Educating end-users is a core responsibility for security teams. Not only are such education programs required by compliance regimes, but they’re also one of the most effective ways to actually maintain security: Users are now one of the key attack vectors for bad actors. The more they know about the threats and how to respond to them, the better they’ll be able to defend themselves and your organization.
But when it comes to end-user education, many organizations do the bare minimum—maybe requiring those users to annually slog through a long video presentation that’s punctuated by quiz questions. Such a program might check the boxes required by your compliance regime or cyberinsurance carrier—but it might not keep your organization as secure as it could be. You can and should do better.
Why Security Education?
Security practitioners get excited about tools and processes that automatically address security issues. But as long as human beings are part of the equation, education needs to be part of the solution, as well.
According to the 2024 Verizon Data Breach Investigations Report, 68 percent of the breaches it analyzed (covering incidents from 2023) involved a “non-malicious human element”: someone inside the impacted organization who made an error or fell for a social engineering attack. That share has stayed stubbornly high year after year, which is why security education is so critical.
To be truly effective, such education programs should have two goals: to drive behavioral change and to extend the sense of responsibility for organizational security beyond the security team itself. The key to achieving both goals is to break out of the traditional training mold and engage people on a deeper level than a bunch of “please complete this training module by this date” email prods.
One Size Does Not Fit All
One way to break the mold is to make sure your training program meets people where they really are.
For example, some learn better in private, while others thrive in class settings. Some like to do things at their own pace, while others need a clock ticking to get things done. To the extent you can, you should deploy training alternatives that satisfy those preferences.
Different teams may have their own training requirements. If your organization has in-house developers, for example, you need to be sure they learn about software supply chain attacks and supply chain security (vetting dependencies, protecting build pipelines), which other teams don’t need. Similarly, public-facing teams such as sales or customer support may need training on the ways threat actors target those specific parts of the organization, such as posing as a customer or vendor to extract account details, refunds, or changes to payment information.
To the extent your resources allow, you should consider switching up the timing. You could, for example, break up long video sessions into shorter ones scheduled throughout the year. (This might, in the process, improve participation and retention.) Note that every October is Cybersecurity Awareness Month; that’s a great time to layer in additional programs.
You can also think in terms of the employee lifecycle. For example, it’s a good idea to include a module on CEO impersonation as part of your new-hire onboarding. (Bad actors often target newer employees in such attacks, because they are eager to please and don’t yet know how the executive team normally communicates.) The key behavior to teach is simple: any unusual or urgent request that appears to come from an executive gets verified through a known channel, such as a phone number already in the directory, before anyone acts on it.
Increasing Engagement
In addition to shaking up the standard training logistics, you can also shake up the content.
Take, for example, that CEO impersonation module. You could just play it straight: Here’s a tactic bad actors use, here’s what to do about it. But you don’t have to treat it with a completely straight face. Chances are your CEO is not going to text new hires to say, “I need you to run to CVS to buy me some iTunes gift cards.” (Yes, that’s a real-world example.) While you want to be sure people take the threat seriously, that doesn’t mean you can’t make light of it, too.
Gamifying the training can also help. You could consider things like word puzzles containing security jargon. You could get really elaborate with an escape-room style of game: “Help this organization navigate a cybersecurity event.” You can then add a competitive layer, pitting different teams or departments against each other, with prizes or other recognition programs as rewards.
In this latter case, the idea is not only to make the content more engaging but also to put trainees in the shoes of a security practitioner: “What should the security team do in this situation?” You want to build empathy for your security mission in stakeholders across the organization so they truly understand what your team does and why.
That, in turn, can encourage them to become the security champions in their teams, embedding security as a concern across the organization. Those champions can then become force multipliers for your security education programs. They can also help keep you honest about tailoring education to individual departments; they can tell you what their peers really need to know.
It's then your job as a security pro to stand in the middle, creating more tailored and engaging content for the different personas across your organization. You create a virtuous circle of security awareness that gets deeper and more engaging—and, therefore, more effective—all the time.
About Kandji
Kandji is the Apple device management and security platform that empowers secure and productive global work. With Kandji, Apple devices transform themselves into enterprise-ready endpoints, with all the right apps, settings, and security systems in place. Through advanced automation and thoughtful experiences, we’re bringing much-needed harmony to the way IT, InfoSec, and Apple device users work today and tomorrow.