
How HR can motivate employees to take cybersecurity training seriously

Ani Banerjee, KnowBe4
Ani Banerjee is chief human resources officer for KnowBe4, the security awareness training and simulated phishing platform used by more than 54,000 organizations. Banerjee oversees HR operations across 11 countries and has 30 years of experience in global HR leadership roles working for VMware, Dell, Yahoo and AOL.

Did you know that 80%-95% of all cyberattacks start with phishing or some kind of human error? Technology-based cybersecurity controls are certainly important; however, organizations can no longer afford to ignore the human-related root causes of security breaches. Moreover, employees can serve as an essential layer of defense and a highly effective early warning system for the detection of cyberattacks.


Technical controls cannot close the human gap on their own; the most direct way organizations can reduce human error and boost security-minded behavior among employees is by increasing their awareness of cyber threats. Workforces need to be trained to recognize the red flags common to most social engineering and phishing scams, and, in general, to understand how vital their role is in protecting the organization from cyberattacks.

But here’s the rub. When organizations run such training programs, many employees simply ignore them or dismiss them, saying, “I just don’t have the time.”

Employee disengagement—beyond the “no time” excuse

While employees might cite lack of time as a reason for skipping security awareness training, the root cause often lies deeper. Employees may not see a clear connection between training objectives and their daily work. They might question the relevance of the training to the company’s goals or their own performance. Boring or outdated training materials can further dampen employee motivation. If the training fails to meet their expectations or feels irrelevant, they’re less likely to be engaged. What’s more, a lack of visible commitment from leadership can send the wrong message that security awareness isn’t a top priority. Without encouragement from management, employees might prioritize other tasks.

Below are recommendations that can help HR and security teams make training programs more engaging and relevant.

1. Define and communicate intent and objectives

Shared objectives foster a sense of purpose and responsibility for maintaining a secure environment. Defining objectives sets the purpose and direction of the training. This clarity helps employees understand what they are expected to learn and how it aligns with their role and the organization’s overall security goals.

Measuring success through established metrics, such as the click rate on simulated phishing emails, the rate at which employees report suspicious messages to the security team and on-time completion of training modules, allows for ongoing evaluation of the training program. This data can be used to identify areas for improvement and to demonstrate the training’s value to leadership teams. When leadership sees the positive impact employee participation has on security, their continued support is more likely.

2. Get leadership involved

When involving leadership, do so publicly so that word spreads. When leaders lead by example, employees will want to follow. Employees will value training even more if security objectives are linked to performance, business goals and objectives. Who better than business leaders to communicate this?

3. Make it interesting and entertaining

Deliver training content using a storytelling approach. Build analogies and narratives. Make it contextual and relevant for the audience. Illustrate real-life security incidents pulled from news stories highlighting ransomware victims, for instance. Establish an emotional connection, which makes the content more relatable. Also, humor can make training more engaging and memorable. Run phishing simulation tests instead of merely displaying examples from a slide deck. Send newsletters, videos and reminders to keep employees engaged.

4. Gamify, partition, celebrate

Avoid extensive training materials that require employees to sit through lengthy 60-minute lectures. Instead, break the content into smaller parts and deliver it over the course of a year. This way, training will appear less cumbersome and more feasible. Next, gamify the way you measure and report results. Set up competitions between departments, incentivize with rewards like gift cards and celebrate successes. Recognize those employees who excel at phishing tests, complete training modules on time, exceed expectations and regularly report social engineering scams to security teams. Keep the emphasis on recognizing good behavior, especially reporting, rather than on singling out those who click; employees who fear blame are less likely to report a mistake quickly.

5. Motivate with autonomy, mastery, purpose

Autonomy, mastery and purpose comprise a well-known formula for motivating people. In the context of cybersecurity training, “autonomy” means giving employees the freedom to choose which training they prefer and when they’d like to take it. “Mastery” means you want to give participants a sense of progress. Show what they have learned so far. Finally, “purpose” entails making the entire program relevant so that employees feel compelled, inspired and motivated to complete it. This is where leadership skills come in handy.

6. Deploy culture advocates

Corporate culture—or the norms, attitudes, behaviors and perceptions apparent in the organization—works best when it is infectious. Deploying culture carriers and advocates can positively influence the security culture. Find individuals who are passionate about security and use their help to promote security programs among their peers.

Security awareness training doesn’t have to feel like a chore. Think like a marketer, operate the program like a professional and use innovative ideas to keep your audience motivated and engaged. By adopting these best practices, organizations can boost employee participation in training programs while ensuring the methods are engaging, relevant and backed by leadership.