Companies are spending significant resources trying to reduce security risk among employees. And they spend billions each year on training, yet major data breaches continue to make headlines, and human error remains the leading cause of a breach. Where's the disconnect?
One major problem is that companies haven't adapted their security training as quickly as cybercriminals have evolved their attack methods. Cybercriminals increasingly target specific employees based on real-time factors like tenure, department, and location to make their scams more believable. To safeguard against these threats, security training must be as tailored and sophisticated as attack methods.
There are a number of factors and behaviors that affect a particular employee's risk. Here are four of them, and how security training should take them into account.
Department and Job Function
Cybercriminals craft convincing scams by tailoring them based on an employee's department and role. They comb platforms like LinkedIn and company websites to find these details.
Security training should be tailored by job function and provide employees with real-world examples of the scams most likely to target them. For example, the CFO and finance department might be targeted by more business email compromise attacks like wire transfer fraud, and they should be trained on them accordingly.
Human error also differs by department. For example, sales teams often have access to large swaths of personal information. Train these teams on how to avoid data loss risks, like sending documents or attachments to their personal emails.
Individualized training allows companies to prioritize training for employees with access to sensitive data, such as customer Social Security numbers and financial information, and for the departments that are most often targeted. For this reason, information on employees' roles and access should be automatically updated.
New employees are often specifically targeted by hackers, and social media makes this easy. Tessian found that 93% of US respondents post about a new job on social media.
Because new employees are less familiar with colleagues and company security protocols, they are often less able to identify abnormal requests. Cybercriminals know this and take advantage of it. For example, they'll pose as an IT team member or customer service rep asking for login credentials to set up software or account permissions.
Security training and tactics should focus on where new employees' vulnerabilities lie so they know what to look for. A careful review of security guidelines and best practices should be integrated into the onboarding process early on.
Remote or In-Office Work
Security was a major challenge for many companies during the transition to remote work. Now they will face new hurdles with a complex shift to hybrid work. It's highly likely that cybercriminals will continue to target remote employees and take advantage of any uncertainty caused by the hybrid workplace.
Distraction is an important risk factor here. Over half (57%) of employees say they feel more distracted when working from home, while 47% cited distraction as the top reason for falling for a phishing scam. People tend to make more mistakes, like clicking a link without verifying an email sender, during these situations. It's also more difficult to verify a legitimate request from a colleague when you're not in the same location.
Employees should be trained on the specific security risks unique to working from home, in an office, or in a hybrid environment.
Risk of Human Error
Security training often focuses only on risks like phishing scams that aim to trick employees. But simple human mistakes also lead to data breaches — for example, when an employee sends sensitive information to the wrong email recipient. The most effective tools will flag this behavior in real time as an employee is about to make a poor decision. Humans learn best in context, so training is best delivered in-the-moment rather than in lengthy modules that happen once per quarter.
Training has an important opportunity to make employees aware not only of general security risks, but also improve their individual behaviors over time. Do they download large amounts of sensitive data when they only need to access a small portion? Do they have a history of falling for phishing scams? Security reminders should be tailored to past behavior and delivered consistently.
This is not about shaming or punishing individual employees. The goal is to arm them with specific, relevant knowledge based on their own workplace habits.
Better for Employees, Better for Organizations
Tailored training is a win-win for both organizations and their employees. Instead of sitting through long, boring training sessions that interrupt productivity, employees' time can be spent only on the most relevant information. Training becomes more engaging and more memorable. Meanwhile, organizations save resources by making training more effective and efficient. The ultimate goal is to create a wider security culture that leaves the organization better protected overall.
Cybercriminals are consistently refining their techniques to trick employees, while workers are put in charge of more and more data as companies digitally transform. Security techniques should, similarly, continually incorporate new methods and technologies. By analyzing unique risk factors and making security training both individualized and automated, security leaders can protect employees without disrupting their work.