A succession of recently published reports into how companies approach cyber security and data risk have revealed some worrying contradictions. For example, we are seeing that while most organisations agree that a cyber attack is a very real risk, many don’t even have a dedicated cyber security budget. And, while senior managers in UK companies say cyber security is a high priority in their organisation, the number of top execs who have some responsibility for IT governance policies has yet to reach critical mass.
Most concerning of all, even though the UK Information Commissioner’s Office (ICO) reports that up to 90% of the data breaches reported to it are caused by human error rather than cyber attacks, most organisations still do not provide security-focused training for their workforces. At the same time, the UK Government’s recently published FTSE 350 Cyber Governance Health Check 2018 reports that just 46% of businesses have a dedicated budget for cyber security, even though 96% of them have a cyber strategy and 72% rate cyber risk as ‘high’ or ‘very high’. Additionally, only 16% of respondents felt that, to date, their boards had a ‘real understanding’ of the business impact of cyber threats.
Another Government survey, Cyber Security Breaches 2018, found that 43% of organisations had identified breaches in the previous 12 months. Some 75% of the businesses surveyed said cyber security was a ‘high priority’ for their senior managers, but only 30% assign responsibility for it at board level.
The same report also revealed that just 20% of businesses have had any of their staff attend cyber security training in the past year. Reasons cited include cost and ‘not seeing the need for training’. Not surprisingly, one of the report’s main findings is that businesses can do more around training to protect themselves.
A further report, from the US telecoms company Verizon, takes a more global perspective on cyber security. Its latest annual Data Breach Investigations Report found that nearly 20% of incidents were caused by employee error, i.e. routine workplace mistakes.
Clearly, learning needs to be higher up on the boardroom agenda than it is right now. As the Verizon report states, ‘Make people your first line of defence. Do your employees understand how important cyber security is to your brand, and your bottom line? Get them on-board; and teach them how to spot the signs of an attack and how to react.’
Moreover, it is not just rank-and-file personnel who need the training: senior executive management must get involved. By leading the company’s risk-mitigation measures, they would be telling everyone else: ‘Hey, this stuff matters’. And, of course, they would be on top of the issue themselves. Training recommendations therefore apply just as much to the C-suite and the boardroom as they do to the ‘frontline’ workforce. When it comes to cyber defences, everyone inside an organisation is a target, so everyone is now ‘frontline’.
This means that everyone needs to know what the risks are and how to escalate a potential threat quickly. There is also a strong argument that senior executives, Human Resources, Learning & Development and team leaders should be among the first to undertake cyber awareness training. So let’s review some baseline measures that bring these changes about.
GDPR: employees’ responsibility
We have long seen that people represent a huge vulnerability for organisations, largely because attackers exploit a general lack of security awareness, and because attacks are growing in sophistication. While the introduction of the General Data Protection Regulation (GDPR) in May 2018 has done much to focus minds on enterprise data security risk, much more needs to be done. The reports referred to earlier suggest that training is being left out of the risk-mitigation equation, and that is why human error remains such a significant factor in breaches.
Employees have a major role to play in combating these cyber threats – but only if they know how to. For instance:
- Can employees spot a phishing email?
- Are they aware of what constitutes protected data?
- Do they know the consequences of clicking on a suspicious link?
- Have they been advised how to escalate an issue if they do spot a risk?
- Do they know the importance of rapid response and why this is so critical?
- Are staff advised on what to do if they see risky behaviours in colleagues?
Most employees will not require the same level of training as security teams, but they do need to know enough to be aware of possible threats and how to take preventative action. However, we believe there are training pitfalls to avoid (see the ‘Practice Pitfalls’ guidance sidebar below).
Compliance training will not be effective if it is one-off, overwhelming and, frankly, dull, or if it is not pitched and tailored to its audience. The starting point is to motivate the workforce by instilling an understanding of how much cyber security matters to the company and to its customers.
If they understand what is at stake, they will be more vigilant day to day. This is where managers have an important role to play, by undertaking the training themselves and leading the messaging.
Training should focus on the most important things that employees really need to know. Don’t bog them down with irrelevant information. They need a grounding in how to identify and respond to potential risks, and in what safe and unsafe behaviour looks like. We recommend delivering this essential learning in manageable chunks that are quicker to learn and easier to remember.
Cyber security is a serious subject – but that’s all the more reason why the learning experience needs to be creative, fun even. The aim, always, is to have engaging learning that employees ‘want to do’ rather than ‘have to do’. Creativity in compliance might sound like a contradiction; but adopting this approach ensures that the message resonates with the audience.
The introduction of GDPR posed a huge compliance challenge for organisations. There was an urgent need to make workforces aware of the updated, stricter regulations. Clearly, in-depth training built on hundreds of pages of text would never work. People wouldn’t read it, let alone remember it. In response to this learning need, my company Sponge worked with GDPR experts to create the content for an off-the-shelf GDPR learning game, built by combining learning game theory and mechanics.
