{"id":15411,"date":"2019-05-28T08:10:02","date_gmt":"2019-05-28T16:10:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/05\/28\/news-9160\/"},"modified":"2019-05-28T08:10:02","modified_gmt":"2019-05-28T16:10:02","slug":"news-9160","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/05\/28\/news-9160\/","title":{"rendered":"Employee education strategies that work to change behavior"},"content":{"rendered":"<p><strong>Credit to Author: Kacy Zurkus| Date: Tue, 28 May 2019 15:25:52 +0000<\/strong><\/p>\n<p>When people make the decision to get in shape, they have to commit the time and energy to do so. Going to the gym once isn\u2019t going to cut it. The same is true when it comes to changing the <a href=\"https:\/\/blog.malwarebytes.com\/101\/2017\/10\/how-to-create-intentional-culture-of-security\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"culture of an organization (opens in a new tab)\">culture of an organization<\/a>. In order to be effective in changing employee behavior, training needs to be on-going and relevant. <\/p>\n<p>Technology is rapidly evolving. Increasingly, new solutions are able to better defend the enterprise against malicious actors from the inside and out, but tools alone cannot protect against cyberattacks. <\/p>\n<p>Verizon\u2019s <em>2019 Data Breach Investigations Report (DBIR) <\/em>found that:<\/p>\n<blockquote class=\"wp-block-quote\">\n<p>While hacking and malicious code may be the words that resonate most with people when the term \u201cdata breach\u201d is used, there are other threat action categories that have been around much longer and are still ubiquitous. Social engineering, along with misuse, error, and physical, do not rely on the existence of cyberstuff.  <\/p>\n<\/blockquote>\n<p>In short, people matter. Employee education matters.  
<\/p>\n<p>Taking a technological approach to securing the enterprise has started to unravel over the last decade, according to Lance Spitzner, director, research and community at SANS Institute. \u201cThe challenge we are facing is that we have always perceived cybersecurity as a technical problem. Bad guys are using technology to attack technology, so let\u2019s focus on using technology to secure technology,\u201d Spitzner said.<\/p>\n<p>Increasingly, organizations have come to understand that they must also address the human problem. The findings from this year\u2019s DBIR are evidence that human behavior is a problem for enterprise security. According to the report:<\/p>\n<ul>\n<li>33 percent of data breaches included social attacks<\/li>\n<li>21 percent resulted from errors as causal events<\/li>\n<li>15 percent of breaches were caused by misuse by authorized users<\/li>\n<li>32 percent of breaches involved phishing<\/li>\n<li>29 percent of breaches involved the use of stolen credentials<\/li>\n<\/ul>\n<h3>Calling all stakeholders<\/h3>\n<p>Some organizations are still implementing antiquated annual computer-based training and wondering why their security awareness program isn\u2019t working. Despite the security team\u2019s understanding that they must do more, creating an effective employee education program takes buy-in from a variety of different stakeholders, said Perry Carpenter, chief evangelist and strategy officer of KnowBe4 and author of <em>Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors<\/em>.<\/p>\n<p>\u201cIf they are stuck in the once a year, they have to find a way to justify moving past that, so there is some selling they have to do to their executive team in order to get support for more frequent communications and more budget. 
It\u2019s essentially the higher touch that they have to sell,\u201d Carpenter said.<\/p>\n<p>Even those organizations that don\u2019t have the budget to use an outside vendor can find ways to create compelling content, which means that security teams are tasked with the burden of having to justify the need for more employee engagement.<\/p>\n<p>One way to sell that need, according to Carpenter, is to leverage the psychological effect known as the decay of knowledge. \u201cWe go to something and two days later, we forget most of the content. The further away we get from it, the more irrelevant, disconnected, and invisible it becomes.\u201d<\/p>\n<p>Evidence shows that a greater frequency of security education is the first step toward creating a more engaging awareness program. \u201cIn all things that you do, you are either building strength or allowing atrophy,\u201d Carpenter said. <\/p>\n<p>Once you have the buy-in to be able to really grow the company\u2019s security awareness program, you need to figure out how to connect with people. That\u2019s why Carpenter is a fan of a marketing approach that uses several channels.<\/p>\n<p>Given that some people learn best visually while others prefer in-person instruction, identifying which content forms are most engaging to different employees will inform the types of training needed for the program to succeed. <\/p>\n<h3>No more death by PowerPoint<\/h3>\n<p>The old computer-based training programs developed by auditors have done little to defend the enterprise against sophisticated phishing attacks. If you want people to care about security, you need to build a bridge between technology and people. <\/p>\n<p>Sometimes, those who are highly technically skilled aren\u2019t adept at communicating with people. 
