Feb 27 2020

RSA 2020: How to Improve Employee Cybersecurity Compliance

Worker training is often ineffective, so Microsoft redesigned its program.

American businesses excel at many things; managing employee training programs designed to improve compliance with cybersecurity protocols isn’t one of them. Consider the following scenario outlined by Ken Sexsmith, director of security education, awareness and training at Microsoft, at RSA 2020 in San Francisco.

An employee begins a training session but is quickly and repeatedly interrupted — by a colleague, a customer or even a personal matter — even as the training modules continue. Soon the session is over, and it’s easy enough to simply certify that the training was completed even though the employee doesn’t know much he or she didn’t know before.

“That’s compliance training,” Sexsmith said. No wonder companies continue to struggle with actual employee compliance with security policies, training notwithstanding.

Humans Are Not Well Equipped for Security Compliance

Even evolutionary science is working against companies trying to get better cooperation from employees, according to Gabriel Whalen, a principal field solution architect with CDW. Whalen, who has military counterintelligence experience and a background in psychology, told attendees that humans are generally bad at considering “second- and third-order threats to self-preservation,” which is how cybersecurity threats tend to register with most people.

To respond to these challenges, Sexsmith said, businesses must take it upon themselves to devise training programs that engage and motivate employees, help them retain the information they have learned and encourage them to act in ways that protect the company.

“We have to get people interested in and motivated to do things differently,” he said. “And that’s what we’re doing at Microsoft. We’ve kind of changed the game when it comes to employee training.”


Five Elements of a Good Security Compliance Program

Sexsmith said every business should consider the following things when it comes to employee training:

  • The program itself: Businesses should align specific training activities with their particular goals, paying special attention to areas of deficiency and the maturity of employees with respect to security awareness.
  • Motivation: Security is boring — or so employees think. But does it have to be? Microsoft strives to make training engaging and fun, devising gamification strategies to help workers learn and developing a series of tongue-in-cheek videos in which a goofy actor visits with the company’s CISO and other members of its security team to get tips on topics like avoiding phishing.
  • Retention: Sexsmith said that various studies have shown people tend to be pretty bad at remembering newly learned information. “We forget 50 percent of what we learn within an hour, and another 20 percent by the next day,” he said. “By lunchtime, you’ll forget half of what I say up here, and tomorrow you may not even remember you were in this session.” To combat that, Microsoft uses a third-party “AI-driven training reinforcement platform,” he said, which takes employees through a series of follow-up questions related to a recent training module.
  • Application: Many companies run phishing simulations; Microsoft runs simulations that are actually challenging, sending emails that look better than the typical phishing email and building fake websites that look real. There are clues, including grammatical errors in emails and links with URLs that Microsoft would never use. Still, the clues are subtle, as real phishers are getting better at avoiding the telltale signs that characterized their messages a few years ago.
  • Resources: Microsoft has created an online security playbook that all workers have easy access to. It includes the company’s security policies and guidance on how to stay safe. The company also makes it easy for workers to report suspicious messages with just the push of a button on their screens.

Whalen noted that well-devised compliance programs aren’t just top-down and punitive. Instead, they welcome input and tend to be forgiving of violators who self-report. “When people feel like they have some ownership of the program, and they’re not just a serf or a subordinate, they’re more likely to follow the program,” he said.
