Do you ever wonder why some people consistently fail cybersecurity awareness tests? How do they fall for phishing emails time and again? What does it take to get them to pay more attention and not be so careless?
Remember the day you put cybersecurity awareness training in place—a service like KnowBe4, Sophos, or Webroot? That was the day you thought your phishing concerns were over. Nope, it’s not that easy.
The testing strategy employed by these services works for most employees; the simulated phishing tests assess whether they can spot a dangerous email. If they take the bait and open a “bad” document or click on a “bad” link, they’re provided a notification telling them how they messed up or a training video about their mistake so that they’ll know better next time.
You’d hope that after failing a few simulated phishing tests, everyone would learn how to spot a phishing email. But, unfortunately, you might have a few employees who just don’t get it and consistently fail these tests! These few folks put your organization at risk because the chances are good they’ll fall for a real phishing email, too.
What do you do with employees who frequently fail cybersecurity tests?
First, determine the risk level
If an employee continually fails cybersecurity tests, assess the risk involved with that user before deciding what action to take. Collaborate with the HR department to answer these questions:
- Do they have access to sensitive data?
- Do they have the ability to access funds or process wire transfers?
- If they click on an actual phishing link, what’s the worst that can happen?
- If they download ransomware, how would it affect the rest of the organization?
For example, at one extreme, you have an entry-level employee who works in a firewalled part of the network and doesn't have access to anything but the internet—a lower-risk situation. At the other extreme, you have a senior-level employee who’s a “local admin” and has direct access to your database—a higher-risk situation. Your attention is better focused on the higher-risk employee. That person may need individual coaching and/or an attitude adjustment.
Reviewing the above bullets may also reveal some technical controls for the IT department to implement. If a single user can bring down the entire file server with ransomware, what technical controls could you put in place to mitigate the risk? Consider enhanced access control, strong backups, and/or a rock-solid response plan. Don't rely on multi-factor authentication (MFA) alone, since phishing is a common attack vector used to bypass MFA.
Discuss with HR what type of approach would work best for the individual and your culture. Speaking of culture…
A culture of cybersecurity awareness must be priority #1
The IT team can do everything in its power to educate staff about security threats, but will those efforts have a lasting effect? Unless cybersecurity awareness becomes embedded in your organization’s culture, you will continue to have weak links on staff.
Is cybersecurity on the leadership agenda?
Culture starts at the top. Cybersecurity must be taken seriously by leadership and is ultimately the responsibility of the CEO or executive director. Ideally, the highest level of management as well as the board should understand security risks and take responsibility for an organization's cybersecurity.
In reality, IT often takes responsibility for cybersecurity. In that case, it's important to help leadership understand how its lack of attention has a direct effect on the company’s security posture. There is no shortage of reports outlining the real financial cost of cybersecurity incidents that you can use as examples.
Executive and senior staff must be made to understand how big a threat cybersecurity is to your organization—“yes, it can happen (and probably already has happened) here.” Paint a picture of likely consequences if the culture—and, hence, staff behavior—doesn’t change. The cybersecurity issue must be on the leadership agenda so that you can figure out how your culture, policies, and practices need to change to effectively address the threat.
Be a cybersecurity evangelist.
At most associations, cybersecurity is never a topic of conversation except with IT staff. Cybersecurity should be on the agenda at every all-staff meeting—it is that critical. Use stories from the news (and, if appropriate, from your own organization) to explain how those troubling events could happen to you.
Make cybersecurity everyone’s job.
Real phishing emails will inevitably get through even the most sophisticated spam filter. Or, they’ll come through an unguarded entrance—like a personal email someone opens on their work computer. Firewalls and endpoint security software aren’t enough—you have to strengthen your human firewall so that employees don’t become cybersecurity liabilities.
The main takeaway is this: cybersecurity awareness is everyone’s job. It must be part of every employee’s job requirements and part of every employee’s performance review criteria.
Think of it this way: if using Excel is part of someone’s job, and they don’t have sufficient Excel skills, wouldn’t their supervisor address it in some way or document it in their review? Everyone must have sufficient skills to use the internet and email safely, and that means having cybersecurity awareness skills. Leadership and HR must ensure there are consequences for being careless with cybersecurity—no matter who the person is.
Reward staff that succeed!
Associations have found novel ways to reward their staff for giving cybersecurity its due attention. Some DelCor clients have distributed bags of Swedish Fish (get it?) to staff who successfully passed tests. Others have rewarded the employees who reported the most phishing emails in a given month. Some cybersecurity training resources come with “leaderboard” functionality to gamify the experience. We get that making a dry topic like cybersecurity “fun” is difficult, but getting silly with the topic will help staff talk about the threats—and ultimately, that will strengthen your security posture!
Reward staff who do the right thing. Acknowledge and thank those who spot real phishing emails or consistently detect the fake ones. Positive and public acknowledgement will help spread good behavior.
Define cybersecurity expectations.
Does your employee handbook say anything about staff’s cybersecurity responsibilities? If not, what about this: does your handbook say anything about physical security responsibilities?
- What happens if someone regularly leaves the front door open when they’re the last to leave?
- What happens if someone repeatedly lets strangers into the office when it’s against association policy to do so?
- What if a staff member frequently misplaces their key card?
Are there consequences for these careless security behaviors? Probably. So why aren’t there consequences for careless cybersecurity behaviors?
Help your HR department develop cybersecurity policies for the employee handbook. Make sure HR communicates these expectations to all staff. When appropriate, compare the severity of the cybersecurity situation to physical security scenarios. Make it obvious that cybersecurity infractions are no less severe than physical security incidents.
Enforce cybersecurity policies evenly. Everyone from the IT staff to the CEO must follow the same rules. And, the same consequences apply when individuals put the organization, finances, and member data at risk.
Insist resources be allocated for cybersecurity training.
You shouldn’t have to scrounge around to find the budget to pay for cybersecurity training, whether it’s for a service like KnowBe4 or for customized training sessions. It’s part of the cost of doing business—and your fiduciary responsibility.
Every employee, even the CEO, must have cybersecurity training as part of their onboarding. Everyone must also attend an annual security training booster session. Send automated phishing tests on a regular basis to measure the effectiveness of the training.
Here’s where we get back to my original question: what do you do with those employees who frequently fail the automated phishing tests? If they’re not responding to self-paced video training, you may need to consider more rigorous or personalized training methods. Some people may need one-on-one coaching. But first, ask yourself: is it worth spending time coaching a user who poses a low risk? Invest time and resources in proportion to the risk level.
Resources like phishing tests and cybersecurity awareness training will help you protect the association’s data—and your job too. But, you won’t be able to rest easy unless you can convince leadership to help you shift the culture at your association so that everyone considers cybersecurity as part of their job.
This blog was originally published in February 2018 and edited on 5.12.23.