GDPR Sorted
Sponge’s digital game, called ‘GDPR Sorted’, can be played repeatedly to teach the core principles of the regulation to workforces without becoming boring or off-putting. To date, ‘GDPR Sorted’ has been rolled out by 20 organisations operating across Europe, including DPD, Krispy Kreme and Soak.com. “It took a boring topic and made it more engaging,” according to Nicky Prangley, HR Services Manager at Krispy Kreme, “so that employees are quite happy to complete the training.”
For it to matter to employees, the learning should be meaningfully relatable to their world and experience. Finding the human stories behind the statistics enables people to connect with issues around cyber and data protection.
One way of engaging people in this way is to use real world scenarios in digital learning, where employees can make decisions and influence what happens next. Cyber security training should offer employees the opportunity to try it out for themselves in a context where they can learn from the decisions they are obliged to make. Again, learning games can prove the ultimate sandbox for this, because the learner can play until they have mastered the information. If they get it wrong, that’s fine, and better in a learning context than a real-life scenario.
In a similar vein, Sponge has also been working with a global restaurant brand to develop an Augmented Reality (AR) card game aimed at educating several hundred franchise owners on cyber security best practice. The mixed-reality game covers threats ranging from physical security breaches, such as ‘dumpster diving’ and ‘tailgating’, to digital attacks such as phishing, Distributed Denial-of-Service (DDoS), Cross-Site Scripting (XSS) and SQL injection.
Delivered via a series of roadshow events aimed at franchise owners, the game brings together those with overall business and cyber security responsibility to raise awareness and knowledge. To play the game, teams of five players, three business leaders versus two hackers, battle it out for a place on the leaderboard. The hackers (the attackers) are trying to ‘earn’ money, while the business leaders (the defenders) are trying to stop the attack.
By the end of the training, each player will have learnt the key messages around cyber security and know how to apply the learning in the real world. The aim of the game is to help business owners settle on a sound business and financial strategy for their restaurant outlet through simulation. As with ‘GDPR Sorted’, this is ‘applied learning’, where people learn by taking part in scenarios. The underlying argument is that seeing the consequences of the decisions you make is far more powerful and memorable than reading a book of guidelines or a lengthy list of ‘dos’ and ‘don’ts’.
In this particular instance, the game is part of a blended learning approach, not a stand-alone experience. An immersive game like this does more than simply teach people; it also generates a buzz; it gets them talking and thinking about security on a daily basis. Employers can harness this interest to generate behaviour change.
It only takes a single lapse to undo good work. Therefore, it is essential to keep learning ongoing; regular refreshers and updates should be part of a continuous campaign or learning programme. This could include an updatable game, emails, or microlearning – short and snappy refreshers that fit into the working day schedule.
Two of the calls to action that emerge from the aforementioned reports are that there needs to be greater ‘hands-on’ engagement from the very top, and that every employee must have a baseline level of training. On the first, the evidence suggests that a change in culture is required. Risk management and data compliance should be placed firmly at the heart of organisations and high on the boardroom agenda, so that doing the right thing is at the top of everyone’s mind whenever they are at work. On the second, the answer is fairly clear: organisations already have their own built-in ‘firewalls’, their people. So why not arm them with the necessary skills?
Guidance: Practice Pitfalls
Six of the most common mistakes organisations are prone to make when it comes to GDPR training…
- DOING NOTHING
Ignoring the need for awareness training puts your organisation at greater risk of a breach and the reputational meltdown that follows. GDPR places a responsibility on organisations to embed data protection ‘by design and by default’. As part of this, ‘regular and refresher training is a must’, says the UK ICO.
- FORGETTING THE AUDIENCE
Rolling out the same GDPR compliance training to everyone means no-one gets the right training. High-risk data users need a different approach from the general workforce. Segment the training so that high-risk employees get a bespoke programme, while lower-risk data users are introduced to the basics of GDPR in an engaging and accessible way.
- OVERWHELMING EVERYONE
Handing out documents covering every dot and comma of GDPR to all your people and saying ‘remember that’ is a recipe for failure. Instead, focus only on what they need to know about GDPR for their jobs, and on which data-protection behaviours matter most for them.
- ‘ONCE A YEAR’ SYNDROME
Annual GDPR training is not enough. Compliance requires continuous learning and reinforcement to avoid lapses. Continuous learning helps people apply their training daily and contributes to a data-safety culture.
- BOX TICKING
With GDPR training, don’t just tick the box; think outside the box. If employees find the training dull and boring, they won’t engage and they won’t learn. To be effective, learning about GDPR must be memorable, so ‘rebrand’ it as an experience that people want to do.
- IN ISOLATION
GDPR learning loses effectiveness when delivered in isolation or bolted on. For maximum impact, build a GDPR learning campaign with preparation, activation and sustain phases, and use a mix of learning activities: something for everyone.
By Louise Pasterfield, Founder & Managing Director, Sponge.