, and the perceived value of accomplishing that task.
Unconscious decisions, on the other hand, are impacted by a person’s internal and external motivators. What influences employees in your organization to change their behavior and awareness of cybersecurity threats? Most individuals require a personal connection to the task to fully engage and implement new behaviors. Here are several ways to implement influence techniques in your cybersecurity training in order to improve company-wide cybersecurity awareness.
Break Challenging Goals into Small Tasks
When teaching new practices or processes, many employees are hampered by their lack of ability—or perceived lack of ability. The sense of being overwhelmed will prevent them from taking action on even the simplest of changes.
Instead of offering overarching goals, help employees feel capable by breaking goals into smaller, achievable tasks. Rather than telling your team to be cautious about using devices on unsecured networks, create an actionable plan that achieves the goal of better cybersecurity practices. Show them how to install and use a VPN, and then guide them through the simple steps to take when using devices outside of work.
Encourage Participation and Ownership
Cybersecurity training often involves lecturing and, in some cases, tests that only measure immediate knowledge. With cybersecurity awareness, the goal is to help your team take ownership of cybersecurity best practices. When they feel a sense of ownership and participation, they are more likely to change their behaviors.
How do you encourage ownership? Instead of telling them to avoid phishing emails, ask them to help you develop a process by which they systematically identify all the elements that might indicate a phishing email. By allowing them to establish a system that makes the most sense in their day-to-day work, they are more likely to implement the plan that they helped create.
By asking your employees to take ownership of cybersecurity measures, you are also inviting them to be part of the company’s overall security journey. To provide continued motivation and encouragement with regard to cybersecurity awareness, share measurable security metrics with your team. For example, highlight how many phishing emails were identified and avoided (if possible), or a reduction in virus detections since new protocols were put in place. Celebrate progress as a company and your team will be motivated to continue these best practices.
Implement Ongoing Cybersecurity Awareness
Security awareness is not a one-time training technique. Instead, it is an ongoing process that can become part of your risk management plan. By inviting your team on the journey of cybersecurity management, and providing both unconscious and conscious ownership of the process, your organization is well on its way to making great strides toward effective risk management.