The shift to working from home during the COVID-19 pandemic brought with it a 300% increase in cybercrime. Wandera’s 2020 Mobile Threat Landscape Report stated that every three minutes new phishing sites pop up. And in April of this year, 18 million phishing attempts were blocked by Google each day for a week. Cybercriminals are enjoying the dispersed work environment and making good use of the chaos, curiosity, and uncertainty. Without the structures of the work environment, employees are relaxing their diligence in cybersecurity awareness and criminals are taking advantage of it.
Phishing is Working — And Employees Are Vulnerable
The scarcity and conflicting narratives in media allow phishing to thrive during this global pandemic. By leveraging highly searched information, criminals create new ways to trick the curious into clicking on unknown and dangerous links. Further exploiting the chaos and uncertainty of COVID-19, bad actors convincingly spoofed large, international organizations and websites, like the World Health Organization (WHO) and the Center for Disease Control (CDC), to smaller, local, and regional health reports.
Combine this trend with the shift to workers working from home in their different stages of alertness and focus. Maintaining vigilance is hard enough in a known setting, but balance it with parenting, teaching, and family demands while shifting through emails on couches, hallways, and makeshift offices in bedrooms — it becomes easy to let down one’s guard for the sake of speed or convenience. That is even if they remember the training — which could have been a year or more ago for some due to shifts in scheduling and availability of training with the pandemic.
Rethink How Employees Are Being Trained
Most cybersecurity awareness training has evolved out of compliance training which is based on checking a box of completed or not completed. It’s a traditional training, consisting of an annual lecture followed by attempts to remind employees throughout the year with posters, emails, and newsletters. Occasionally there might be a phishing test. The results are generally unsurprising and unsatisfactory.
KnowBe4 reports that about 38% of untrained employees fail phishing tests. Generally speaking, when it comes to phishing, employees are doing well at not entering data into forms. They’re a little worse at clicking links (35% failure rate), but if there’s an attachment, rates skyrocket to 65%. Worse, this number increases to 90% when the email looks like it comes from a recognizable internal account or alias. The largest phishing successes revolve around carefully constructed emails that look and feel like an internal company or organization email. These emails can contain attachments that are highly likely to contain malware. Without staying alert to phishing risks, it’s no wonder the average employee is the greatest vulnerability to organization’s security.
When someone at a company continues to fail at training the immediate accusation generally is that the employee is the problem. More likely, the problem is the training. Most cybersecurity awareness training today is inadequate and literally unmemorable. Traditional training techniques rely on large mind dumps and infrequent, spotty reminders which aren’t the best way to create change or skills growth. Behavior change is created with time and repetition. Decades of research back this statement up, but the training has not evolved to match the data.
Why Don’t Current Training Models Work?
Many organizations from higher education to large enterprises have used Learning Management Systems (LMS) to manage and deploy “canned” training. The metric measured is whether the user has completed the training. In the last several years, comprehension questions were added to see if there is any immediate retention of information. It’s the ultimate college cramming. If you know there will be a few follow up questions you mentally store information into short-term memory to allow quick recollection of facts. Within a day, that individual will likely not be able to recall the bulk of the content, questions, or little more than the main category of training. They knew they didn’t need to store the information any longer than their short-term memory.
The current training platforms and methods are not creating behavior change because they are fundamentally flawed. The approach to training in cybersecurity must evolve and get better. Training is only beneficial if it changes behavior. Yet, traditional training only communicates basic information without empowering core behavioral change. To change behavior, material has to be remembered and integrated into actions that through repetition become default behaviors. Annual training can’t accomplish this. And we’ve known that for over 135 years.
Ignoring Decades of Scientific Research
In the first 20 minutes after training, sharp declines in retention have already occurred — and those losses continue significantly for a full hour. This was discovered by Hermann Ebbinghaus in 1885 when he plotted his research findings about memory on a graph and created “the forgetting curve.” His research further demonstrated that by having to frequently recall or revisit training, forgetting is reduced. Despite this knowledge of how the mind remembers and forgets, current training conditions result in fifty percent of training being forgotten within an hour.
Roughly a hundred years after Ebbinghaus’ first research, in 1976, Scottish researchers A.H. Johnstone and F. Percival reported that students only had 10-18 minutes of “optimal focus” before their attention faded. When that attention stopped, it dropped off suddenly and took with it their ability to retain information. The proliferation of technology, including smartphones, has further globally diminished our focus and attention span to a fraction of that time. Johnstone’s research would go on in the 1980s to show that the human mind can only hold six to nine pieces of information before the same sudden and severe drop in memory and attention happens.
Science demonstrates that people only have a limited window of a few minutes where learning happens and that the average human mind can only hold six pieces of information before it shuts down. If training is done in small blocks of time with the right amount of information, retention of material increases dramatically to nearly 90%.
The Solution
Microlearning, learning done in small doses and repeated over time, reshapes traditional long form training. Changing material into bite sized units allows the user to retain the information longer. Repetition of the material helps wire the neural pathways into habits. These short actionable messages are repeated in a variety of methods that highlight varying learning styles and activate neurochemicals.
This regular revisiting of information reinvigorates memory and increases retention which creates lasting skills and behavior change. Instead of old school, long sessions of training that are almost instantly forgotten, learners engage with smaller, shorter doses of learning that are repeated, focused and gamified.
Gamification itself is a key part of effective microlearning. It takes microlearning and involves the employee, or learner, in a process and gives them a proverbial carrot rather than a dreaded stick or compliance check box. Gamification is more than badges and points. It needs to include competition and cooperation, various psychological drives, and the ability to measure progress, in addition to scoring, rewards, leaderboards, and other visual cues.
Engagement Matters
Microlearning and gamification not only make training more effective, they increase engagement. Beyond the neurochemicals triggered when learning is fun, which makes the learning an addictive pleasure versus an external requirement. Gamification and microlearning appeal to core drives in the modern workforce. CISOs need to take a hard look at gamification as a way to engage, train, and retain millennial employees. In talking to a recent large mega-university in the Midwest, their CISO confirmed the shift in demographics. His IT department is 60% millennials. By 2025, workers who are Millennials (born between 1981 and 1996), will constitute 75% of the workforce. The future is here, as are new generations of employees that are demanding change in the way we train and show competency. They want to show they can be engaged but are refusing to waste time using platforms that miss the mark and don’t meet the needs of their generation.
Traditional training techniques are a century old and ignore important advances in knowledge and learning. The current chaos of the pandemic has exposed their ineffectiveness and reminded leaders that the true goal of any training is change and development — not just checking a box. And the new generation is not tolerating a return to old ways that repeatedly fail. Using training that creates true skills growth and behavior change will empower employees to keep their organizations secure — whether in the workplace or at home.
About the Author:
Heather Stratford is Founder and CEO of Stronger International. Located in Spokane, Wash., Stronger has quickly grown into an internationally respected provider of high-risk cybersecurity consulting, corporate training, and cloud-based educational programs for corporations, educational institutions, government, and military organizations. Stronger International empowers firms to create stronger, more efficient, and more secure cultures. For more information, visit https://stronger.tech.