COMMENTARY
The recent movie The Beekeeper begins with a cyberattack against a victim unfamiliar with the tactics and techniques attackers use in today’s technology-driven world. The film’s protagonist, Adam Clay, played by Jason Statham, then goes on a digital vendetta to find the responsible adversaries and ensure they can’t continue extorting victims through common cybercrimes.
As much as our security teams would love to do threat hunting like Clay, we lack the physique and combat skills. And we know spreading awareness is a far more effective approach. Keeping the workforce fully educated can be a monumental task. However, it’s the one thing that can entirely mitigate threats that target individuals. Some of the new ways of training involve old techniques.
Adaptable > Repeatable
In cybersecurity, technology operates predictably, but humans do not. As security professionals, we need help remembering this. The distinction underscores the need for person-led training during an employee’s onboarding. Interactive training acknowledges human complexity, emphasizing the importance of adaptability in response to new threats and individual learning styles. Unlike automated training, person-led approaches can quickly adjust to address unique challenges and learner needs, making them more effective in promoting a deep understanding of security practices.
How quickly can your organization adapt to AI-based threats? Since human error accounts for almost 90% of all data breaches, organizations that prioritize their work and resources based on risk will have a difficult time finding anything more important than an educated workforce. Train people with people. Use security champions if your team needs more resources or has time zone constraints. But overall, try to do something other than automate the process.
Build Storytellers
Creating a solid cybersecurity culture involves enabling employees to share their personal experiences with security issues openly. Most people have learned their most valuable security lessons based on stories from other people. Sharing security stories may not come naturally to employees, and we need to teach and promote this behavior. During training, ask employees to discuss how cybersecurity has personally affected them in the past. Ask them about their familiarity with safe password hygiene or social media posts. This open-discussion initiative can help them feel at ease with the topic and understand that the organization encourages it.
Test the Response
Implementing specific tests and monitoring employee behavior is essential to gauge the effectiveness of a security program. We know new employees will receive the fake text message from the CEO requesting gift card purchases. Try a simple smishing or phishing simulation with new employees to see if they proactively reach out after detecting the attempt. If employees actively communicate with each other about phishing campaigns, share security-related news, or discuss various security topics, it shows they have a sense of confidence and proper education in cybersecurity. This level of engagement and vigilance among staff members highlights the program’s effectiveness in fostering a proactive security culture. When you see it, be quick to reward it.
Conclusion
Unlike The Beekeeper, we won’t be able to hunt down the adversaries and kick some butt. Instead, developing a robust security culture through awareness is our fight against cybercrime. Encouraging employees to share their experiences with security fosters a sense of community and vigilance. Personalized training plays a critical role in this ecosystem. It’s not just about delivering information; it’s about tailoring the learning process to meet diverse needs and respond to emerging threats. We can assess how prepared our employees are to identify and counteract potential threats through testing.
The benefits of these strategies extend beyond the office walls. We’re not merely educating our workforce; we’re equipping them with knowledge that transcends the professional environment. This empowerment boosts their confidence, making them safer and more adept Internet users, at work and in their personal lives. By investing in their cybersecurity skills, we’re contributing to a safer digital world for everyone.