As we always say, a crucial aspect of good cyber practice in the workplace is education. Employees can either be a strength or a vulnerability to an organization’s network, depending on the knowledge and training they receive. So why not make them as strong a defense as possible?
John Sileo at Security Magazine puts forward a really creative idea for an effective way to do so: put simply, games. According to a PulseLearning study, 79% of respondents “would be more productive and motivated if their learning environment was more like a game.” These employees feel a heightened level of engagement when a gaming context is implemented.
I can’t say I find this surprising. In my own personal experience, from both a student and teaching perspective, games can be used to communicate lessons in a highly effective, participatory way. They can put the student or employee in a central role, allowing them to have an active effect in a simulation, all the while enforcing the lessons critical to the venture. I am all for this. Employing new methods to boost cybersecurity awareness in an enterprise can only be a positive.
This is just a part of the overall recommendation, which takes an approach of rewarding success rather than punishing failure. Especially they haven’t even been properly educated on a subject that even executives often fail to grasp. Employees don’t necessarily care about a company’s bottom line too much, which is why Sileo suggests guiding them through cybersecurity education as if their own data was at stake. If a person adopts good cyber practices in their daily life, those habits are more likely to translate to their work environment. This, of course, is the purpose of all the advocacy we and others do for staff training. Penalizing someone whose actions have inadvertently led to a data security incident, when those responsible failed to make that person aware, is itself irresponsible.
Better instead to offer actual incentives, material or social, for getting it right. With the numerous ransomware attacks targeting the healthcare industry (and others), it’s time to rethink old approaches.