Did you know that you can change the way you communicate and engage people in security training programs?
When it comes to cybersecurity awareness and training, we often find ourselves on the brink of indifference and disengagement regarding the ways in which security training and communication are designed and delivered.
Based on research we conducted on over 300,000 users, analyzing typical communication tools, we recorded CTR and engagement metrics that, on average, do not exceed 5%; in other words, more than 9 out of 10 people know literally nothing about what is being communicated to them. In fact, more than half of all emails are completely ignored, meaning not only is there no interaction whatsoever, but they are neither opened nor read. Finally, we found that the larger the number of recipients of a communication (direct email, email), the higher the percentage of those who ignore it.

These findings are also confirmed by a recent Gartner study, which highlights that although 90% of companies implement cybersecurity awareness programs, 69% of employees completely bypass them.
“Security awareness programs are failing at behavior management. Over 90% of cybersecurity functions have an awareness program, yet 69% of employees admit to intentionally bypassing their enterprise’s cybersecurity guidance.”
(Gartner - Security Awareness Efforts Fall Short! Now What? (Survey Results Analysis – Feb 2023))
Faced, therefore, with the risk that cybersecurity awareness programs will fail if they are proposed and communicated through more traditional channels, cybersecurity governance today must adopt a different approach: reaching each individual in a personalized way, with the methods and timing of engagement becoming two key factors—so that, if appropriately tailored and well-executed, they ensure that communications—and subsequently training—are truly effective. Furthermore, according to Gartner, a new paradigm for training is needed, specifically regarding “how” it is carried out: creating a cybersecurity engagement program requires new capabilities and levers that go beyond the common (and ineffective) tactics of training or awareness alone. These emerging capabilities include behavioral science, automation, data integration, the orchestration of tools and platforms, and personalized engagement.
Do you have any suggestions on how to start putting these ideas into practice today?
There are three areas you can focus on to begin improving the impact and effectiveness of cybersecurity training and communication:
1. Deliverability: Messages must not go unnoticed; on the contrary, they must capture attention in a lighthearted, entertaining, and personalized way, reaching every employee: no one should be left out or on the sidelines when it comes to internal corporate communication;
2. Engagement: Cybersecurity can “become cool,” surprise and engage people—perhaps by striking at the right moment, in the right place—and by fostering a two-way relationship, rather than a one-way training dynamic that is perceived as boring and disconnected from people’s daily lives;
3. Measurement: It is no longer just a matter of individual CTR, but rather of setting and evaluating goals to coordinate channels, tools, and timing within a broader context, where it is then possible to understand the actual impact of a message and decide how to generate positive spillover effects.
To put it simply, cybersecurity today is a challenge that calls for new leadership in the role of the CISO—especially in terms of how to scale up and transform something that is still linear into something exponential: namely, reaching and engaging all employees with the information they need most, in a personalized way, and then measuring the effectiveness of these efforts while guiding them through new, experiential training programs that are integrated “into the flow of work.”

Okay, but in practical terms, how can we do that?
So what could be a solution for bringing all these aspects together and implementing an effective strategy for raising awareness, driving engagement, and providing effective training on cybersecurity?
Thanks to an in-depth analysis, monitoring, and examination of people’s most common habits and behaviors related to this specific need, we have designed and developed a viable and interesting solution: a phygital platform (SaaS and white-label) that allows you to operate with complete autonomy, in terms of content creation and style, to reach every one of your target audiences “outside the box” (literally not just outside conventional frameworks but also beyond email inboxes or any other repository) with contextual and personalized messages that not only capture attention but also encourage (through nudge technology) users to take actions and engage in activities, creating a circular and comprehensive engagement loop.
For example, do you want to encourage the use of OneDrive instead of other tools for sending files online? It would be great if a message appeared on your employees’ screens to help and guide them toward using OneDrive just as they’re about to use another method.

It’s not fantasy or a parallel universe—it’s much simpler, more accessible, and more sustainable: with hi platform, communications and information about cybersecurity reach people directly (without requiring any extra clicks or actions) at the most opportune moment, and with an adoption rate (since you don’t have to open anything) and response rate to calls to action that stands at well over 50% (10 times the usual rate!).
“I like it when innovation is social—not in the most common sense of the term, but in the sense of social impact (that is, relational impact) that brings about positive change in people’s (work) lives. For CISOs, by finally making the reach of their security efforts exponential; for users, by empowering them to take that extra step toward knowledge and participation in a world of wonderful things and a safer company.” – Francesco Pozzobon, Chief Sales & Marketing @Digital Attitude

Some background information on “training”: the only way to defend against the most common attacks
2023 will be a year of significant growth for the cybersecurity market. In fact, according to CLUSIT data, the market grew by 18% over the past year, at a rate never before seen.
This is certainly due to greater awareness of the issue within large organizations, but also to the rise in increasingly severe cyberattacks, the number of which continues to grow exponentially: according to research by the Cybersecurity & Data Protection Observatory at the Politecnico di Milano, over the past year, 67% of large Italian companies have detected cybersecurity attacks, and 14% of them experienced significant consequences for their business.
So, what should be done? According to CLUSIT, there are three key areas on which every company should base its roadmap:
- Cybersecurity Oversight: that is, the establishment of security governance within the company through the role of the CISO;
- Roles supporting the CISO: Specialists dedicated to overseeing cybersecurity are also needed, ranging from cyber risk managers and data protection managers to security analysts and security developers;
- New and different cybersecurity training: There is an increasing need for awareness-raising initiatives and appropriate training for employees.
Among these points, the most important one is undoubtedly the implementation of training initiatives dedicated to educating employees on cybersecurity. In fact, CLUSIT’s research shows that cyberattacks with tangible consequences were carried out using social engineering techniques, which specifically target people’s psychology and susceptibility to persuasion. This is why it is essential to provide employees with targeted, direct, and practical cybersecurity training that addresses the weakest link: human behavior.
“Training is now an indispensable element of a sound cybersecurity strategy. However, the effectiveness of training depends on the ability to focus on the direct and concrete impacts that each employee—regardless of their specific role within the company—may experience in their daily work.”
(Cybersecurity & Data Protection Observatory at the Politecnico di Milano – February 2023)
However, to reap the full benefits, training in this field must be effective and focused on individuals’ daily activities: from passwords to online file sharing. Since it is precisely the human factor that the most common attack techniques exploit, employees must be prepared and trained to respond to such threats on a day-to-day basis.
