I miss eating in restaurants.
I miss hugging my friends and relatives.
But maybe, most of all, I miss coaching youth basketball.
Were this a “normal” year, I would have spent a good part of last weekend coaching third and fourth graders in how to do a “pick and roll,” a standard basketball play.
The pick and roll is not easy to learn, mostly because it’s unintuitive, requiring players to turn in a direction that doesn’t, at first, feel natural. So, whenever I teach it, the kids “roll” the wrong way – with their back to the basketball!
No matter how many times I show them or tell them, I can’t correct it until we start practicing.
You know what I never do? I never yell, or shame, or belittle them for doing it wrong. And not just because they are nine years old. It’s because humans – of all ages – don’t respond well to that approach.
Everyone does things wrong when learning – that’s why we teach!
When it comes to training our employees in cybersecurity best practices, the same logic applies: train, don’t shame.
Humans Are Your Weakest Link
Nowhere is effective training more important than on the subject of phishing, an attempted security attack in which an external party tries to trick someone into clicking a link, downloading a file, or otherwise taking an action that will hurt your company.
Whatever the specifics, phishing is so common because your entire employee base is a potential target. Unlike a technical control that is overseen by your IT administrators, any one of your users can unknowingly open the door or hand vital information (or money!) to bad actors, often with disastrous results.
But wait, it gets worse. When it comes to phishing, many companies exacerbate the problem. First, they fail to adequately train their employees on how to recognize and respond to a phishing attack. Second, when an attack is successful, they punish (even terminate) those who get fooled.
Do You Have a “Shame-Based” Cybersecurity Program?
If you punish people for getting phished, you are going to undermine your cybersecurity program. Like the pick and roll, defense against phishing is a learned and unintuitive skill – it needs to be taught and positively reinforced.
Remember that in most instances, a successful phishing attack is not a case of “failure to apply common sense.” We are not talking here about emails written in broken English with requests to send money to a faraway place. When we roll out phish-testing, every client I work with has a segment of its user base that gets fooled – the best phish will hook even the most sophisticated users.
So, try this approach instead…
#1. Establish a computer-based training program with a focus on phishing.
You’ve got new employees starting all the time. A computer-based program allows you to track who has taken which programs, as well as standardize the training and continually update it as needed.
#2. Communicate expectations to the organization.
It’s one thing to say that phishing attacks are something the company needs to avoid and leave it at that. It’s quite another to have the CEO stand up at an all-employee meeting and reinforce the idea, inviting everyone to speak up if anything appears suspicious. Leadership needs to make this a priority.
#3. Run phishing tests regularly.
Just as my young basketball friends cannot learn the pick and roll until they actually get out on the court and try it for themselves, your employees need situational training. That involves sending out fake phishing emails and seeing who clicks.
Testing will allow you to identify the at-risk players and most problematic situations, helping you to pinpoint the areas of training that need enhancement.
Of course, some people will require disciplinary action for repeated or egregious mistakes. But that’s a last step, not a first step. If your employees are failing, chances are it’s because your training isn’t up to par.
#4. Reward good behavior.
Many companies have a “report phishing” button built into their email system. Not only does this allow you to flag and immediately remove all similar emails within the network, it’s an opportunity to recognize those who correctly identify suspicious messages (more positive reinforcement).
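Steps #3 and #4 produce data that only helps once someone reads it. The Python below is an added example (not code from the original post) that summarises a constructed set of phishing-simulation results: click and report rates per campaign and per lure theme, the users who have clicked more than once (candidates for more training, not discipline), and the most reliable reporters to recognise.

```python
from collections import Counter

# Constructed phishing-simulation results (sample data, not from a real
# programme): one record per recipient per campaign, holding the first
# action the recipient took: "clicked", "reported" or "ignored".
RESULTS = [
    ("Q1", "password-reset",     "alice", "clicked"),
    ("Q1", "password-reset",     "bob",   "reported"),
    ("Q1", "password-reset",     "carol", "ignored"),
    ("Q1", "password-reset",     "dave",  "clicked"),
    ("Q2", "invoice-attached",   "alice", "clicked"),
    ("Q2", "invoice-attached",   "bob",   "reported"),
    ("Q2", "invoice-attached",   "carol", "reported"),
    ("Q2", "invoice-attached",   "dave",  "ignored"),
    ("Q3", "ceo-urgent-request", "alice", "clicked"),
    ("Q3", "ceo-urgent-request", "bob",   "reported"),
    ("Q3", "ceo-urgent-request", "carol", "clicked"),
    ("Q3", "ceo-urgent-request", "dave",  "clicked"),
]

def rates_by(results, key_index):
    """Click and report rate per grouping key (0 = campaign, 1 = lure theme)."""
    sent, clicked, reported = Counter(), Counter(), Counter()
    for row in results:
        key, action = row[key_index], row[3]
        sent[key] += 1
        clicked[key] += action == "clicked"
        reported[key] += action == "reported"
    return {k: {"sent": sent[k], "click_rate": round(clicked[k] / sent[k], 2),
                "report_rate": round(reported[k] / sent[k], 2)} for k in sent}

def riskiest_lures(results):
    """Lure themes ordered by click rate: the situations training should cover next."""
    stats = rates_by(results, 1)
    return sorted(stats, key=lambda k: stats[k]["click_rate"], reverse=True)

def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: targeted-training candidates."""
    clicks = Counter(user for _, _, user, action in results if action == "clicked")
    return sorted(u for u, n in clicks.items() if n >= min_clicks)

def top_reporters(results):
    """Users by number of simulations they correctly reported, most first."""
    reports = Counter(user for _, _, user, action in results if action == "reported")
    return sorted(reports.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for campaign, s in rates_by(RESULTS, 0).items():
        print(f"{campaign}: click {s['click_rate']:.0%}, report {s['report_rate']:.0%}")
    print("riskiest lures:", riskiest_lures(RESULTS))
    print("repeat clickers:", repeat_clickers(RESULTS))
    print("top reporters:", top_reporters(RESULTS))
```

A rising report rate alongside a falling click rate across campaigns is the signal that the training is working; a theme whose click rate stays high is the one to teach next.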
Humans Are Key to Your Cybersecurity Program
Employees and grammar school athletes alike want to do a good job. You’ll realize the best results when you commit to training them well, helping them stay sharp, and continually reinforcing positive cybersecurity behavior.
Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click. You won’t get any phishing emails from us, we promise!