Cyber Security Training: Do Your Part, #BeCyberSmart and put Gamification at the Heart
The theme of this year’s Cybersecurity Awareness Month has been: ‘Do Your Part. #BeCyberSmart’, the message being that when everyone does their part, the connected world is safer for all.
The importance of the individual in cyber security is something we’ve long championed. Jinan Budge, a principal analyst at Forrester who has spent 20 years working in the cyber security field, outlined why it’s so important on the 3radical webinar ‘How to Harden Your Human Firewall’.
Citing Forrester’s ‘Notifiable Data Breach Report’, she explained that 33 percent of cyber attacks relate to human error and that the majority of the rest are related to compromised credentials, the result of human factors such as phishing and brute-force attacks.
Human error is not just costing organisations, but individuals too, emphasised Jinan. High profile examples include the chairman of RBS, who sent selfies during a board meeting to his daughter, who then uploaded them on Instagram and caused quite the media storm. Three weeks later, he’d exited the bank.
Yet despite the seriousness of the subject, security awareness programs rarely achieve the desired results. According to ‘The Business Case for Security Awareness and Training’ report, just 26 percent of workers say they know what to do in the event of a breach and only 39 percent say they’re aware of their companies’ security policy. Seven percent even admitted to going around their organisation’s security policies.
One of the biggest issues, as Jinan sees it, is that businesses continue to see security as a roadblock. The scale of that problem was illustrated by Forbes coverage, which revealed that only 52 percent of Chief Information Security Officers (CISOs) feel the executive team values the security team (18 percent think board members are indifferent or even find the security team an inconvenience). That’s scary. There’s clearly a big challenge to be overcome.
“If there is one thing that I would love you to take away, it is that you need to go beyond awareness. We need to focus on changing behavior and building and embedding a security culture… there are great examples of gamification bringing people together and using behavioural science and psychology to achieve just that,” said Jinan.
Standard Chartered Bank is one such example. Ellie Warner, Global Head of Cyber Training, Awareness and Exercises at the bank, said on the webinar: “The biggest challenge we faced, as I imagine is the case for most companies, is how to get senior executive management’s time, attention and buy-in.”
“If we go in with gobbledygook and jargon, it’s no wonder executives see a technical challenge rather than a business challenge. We have to show we’re there to help them do their job safely and securely.”
Standard Chartered Bank’s security awareness team knew it needed to make cyber security relevant to a wide audience.
“We had discussions with 3radical, our flagship platform, and discussed how to cut through the noise and reach a lot of people,” says Ellie.
3radical’s Voco Software-as-a-Service (SaaS) platform enables organizations to provide centralised access to a range of different training exercises, delivered through gamification.
“We come from a marketing heritage and therefore have an engine under the bonnet that allows us to serve up this content in a much more engaging and timely fashion,” says Will Stuart-Jones, Head of Consulting (UK) at 3radical. “Employees rarely get rewarded for their engagement, so what we’ve effectively done is turned learning journeys into loyalty journeys.”
This requires building a persona-based learning journey, and clearly understanding and acting on “what’s in it for the individual,” to establish emotional commitments to security.
Standard Chartered Bank’s security awareness team maps content and types of rewards to groups and individuals and tracks engagement accordingly. Rather than static training material, it uses the 3radical platform to deliver bite-sized challenges that include interactivity points, badges and leaderboards to increase consumption and retention.
“We always offer a value exchange for engagements; that’s what makes us different,” says Will. “It can be intrinsically making the learning more fun by using game mechanics, but it can be about allowing employees to earn different types of rewards. So maybe symbiotic rewards, like badges or points, which they can redeem for real world rewards when they engage or exhibit positive behaviors.”
“The opportunity to kind of serve up those real-time challenges for us is hugely valuable. One of the biggest advantages that we’ve discussed with the 3radical team is the real-time aspect. We witnessed WannaCry a couple of years ago; in such high profile cases we want to be able to spin up relevant ransomware challenges and have them ready the next morning for when people come in.”
For individuals to do their part, organisations need to be #CyberSmart and really work to instill cyber awareness. The traditional approaches to engaging employees and taking them on a transformative journey all too often fail to work, and in security that can be disastrous. Traditional approaches tend to be one-off and not very interesting or engaging.
Employees need to be taken on a journey in an engaging and relevant way. They need bite-size chunks, reinforced by regular communication and supported by the people around them. Gamification, done in the right way, can do just that!