Your employees may be the weakest link in your security posture, but it doesn’t have to be that way.
Psychological research has shown that having a fixed mentality rather than a growth mentality makes us less productive, less effective, and ultimately less happy over time. In other words, it’s better to view challenges as opportunities for growth rather than insurmountable obstacles.
What does this have to do with cybersecurity? A lot, as it turns out.
In recent years, the cybersecurity conversation has been shifting away from a purely technical viewpoint and more toward human-focused security. In other words, what matters is no longer just how good your hardware is, since the reality is becoming ever more apparent that anything can be hacked under the right conditions. The game has become minimizing the appropriate conditions that allow a successful cyberattack to occur. And perhaps the biggest condition that you can control is your employees.
Fostering a Healthy Cyber-Psychology
As we move toward reintroducing human-focused discussion to our cyber defense strategy, we need to start taking elements like human psychology into consideration.
It’s obvious by now that the bad guys are already doing this. I’ve written countless times by now about how the vast majority of cyberattacks are facilitated by taking advantage of human psychology, leveraging techniques like phishing and spearphishing. Hackers routinely exploit human emotions like fear, greed and curiosity to trick us into making snap decisions using our gut instincts. And as we’ve been saying for years, when you rely on your gut to make security decisions, you’re either lucky or you’re wrong.
Knowledge Isn’t Everything
Good cybersecurity training can address vulnerabilities in your user base and close the gaps in your human-focused security. If it’s going to do so effectively, however, we need to undergo a fundamental change in how cybersecurity training is carried out.
We all know the difference between book smarts and street smarts. One of them will get you good grades in school and high scores on pub trivia. The other one may actually keep you alive in a dangerous situation. The same is true in the digital world as well: Knowing the theoretical difference between a virus and a botnet doesn’t necessarily mean that you’re going to detect a phishing attack before it’s too late. Training yourself to notice real-world examples of phishing attempts, on the other hand, can make a big difference in your cyber-exposure over time.
Unfortunately, many training programs in the cybersecurity world focus on book smarts rather than street smarts. We make people memorize convoluted procedures and useless facts when we should be giving them the tools to identify potentially dangerous situations, think through the risks, and make informed decisions without relying on emotions and half-remembered security factoids. In short, cybersecurity training needs to evolve from a simple check in the box into something that can simulate a real-world cybersecurity scenario.
Promote Growth, Not Defeat
“No one wants to get hacked, and if we approach the everyday challenge of practicing good cyber hygiene as if it were a zero-sum, fixed proposition, we’re setting ourselves up for failure.”
Most importantly, however, cybersecurity training needs to measure and build up not only employees’ existing knowledge, but also their engagement and willingness to learn over time. By measuring only an employee’s knowledge, you’re treating their cyber readiness as a fixed quantity, rather than something that can be encouraged and grown over time. It’s not just ineffective to say that humans are the weakest link in any security setup — it’s counterproductive. It makes people throw their hands up and give up when they should be empowered to get better. This is a critical distinction that traditional training solutions have yet to fully realize.
Here at CybrQ, we’re taking a stab at solving this training dilemma by creating real-world training challenges on a variety of security topics. These challenges can be triggered at any time, and take only about five minutes to complete. They’re timed in order to accurately simulate the reality that many cybersecurity-related decisions take place under time constraints. Because they’re so short and to the point, they’re perfect for embedding directly into your employees’ day-to-day. And because they take only moments to deploy, they can be easily and cheaply scheduled throughout the year, giving any company the ability to offer semiannual, quarterly, or even monthly cybersecurity readiness training so that when an attack does occur, their people are ready to handle it.
CybrQ’s myLearning solution offers real-world cybersecurity training in a simple, affordable package that’s optimized for small businesses. Our plans start at $750 for a single session, or $1500 for one year of training challenges up to a maximum of 250 participants — that’s just six dollars per employee for a full year of cyber awareness training and analytics!
Want to get started with myLearning for your business? Get in touch at email@example.com, or visit https://cybrq.com to set up your account today.