Stop using your employees as scapegoats: Change their behavior

Remote workforces pose new challenges for organizations, with the largest issue centered around fortifying the security of at-home workers.

We’ve recently witnessed large companies that were hit with major data breaches and cybersecurity incidents point the finger of blame at the lowest hanging fruit – their employees. While it’s understood that employees have a certain level of accountability when it comes to their role in the organization’s broader security strategy, it’s up to company leadership to arm them with the resources and knowledge to effectively thwart cyber threats.

With 90% of security incidents stemming from human error, a culture strong in security awareness is no longer a nice-to-have, it is a top priority and an absolute must across all organizations, regardless of their size or industry. Businesses who change risky employee behavior methodically and effectively through personalized, timely, and relevant learning will see an improvement to their overall security posture and a reduction in the number of security incidents.

Personalization is key

Cyber threats today have become increasingly sophisticated and more personalized. Therefore, it stands to reason that the training and coaching offered to employees needs to meet the same level of personalization in order to effectively combat these threats and change risky habits and behaviors over time.

Traditional security training, which is typically used to check a compliance box, is hard to digest for the individual user and oftentimes feels irrelevant. Organizations need to provide employees with relevant insights and knowledge that is specific to each user’s habits so that they can help to prevent these types of breaches from occurring. This type of learning is more digestible and effective, allowing users to adopt techniques and adapt habits over time.

By leveraging existing security and IT tools, HR systems, and Active Directory, organizations can gather data about an individual employee’s risk profile, role, and awareness needs for personalized coaching and offer advice at the exact moment of risk, when an individual’s activity may expose vulnerabilities.

Change employee behavior over time with real-time microlearning

As humans, we tend to absorb information we find relevant to us, and disregard information that we consider irrelevant. If an action is not specifically flagged to an individual as risky, it may not be immediately clear that the action they’re engaging in can actually expose their organization’s sensitive information. Providing clear guidance on how to identify and remediate sophisticated cyber threats – ideally in real time as employees engage with risky websites, applications, or links – is a critical component to augmenting risky behaviors and ultimately improving an organization’s overall security posture.

For example, many people are not aware that online shopping is one of the top risky behaviors that cause data breaches. With organizations making their company systems available through the internet to facilitate remote and hybrid work, the actions employees take at home still have the potential to leave their organizations vulnerable to cyberattacks. If they are not cautious, employees can end up disclosing credentials to one of the thousands of fake webpages that exist online today – and, unfortunately, they are no longer protected with the same on-premises systems and support they once had in the office setting.

In fact, nearly half of the world’s most-visited websites leave visitors open to potential dangers. Educating employees on the type of sites that aren’t safe and how to identify potential threats will improve habits and safeguard organizations at scale.

Understand the effectiveness of your program

As organizations start to focus on educating their employees to become more aware of their personal risky behaviors and changing those individual behaviors, it will be critical to measure the effectiveness of this effort. With traditional security awareness training, it is difficult to track users’ progress. While employees typically apply the lessons they learned in the short-term, they gradually forget them as time moves on.

Today, cyber threat strategies are changing by the hour – not the month or year. Organizations need to track and measure the efficacy of their programs regularly to not only identify at-risk employees, but also better to tailor individual employees’ training to attack variants that are relevant to their individual risk profiles and behaviors.

With increasingly sophisticated attacks and an exponentially larger attack field, organizations need to guide and support employees in understanding how to identify and remediate threats now more than ever. Employees should be regarded as allies and the natural first line of defense in any organizational cybersecurity protection strategy.

Providing clear guidance in real-time as employees engage in risky behaviors will arm them with insights that are relevant to them, allowing them to better recognize how their actions can impact their organization’s security posture and slowly change these habits for both their benefit and that of their organization.