We’ve all been through fire drills in our lives, probably since our early days back in elementary school. Single file, walk, don’t run, then meet outside across the street or by the flagpole — it’s the same routine every time.
OSHA doesn’t require fire drills, but your local fire code enforcement, office building, or insurance carrier may require you to hold them periodically. Heck, our office space at the Atlanta Tech Village even gave us ice cream (pre-COVID) when we all went through the motions!
If you are required to conduct fire drills, shouldn’t you know why you are doing them? Is it to check the box for compliance? Is it to test every employee? Is it just to be annoying several times a year for everyone? Are we just going through the motions based on a routine?
I believe the goal of requiring organizations to hold periodic fire drills is to ensure the safe evacuation of employees during an actual emergency. The drill is the time to practice in a safe, simulated exercise. So are we really meeting that goal, and do we feel prepared?
Let’s tie this concept back to the goals behind our security awareness training to see what we are missing.
For most employees, fire drills simply seem annoying. Think about the last fire drill you participated in. What were your feelings as it was happening? Were you in the middle of a meeting and had to leave the building, or on an important phone call that you had to end because of the alarm going off in the background? How did that make you feel? Did you feel like your time was well spent, and were you so happy that you got to participate in such an amazing, educational preparation event? I’ll wait.
Chances are, you’ve never been in a building that was on fire. You don’t have that personal story to understand why it’s so important to practice escaping from fires. In one apartment complex I lived in, the fire alarm would go off several times a month, mostly at 3 a.m., and it was loud! False alarms are the reason people hate fire drills and a big reason why people feel they are a waste of time. I really didn’t like fire drills either. I’ve never been in a burning building, so I have never had that real-world experience.
While the threat of a building fire is real, the threat of a cyber attack, and the likelihood it will impact someone you know, is a much harsher reality. It’s much more likely for a disaster to hit your email inbox than for your building to catch on fire. So why does boring annual security awareness training, the digital equivalent of the fire drill, feel like such a waste of time for everyone participating?
As with fire drills, how are we ensuring that our employees actually understand why we’re training them about cyber security and what is at stake? Are we truly aligned to that goal, or are we simply going through the motions?
If a fire drill is designed to train people on how to escape from fires, cyber security awareness training is designed to prevent the next data breach or cyber attack that could wreak havoc on your business.
The fire drill concept is flawed. Why is that? Because it’s the same routine over and over again. False alarms, year after year, drill after drill — nothing changes and everyone knows it. But what if you modified fire drills with a new approach that makes people have to think instead of simply following the same old process?
Some suggested modifications for fire drill training include making the first floor unavailable, closing off the stairway everyone uses to exit the building, or putting some people in the restrooms and making them wait. Pretend someone is injured and can’t walk. Change it up. Make people feel as if this were a real emergency with real actions. Do anything that challenges your employees to apply critical thinking skills for how they might respond in these different scenarios.
You have to do things that are out of the norm to get employees to actually use their brains during their security training.
Otherwise, if you treat cyber security training as a routine exercise, you’re teaching people simply to go through the motions, which won’t save your organization from the next cyber attack. Instead, you need buy-in from every single employee to understand their role in defending against cyber attacks.
For example, you may already run an annual cyber security training, telling your employees to be on the lookout for suspicious emails. Don’t do this, don’t do that… it’s a bunch of Death by PowerPoint slides bundled together with bullets of complex legal language. Sound familiar?
A comprehensive security awareness training program is more than just a once-a-year check-the-box exercise. Far too many times, I see this exact same concept being applied to security awareness training programs: an annual exercise to simply say ‘we did it’ to an auditor, instead of focusing on the topics that could help employees defend themselves and your business.
How can you change the perspective so your employees get engaged and actually learn from their security awareness training? After all, you’re relying on them to help protect your organization from cyber attacks.
So how can your security awareness program be more effective? Well, let’s look at the big picture.
Phishing always gets the most attention, and almost every organization with a solid cyber security program is running phishing simulations. But how to actually train employees to stop phishing is not being discussed in the detail it deserves. Running more and more tests doesn’t solve that. Each and every employee needs to develop the skills to recognize and block the bad guys attempting to hack them and their peers. Beyond phishing, there are a ton of other risks that employees face every day. They need to be prepared.
Phishing tactics continue to work all too well to convince someone to give up sensitive information, like their social security number, or their credentials for a work account. The Marriott data breach that impacted approximately 500 million people started with just a few employees becoming compromised via email.
When we talk about building a culture of security, it’s more than simply checking the box.
Together, we’re on a mission to create impactful security awareness training programs that are fun and memorable. Your continuous security awareness program should be sending out simulated phishing tests, creating awareness campaign themes, talking about the latest hacks, giving security advice for our families, offering incentives, listening, and generally putting in the effort it takes to build a security culture. Put in the effort your security awareness program deserves.
Don’t let your security awareness training become a digital fire drill.
Your employees don’t care about a boring annual Death by PowerPoint training. I’m sorry, that’s just not going to get their attention or make them care. In fact, these sessions only make employees resent security instead of embracing it. Employees will only listen to what catches their attention, what’s relatable, and what will make a true impact in their own personal lives. Employees listen to stories that can impact them. Employees should take cyber security personally first and foremost.
So the next time you’re pushed through a fire drill, think about what’s really happening. Think about how you and everyone else would act during a real emergency. Remember, this concept about fire drills is no different than going through the motions of security awareness training.
We’re all in this together to help defend against the biggest threats to your organization. To learn more, check out our free episode to see how you can level up your security awareness training program.
CISSP, CISA, Chief Executive Officer of Curricula.
Originally published at https://www.getcurricula.com on July 14, 2020.