Nick Petschek, Managing Director EMEA, Kotter International

Why your compliance training won’t stop the next cyber-attack

Traditional compliance training isn't enough to protect your organisation from today's cyber threats. Nick Petschek from Kotter International explains why behavioural change – not just awareness – is essential. Here, he shares practical strategies to help your employees instinctively recognise and respond to sophisticated social engineering attacks, even under pressure.

This summer saw two of the UK’s largest businesses experience cyber-attacks. M&S disclosed approximately £300 million in losses and Co-op reported £206 million lost in sales from a similar breach. These examples remind us just how critical it is to ensure employees can combat online manipulation and prevent organisations from being infiltrated.

When it comes to cybersecurity, traditional compliance training doesn’t go far enough – behavioural change is a must.

Why traditional training fails 

Current approaches often view awareness as action, yet time and again employees unknowingly compromise company systems.

Take Canadian airline WestJet as an example. Their internal systems were infiltrated when attackers impersonated employees to trick the IT help desks into granting access and, once inside, they stole sensitive data that impacted 1.2m customers.

Social engineering is one of the key manipulation tactics cyber criminals use on employees to get their foot in the door of an organisation’s system. Employees must therefore be able to recognise this impersonation and respond appropriately, even under the high-stress reality of a live incident. 

Implement ‘see, feel, change’

Leaders can build a sense of urgency among their team by using Kotter’s tested research on “see, feel, change”. The traditional “analyse-think-change” approach seldom has the needed impact.

Surveys show that 70% of medium businesses and 67% of large businesses faced breaches in the past year. But citing these statistics to highlight the severity of the situation won’t actually inspire action. People stay in “analyse” mode and invent reasons why they would be among the 30% that were not breached (even if that group were only 2%).

So change your tactic. Instead of statistics, run a (small) scenario experience. Bring in a leader from a hacked company to explain what it felt like to have to make the call to say they’d been hacked, and the feeling of letting down customers. Go on-site to a company (or just walk through an M&S) to help your leaders “see”, and then “feel”. It is our emotional drive that most often leads us to change behaviour, not our rational understanding.

Foster a security-first environment 

Redesign how you introduce new starters, so you not only show the company’s vision but also embed a culture where safeguarding is a priority.

Instead of sharing slide decks with information, use practice drills that mimic real attempted cyber-attacks. Doing so lets employees see how to deter an intrusion. Time pressure, realistic emails with company branding, help-desk calls backed by accurate information, and invoices with familiar vendor details force employees to make judgement calls, not just recall facts. This generates short-term wins that can be recognised, used to track progress and energise employees.

These exercises need to align with the employee’s role. For example, help desks should face practice drills in which callers posing as locked-out, angry employees demand account details, and the correct response is to verify the caller’s identity before releasing anything.

Attackers have moved past generic phishing emails: they research their targets and use authority and urgency to provoke a reaction. To be effective, your scenarios should mirror this and induce the same stress employees would feel in a real breach attempt.

When running these programmes, behaviour, not completion, should be the measure of success. Celebrate the employees who pause when something feels off, follow the verification process set by your organisation and escalate to security when in doubt. You can also track the time taken to report the phishing attempt, the quality of the escalation, and whether the employee declined a suspicious request.
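As an added illustration (not code from the article or from Kotter International) of scoring a drill by behaviour rather than completion, the Python below takes a constructed log of drill outcomes and computes the measures suggested above: time to report, quality of escalation, and whether the suspicious request was declined, broken down by role, plus the list of employees whose behaviour is worth celebrating. The record fields, role names and the weighting of escalation channels are assumptions for the example.

```python
"""Score a social-engineering drill by behaviour rather than completion.

Constructed example: the drill records, role names and escalation
channels below are invented for illustration; the channel weighting
is an assumption, not a published standard.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

# Assumed quality weighting for how an employee escalated a suspicious
# request: reporting straight to security scores highest.
ESCALATION_SCORE = {"security-inbox": 3, "ticket": 2, "manager": 1}


@dataclass
class DrillRecord:
    employee: str
    role: str
    delivered_at: datetime             # when the lure (email, call, invoice) arrived
    reported_at: Optional[datetime]    # None if the employee never reported it
    clicked: bool                      # acted on the lure (link, reset, payment)
    declined_request: bool             # explicitly refused the suspicious ask
    escalation_channel: Optional[str]  # where it was reported, if anywhere


def minutes_to_report(rec: DrillRecord) -> Optional[float]:
    """Minutes between delivery and report, or None if never reported."""
    if rec.reported_at is None:
        return None
    return (rec.reported_at - rec.delivered_at) / timedelta(minutes=1)


def escalation_quality(rec: DrillRecord) -> int:
    """0 if not escalated, otherwise the assumed weight of the channel used."""
    return ESCALATION_SCORE.get(rec.escalation_channel or "", 0)


def summarise_by_role(records):
    """Per-role behaviour metrics: report rate, median time to report,
    decline rate and click rate."""
    by_role = {}
    for rec in records:
        by_role.setdefault(rec.role, []).append(rec)
    summary = {}
    for role, recs in by_role.items():
        times = [m for m in (minutes_to_report(r) for r in recs) if m is not None]
        summary[role] = {
            "report_rate": len(times) / len(recs),
            "median_minutes_to_report": median(times) if times else None,
            "decline_rate": sum(r.declined_request for r in recs) / len(recs),
            "click_rate": sum(r.clicked for r in recs) / len(recs),
        }
    return summary


def champions(records, max_minutes: float = 15.0):
    """Employees who showed the behaviours worth celebrating: did not take
    the bait, refused the request, and reported it within max_minutes."""
    return [
        r.employee for r in records
        if not r.clicked and r.declined_request
        and (m := minutes_to_report(r)) is not None and m <= max_minutes
    ]


# Constructed drill log: five employees in two roles, one simulated lure each.
_T0 = datetime(2025, 9, 1, 9, 0)
SAMPLE_RECORDS = [
    DrillRecord("a.khan", "help-desk", _T0, _T0 + timedelta(minutes=4), False, True, "security-inbox"),
    DrillRecord("b.osei", "help-desk", _T0, _T0 + timedelta(minutes=40), False, False, "manager"),
    DrillRecord("c.lee", "finance", _T0, None, True, False, None),
    DrillRecord("d.rossi", "finance", _T0, _T0 + timedelta(minutes=12), False, True, "ticket"),
    DrillRecord("e.novak", "finance", _T0, _T0 + timedelta(minutes=90), True, False, "ticket"),
]

if __name__ == "__main__":
    for role, stats in summarise_by_role(SAMPLE_RECORDS).items():
        print(role, stats)
    print("champions:", champions(SAMPLE_RECORDS))
```

With the constructed log, the help-desk role reports every lure (median 22 minutes) while finance shows a higher click rate and a slower median report time, which is the kind of role-level gap the article suggests feeding back to business leaders; the two employees who refused the request and reported it quickly are the natural candidates for the ‘security champion’ role discussed later.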

Breaking silos to sustain change 

Cyber resilience is a change initiative that requires cross-functional ownership and sustained engagement. As an L&D professional, you must mobilise networks to reinforce your training and sustain the change. 

While you own the instructional design:

  • Lean on IT for technical controls for your drills and to enhance your initiatives
  • Meet with business leaders to ensure the training aligns with specific roles and their operational realities
  • Work with management to create a sense of urgency on the topic company-wide to help catalyse the change

Once all these groups work in partnership, the next step is recruiting ‘security champions’ to coach peers – invite those who demonstrated the best behaviours in the drills to take on this role.

This will anchor changed ways of working by making defence a shared opportunity and a collective goal that defines excellence. These champions can help run peer learning and feedback loops: debriefs after drills give teams an opportunity to discuss what was noticed, what was hard, and what strategies worked, all in the pursuit of making security everyone’s responsibility.

Adapting for a changing cyber landscape

Traditional compliance plans solely built on presentations and quarterly workshops fall short in the volatile and active cybersecurity landscape. 

Cyber threats are becoming more complex by the hour, so your training must continually adapt to this. Building training where employees don’t just know the rules but act on them instinctively, even under pressure, will unlock your organisation’s potential to protect what matters most.