Humans Are Not Well Equipped for Security Compliance
Even evolutionary science is working against companies trying to get better cooperation from employees, according to Gabriel Whalen, a principal field solution architect with CDW. Whalen, who has military counterintelligence experience and a background in psychology, told attendees that humans are generally bad at considering “second- and third-order threats to self-preservation,” which is how cybersecurity threats tend to register with most people.
To respond to these challenges, Sexsmith said, businesses must take it upon themselves to devise training programs that engage and motivate employees, help them retain the information they have learned and encourage them to act in ways that protect the company.
“We have to get people interested in and motivated to do things differently,” he said. “And that’s what we’re doing at Microsoft. We’ve kind of changed the game when it comes to employee training.”
Five Elements of a Good Security Compliance Program
Sexsmith said every business should consider the following things when it comes to employee training:
- The program itself: Businesses should align specific training activities with their particular goals, paying special attention to areas of deficiency and the maturity of employees with respect to security awareness.
- Motivation: Security is boring — or so employees think. But does it have to be? Microsoft strives to make training engaging and fun, devising gamification strategies to help workers learn and developing a series of tongue-in-cheek videos in which a goofy actor visits with the company’s CISO and other members of its security team to get tips on topics like avoiding phishing.
- Retention: Sexsmith said that various studies have shown people tend to be pretty bad at remembering newly learned information. “We forget 50 percent of what we learn within an hour, and another 20 percent by the next day,” he said. “By lunchtime, you’ll forget half of what I say up here, and tomorrow you may not even remember you were in this session.” To combat that, Microsoft uses a third-party “AI-driven training reinforcement platform,” he said, which takes employees through a series of follow-up questions related to a recent training module.
- Application: Many companies run phishing simulations; Microsoft runs simulations that are actually challenging, sending emails that look better than the typical phishing email and building fake websites that look real. There are clues, including grammatical errors in emails and links with URLs that Microsoft would never use. Still, the clues are subtle, as real phishers are getting better at avoiding the telltale signs that characterized their messages a few years ago.
- Resources: Microsoft has created an online security playbook that all workers have easy access to. It includes the company’s security policies and guidance on how to stay safe. The company also makes it easy for workers to report suspicious messages with just the push of a button on their screens.
Whalen noted that well-devised compliance programs aren’t just top-down and punitive. Instead, they welcome input and tend to be forgiving of violators who self-report. “When people feel like they have some ownership of the program, and they’re not just a serf or a subordinate, they’re more likely to follow the program,” he said.