A common refrain in cybersecurity circles is that humans are your weakest link. There’s truth in this, but making this the focal point of your cybersecurity training and culture can sometimes have unintended consequences.
A more helpful approach is to build a culture where humans become the strongest link. How do you begin such a project? The answer lies in encouraging trial and error in a safe space and in leading with compassion, which ultimately reduces threats.
Sound like an oxymoron? Read on.
Don’t Stigmatize Your People
We see the stats all the time about employee errors being the leading cause of data breaches. For instance, a recent study found that 20 percent of employees will click a phishing link; 67 percent of those employees will enter their information into a phishing site. One in every 1,000 DNS queries is malicious, which makes it likely that the average person will encounter five malicious queries in a day (likely just at work). Another report found that in 2023, malware detections increased by 40 percent and phishing detections increased by 106 percent.
It’s all too easy as a leader to grow frustrated at this situation or start to worry that people are being careless and need to be penalized for it. The problem with focusing too much on the idea that humans are your weakest link or that employees are the problem is that it can put people on the defensive (and not in the cybersecurity way), turn them off, and make them hide their mistakes. While it’s not inaccurate to say that your employees do pose the greatest threat, it’s not the best idea to create a punitive work atmosphere.
In fact, it can defeat the purpose of building stronger security awareness. Constantly telling staff that they’re the problem can alienate some employees and ensure that they don’t absorb the cybersecurity training you’re giving them. Maybe they have questions about certain practices, but they don’t feel comfortable asking them for fear of criticism or punishment. If that’s the case, they may not ask, and then make those mistakes in a real-world setting. Or they may fear the punishment enough that they hide their mistakes and allow a breach. Accepting the reality that employees will make mistakes, by contrast, fosters compassion and further underscores the need for cybersecurity awareness training.
Changing the Approach
So, forget the stick and focus on the carrot. Cybersecurity hygiene and culture can be built so that individuals have a chance to try things out and make mistakes—without fear of retribution—in a training setting.
Make training about learning, not instant perfection. For instance, testing with fake phishing emails can be done in a way that doesn’t punish employees if they don’t understand, but rather creates a safe space for them to practice what they’ve just learned. If they don’t get it right the first time, you keep trying and make the testing increasingly intensive.
Don’t use fear as a motivator. Motivating with fear is disempowering and discouraging. Your goal as a leader is to empower your employees in ways that allow them to see what they’re doing that’s risky—and then help them overcome those behaviors. It’s about flipping the problem on its head and making employees the strongest link.
Getting Cybersecurity Training Right
Why isn’t this kinder approach more common? For some companies, it might seem antithetical to the culture when it comes to something as important as cybersecurity. If this is the case, then their culture needs to change so that their cybersecurity can get stronger. Change can be hard, but it’s not impossible. Allow people autonomy and encourage harm reduction by focusing on minimizing risks and promoting safer practices. This helps empower them to make better decisions.
For other companies, resource and budget constraints seem like a hindrance. Fortunately, there are plenty of helpful guides available for teams with strapped budgets.
Here are five key considerations for how to get cybersecurity training right:
- Caring and compassionate leadership starts with being human.
- Educate to the skillset. Understand that it’s not a level playing field and tailor training accordingly.
- Use a harm reduction approach. Accept that mistakes happen and use them as teachable moments and opportunities rather than treating them as failures or irreparable problems.
- Have a plan. Know what you want and how to achieve it. Have a clear understanding of what your key performance indicators (KPIs) for success are.
- Make sure there are safeguards in place outside of awareness training so you're not putting everything on your non-IT employees. No amount of cybersecurity awareness training can make up for a weak defensive strategy.
Toward a Stronger Cyber-Aware Culture
A key to maintaining a strong cybersecurity posture is training. But when training is treated as punitive or as something to “fail,” it can thwart its intended purpose. For improved cybersecurity, employees need to be given a safe place to try things out and make mistakes. In other words, they need a work culture that doesn’t stigmatize mistakes but rather enables them to learn and grow from their errors. Check your current training process against the five best practices noted above to ensure your program is the best it can be.
By Brendan Spooner, SVP, Engineering, at DNSFilter.