\u201cTraditionally, some of the biggest blockers to awareness programs were security people who believed if the content wasn\u2019t technical that it wasn\u2019t security,\u201d Spitzner said.<\/p>\n<p>Now, security professionals are starting to realize that employees respond differently to a variety of attack vectors, which is why Omer Taran, co-founder and CTO at <a href=\"https:\/\/cybeready.com\/\">CybeReady<\/a>, said that collecting and analyzing performance data in real time is crucial to building a better awareness education program.<\/p>\n<p>\u201cSpecially designed \u2018treatment plans\u2019 should include an adjusted frequency, timely reminders, custom simulations, and training content that helps to reform this particularly susceptible group,\u201d Taran said.<\/p>\n<h3>Empowering employees<\/h3>\n<p>In order for companies to stay a step ahead of cybercriminals, their employee education programs need to be engaging. That\u2019s why building a security-aware culture is one of the most important steps the organization can take.<\/p>\n<p>\u201cProcesses and policies are fine, but if you\u2019re not winning hearts and minds and gaining buy-in from employees, it\u2019s probably a non-starter. The bad guys don\u2019t care how well-written your policies are, or even if you have any,\u201d said Lisa Plaggemier, chief evangelist at <a href=\"https:\/\/www.infosecinstitute.com\/\">Infosec<\/a>.<\/p>\n<p>It\u2019s also important not to play the blame game. Rather, Plaggemier said, \u201cempower employees with awareness campaigns and good quality training, delivered through a program that influences behavior.\u201d<\/p>\n<p>To make cybercrime and fraud protection key parts of your company culture, Plaggemier recommended that leaders and managers consider these tips:<\/p>\n<ul>\n<li><strong>Be an example.<\/strong> Leaders have the ability to shift attitudes, beliefs, and ultimately, employee behavior. 
If leaders are taking security shortcuts that put the company at risk, employees will not believe the company is serious about doing everything it can to keep a secure workplace.<\/li>\n<li><strong>Be clear.<\/strong> Where confusion can create a culture of reactive rather than proactive behaviors, clarity helps prioritize the work. Make it clear that protecting the business is a top priority by creating written policies and having clear processes and procedures in place.<\/li>\n<li><strong>Be repetitive.<\/strong> Repetition is key for instilling good security habits in your employees. Human beings create new habits over time by repeating their actions. Encourage employees to make those out-of-the-ordinary tasks, such as calling a vendor to confirm it\u2019s really him asking you to change his &#8220;pay to&#8221; account, become routine.<\/li>\n<li><strong>Be positive.<\/strong> Fear, uncertainty, and doubt are not good motivators. Instead, use language that empowers your employees. 
Make people feel like they matter in the information you share with them so that they can be better, smarter, and more confident in their choices when faced with something potentially malicious.<\/li>\n<\/ul>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/101\/how-tos\/2019\/05\/employee-education-strategies-that-work-to-change-behavior\/\">Employee education strategies that work to change behavior<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/101\/how-tos\/2019\/05\/employee-education-strategies-that-work-to-change-behavior\/' title='Employee education strategies that work to change behavior'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/05\/shutterstock_380394427.jpg' border='0' width='300px' \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'><p>Using technology alone to combat cyberattacks is not enough. 
That&#8217;s why employee education on security awareness should be an integral part of any company&#8217;s cybersecurity policy.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/101\/how-tos\/\" rel=\"category tag\">How-tos<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/culture-of-security\/\" rel=\"tag\">culture of security<\/a>, <a href=\"https:\/\/blog.malwarebytes.com\/tag\/cybersecurity\/\" rel=\"tag\">cybersecurity<\/a>, <a href=\"https:\/\/blog.malwarebytes.com\/tag\/cybersecurity-awareness\/\" rel=\"tag\">cybersecurity awareness<\/a>, <a href=\"https:\/\/blog.malwarebytes.com\/tag\/cybersecurity-policy\/\" rel=\"tag\">cybersecurity policy<\/a>, <a href=\"https:\/\/blog.malwarebytes.com\/tag\/employee-education\/\" rel=\"tag\">employee education<\/a>, <a href=\"https:\/\/blog.malwarebytes.com\/tag\/employee-training\/\" rel=\"tag\">employee training<\/a>, <a href=\"https:\/\/blog.malwarebytes.com\/tag\/security-training\/\" rel=\"tag\">security training<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/101\/how-tos\/2019\/05\/employee-education-strategies-that-work-to-change-behavior\/' title='Employee education strategies that work to change behavior'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[16022,4500,12081,14715,21887,20152,11171,17550],"class_list":["post-15411","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-culture-of-security","tag-cybersecurity","tag-cybersecurity-awareness","tag-cybersecurity-policy","tag-employee-education","tag-employee-training","tag-how-tos","tag-security-training"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15411","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15411"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15411\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15411"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15411"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15411"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}