When an annual security training email hits their inbox, many employees tend to either ignore it or search for shortcuts to breeze through the final test. They just want to check it off their list. But what if you could show them that these trainings are crucial and more than just another tedious task? It’s time to get creative and transform mundane training into an engaging and enjoyable experience!
Timing is important
First of all, security training shouldn’t feel like a punishment or a burden to your employees. To achieve this, avoid scheduling them during peak workload periods and give employees ample time to complete the training. Adopt a supportive approach, motivating your team by demonstrating that even top management participates and values these trainings. Highlight that everyone, including leadership, is committed to continuous education and improvement.
How to improve the cyber awareness of your employees?
- Repeat security training regularly
- Motivate your employees—encourage instead of punishing
- Encourage your employees to learn and to stay aware
- Test them unexpectedly
Make sure everyone understands the basic principles right after joining your company as well. “Employees also need to know to whom they should report suspicious activity; how to use software or cloud services; what to do in case they see suspicious individuals within office premises; and how to use security technology, such as a password manager,” says Daniel Chromek, Chief Information Security Officer at ESET. If you have a company email address for incident reporting, make sure it is placed in visible spots around your office.
Explain why regular training is a great preventive measure
Once you have determined the best timing, you need to persuade your employees that regular education about digital threats is important. Explain to them that digital threats are always evolving, and they can stay safe only by continuously learning about them. Ideally, your employees should stay vigilant throughout their day-to-day routine—when sending emails, handling data, or using apps. Even the apps and websites your employees use daily might pose a digital security risk.
Social Engineering
Social engineering such as phishing remains one of the most prevalent attack vectors. According to the 2023 PurpleSec Cyber Security Trends Report, a staggering 98% of cyberattacks involve some form of social engineering. The appeal lies in its ability to exploit the weakest link in any security system: people. Rather than relying on technical prowess to breach systems, attackers employ psychological manipulation to gain trust and access sensitive information. Therefore, regular training sessions on social engineering tactics, simulated attacks, and clear policies are crucial for any organisation.
Emphasise that prevention is the best protection for your systems and taking regular digital security training is part of what you can and should be doing. Even regulations such as NIS2 and frameworks such as NIST emphasise its importance. Not to mention, preventive measures can save your organisation a significant amount of money. According to IBM, the average cost of a data breach in 2023 was $4.45 million, which is 15% more than three years ago.
However, educating your colleagues once or twice a year in a half-day training session might prove futile. Such trainings are easily forgotten because the knowledge is never refreshed or put to use. Consider combining classic security training with some smaller but more frequent activities. “It makes more sense to divide the information you need to convey into smaller chunks that employees can absorb. For example, use 10-minute videos focusing on just one key thing, or summarising the four major changes resulting from the new policies. You can then distribute such simplified examples regularly to remind employees that it is important to monitor security issues,” says Daniel.
Have some fun
There are many creative ways to make your training more engaging. You can turn the usual boring slides into a comic story, or a game where the player is rewarded in the end. You can transform the training session into a fun team activity, maybe organise a knowledge quiz and have your employees compete among themselves for some small prizes. Or you can prepare some real-life scenarios to test the employees’ knowledge in practice. Here are some ideas to get you started:
QR CODE SCENARIO
Place Christmas party QR codes in places that could potentially be accessed by an attacker outside of your company—such as elevators or entrance doors. Make them look as authentic as possible and include some catchy text; for instance, say that those who scan the code may receive a gift at the Christmas party. Such QR codes should lead to a page that you created informing the employees that scanning random QR codes might take them to potentially dangerous websites, especially if said codes are placed in public spaces.
IMPERSONATION SCENARIO
For this scenario, you may need to get a little more creative and technical. Find a way to impersonate a high-ranking person in your company (with their permission, of course) either through a deepfake or by using a voice clone. Then message their subordinates and give them some detailed instructions (for example, to send a sum of money to a specified account—which you will, of course, return once the experiment is finished). Later, let them know that it was you, point out how easy it was to deceive them, and highlight the growing sophistication of methods like deepfakes and voice cloning.
INTRUDER SCENARIO
For this last scenario, you will need external help (maybe your partner, friend, or sibling, someone people in your company do not know). Place this person outside the company premises and instruct them to kindly ask a passerby to let them into the building, claiming they forgot their entry card or chip at home. The intruder can get out the same way and test several employees in this way before you explain the situation in an email. Of course, you shouldn’t expose the specific individuals who failed the test, but you can provide numbers that show how much time it took for the intruder to get in or how many people questioned his intentions instead of simply letting him pass. Educate your employees that such intruders could gain physical access to your company laptops and other devices, and easily steal data or insert viruses or tracking software into your network.
Creative awareness
In the end, your colleagues should leave the trainings feeling educated and more confident in facing the challenges of digital security rather than bored or frustrated. Creativity and innovation should go hand in hand with informing employees that only via regular updates will they and their company stay ahead of the game.