Employees are fast becoming the weakest link in the defence against cyber criminals. Here’s some useful advice on how to turn this around.
Whether through innocent mistakes or because they are targeted for their access to sensitive information, employees can easily open the door to malware or information theft. The spread of the WannaCry ransomware, which recently debilitated hospitals, businesses and government departments across the globe, has amplified awareness of such threats (WannaCry itself spread mainly by exploiting an unpatched Windows SMB flaw, so training complements patching rather than replacing it).
Successful attacks typically exploit poor processes and predictable human tendencies, so regular employee training needs to shift its focus from reacting to incidents to preventing them. Companies need to get ahead of emerging threats.
Pure compliance-driven approaches to employee security training have proven ineffective, usually because the material is not interesting or personal enough to capture employees' attention.
Businesses should start by teaching employees how to protect their own personal data; habits learned there carry over into security-conscious practices in the workplace.
Employee training may take different forms, including the increasing practice of gamifying cyber security education programs.
Gamification is the use of game mechanics in a non-game context: taking what makes games engaging and applying it to activities that are not so much fun in themselves. Built around competition and rewards, gamification programs are becoming popular because they can be applied across a variety of industries.
Many businesses currently use gamification in areas such as customer engagement, and employee education and training to drive performance and motivation. Gaming elements include one-on-one competitions, rewards programs and more.
There are two ways business owners can use gamification in order to address cyber security in their organisation:
1. Make training more exciting and engaging for employees
Gamification can help businesses improve their cyber security in several ways, including teaching employees how to recognise and avoid attacks and how software vulnerabilities are exploited.
Global consulting firm PwC teaches cyber security through its game, Game of Threats, in which executives compete against each other in realistic cyber security scenarios, playing as either attackers or defenders.
Attackers choose the tactics, methods and skills of the attack, while defenders develop a defence strategy and must invest in the right technologies and talent to respond to it.
The game gives executives an understanding of how to prepare for and react to threats, how well prepared the company is, and what their security teams face each day.
Gamification makes the training process more exciting and engaging for employees and increases their awareness of good cyber security practice, including how to respond to an attack correctly.
2. Offer incentives and rewards to encourage desired behaviours
Human error is a factor in most security breaches: employees under pressure to complete work by a deadline, as quickly as possible, can end up overlooking company security policy.
For example, running simulated phishing campaigns (with tools such as PhishMe) is a good way to train employees in safer email habits. Realistic phishing emails are sent across the organisation at regular intervals, and each employee's response is recorded: whether they clicked the link, entered credentials, reported the message, or ignored it.
Gamification lets businesses reward those employees who follow security procedures and adhere to the correct security guidelines, which will further promote good behaviour.
This may take the form of employees earning badges or accumulating points, which are then displayed on a scoreboard for the office to follow. In some organisations, employees who reach specific milestones are presented with material rewards such as a gift voucher.
The same system identifies employees who repeatedly fall for the simulations, who may then be asked to complete further cyber security training. That follow-up works best when handled privately with the individual: a public scoreboard should celebrate good reporting, not name those who clicked, since shaming discourages people from reporting real incidents.
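As an added example (not from the article, and not the behaviour of PhishMe or any other product), the script below scores a set of constructed phishing-simulation events along the lines described above: employees earn points for reporting a simulated phish, lose points for clicking or entering credentials, get partial credit if they report after clicking, and are placed on a private remedial-training list when they fail repeatedly. The point values, badge thresholds, action names and employee names are all assumptions chosen for illustration.

```python
"""Scoring for simulated-phishing campaigns (illustrative example, not from the article).

Input is a list of constructed event dicts: {"campaign", "employee", "action"} where
action is one of "delivered", "clicked", "submitted" (entered credentials) or "reported".
Every targeted employee gets a "delivered" event so that doing nothing can be scored.
"""
from collections import defaultdict

# Points per campaign outcome (assumed values for illustration).
POINTS = {
    "reported": 10,   # reported without clicking
    "ignored": 1,     # neither clicked nor reported
    "clicked": -5,    # followed the link
    "submitted": -10, # entered credentials on the landing page
}
REPORT_BONUS = 3  # reported after clicking/submitting: incident response can still contain it
MILESTONES = {20: "Spotter", 50: "Sentinel", 100: "Guardian"}  # assumed badge thresholds


def score_employee(actions):
    """Return (outcome, points) for one employee's set of actions in one campaign."""
    reported = "reported" in actions
    if "submitted" in actions:
        outcome = "submitted"
    elif "clicked" in actions:
        outcome = "clicked"
    elif reported:
        outcome = "reported"
    else:
        outcome = "ignored"
    points = POINTS[outcome]
    if reported and outcome in ("clicked", "submitted"):
        points += REPORT_BONUS  # a late report is still worth rewarding
    return outcome, points


def tally(events):
    """Aggregate events into per-employee totals: {employee: {"points", "outcomes"}}."""
    per_campaign = defaultdict(lambda: defaultdict(set))
    for e in events:
        per_campaign[e["campaign"]][e["employee"]].add(e["action"])
    totals = defaultdict(lambda: {"points": 0, "outcomes": []})
    for campaign in sorted(per_campaign):
        for emp, actions in per_campaign[campaign].items():
            outcome, pts = score_employee(actions)
            totals[emp]["points"] += pts
            totals[emp]["outcomes"].append(outcome)
    return dict(totals)


def badge(points):
    """Highest milestone badge earned for a point total, or None."""
    earned = [name for threshold, name in sorted(MILESTONES.items()) if points >= threshold]
    return earned[-1] if earned else None


def leaderboard(totals):
    """Public scoreboard: employees with positive scores, best first. Failures are never shown here."""
    ranked = sorted(((emp, t["points"]) for emp, t in totals.items() if t["points"] > 0),
                    key=lambda kv: (-kv[1], kv[0]))
    return [(emp, badge(pts), pts) for emp, pts in ranked]


def needs_training(totals, failures=2):
    """Private list for the security team: employees who clicked or submitted in >= `failures` campaigns."""
    return sorted(emp for emp, t in totals.items()
                  if sum(o in ("clicked", "submitted") for o in t["outcomes"]) >= failures)


# Constructed sample data: three campaigns, four employees (assumed names).
EVENTS = [
    {"campaign": "c1", "employee": "alice", "action": "delivered"},
    {"campaign": "c1", "employee": "alice", "action": "reported"},
    {"campaign": "c1", "employee": "bob", "action": "delivered"},
    {"campaign": "c1", "employee": "bob", "action": "clicked"},
    {"campaign": "c1", "employee": "carol", "action": "delivered"},
    {"campaign": "c1", "employee": "carol", "action": "clicked"},
    {"campaign": "c1", "employee": "carol", "action": "submitted"},
    {"campaign": "c1", "employee": "dave", "action": "delivered"},
    {"campaign": "c2", "employee": "alice", "action": "delivered"},
    {"campaign": "c2", "employee": "alice", "action": "reported"},
    {"campaign": "c2", "employee": "bob", "action": "delivered"},
    {"campaign": "c2", "employee": "bob", "action": "clicked"},
    {"campaign": "c2", "employee": "bob", "action": "reported"},
    {"campaign": "c2", "employee": "carol", "action": "delivered"},
    {"campaign": "c2", "employee": "carol", "action": "clicked"},
    {"campaign": "c2", "employee": "dave", "action": "delivered"},
    {"campaign": "c2", "employee": "dave", "action": "reported"},
    {"campaign": "c3", "employee": "alice", "action": "delivered"},
    {"campaign": "c3", "employee": "alice", "action": "reported"},
    {"campaign": "c3", "employee": "bob", "action": "delivered"},
    {"campaign": "c3", "employee": "carol", "action": "delivered"},
    {"campaign": "c3", "employee": "carol", "action": "clicked"},
    {"campaign": "c3", "employee": "carol", "action": "submitted"},
    {"campaign": "c3", "employee": "carol", "action": "reported"},
    {"campaign": "c3", "employee": "dave", "action": "delivered"},
    {"campaign": "c3", "employee": "dave", "action": "reported"},
]

if __name__ == "__main__":
    totals = tally(EVENTS)
    print("Scoreboard:", leaderboard(totals))
    print("Remedial training (private):", needs_training(totals))
```

Two design choices matter more than the exact point values: reporting after a click still earns something, because a prompt report is what lets the security team reset credentials and contain a real incident, and the public scoreboard lists only positive scores while the remedial list stays with the security team.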
Recognising and rewarding employees when they do the correct thing leads to continued positive behaviour, motivating employees to undertake safe practices and resulting in a more cyber-secure working environment.
Sean Duca is the vice president and regional chief security officer, Asia-Pacific, at Palo Alto Networks.