one’s surprise, end users continue to be the favorite target of cybercriminals. Verizon’s 2017 Data Breach Digest, the companion to its annual data breaches report, states that of the data-loss incidents studied, 90% involved phishing or the social engineering of end users. A July 2018 Cybersecurity Insiders report (PDF) concluded, once again, that more than 90% of the participating organizations felt vulnerable to insider malicious behavior or inadvertent errors by end users.
Some experts suggest attitude is a big reason why end users are targeted. “Some IT pros will say that training end users is a waste of time, as they [end users] will click through the training but not heed the warnings,” writes CompTIA product manager Stephen Schneiter, in his CompTIA.org article We Are All End Users: Cybersecurity Training as a Life Skill. “That end users are of the mindset that network security is someone else’s responsibility or that if antivirus software is running, they are protected, or that really, there is nothing of importance on my computer.”
Try a new approach to cybersecurity training
Why gamification might be the answer
Engaging end users is especially of interest to Mark Stevens, senior vice-president of global services at Digital Guardian. “In addition to using traditional training methods, businesses are increasingly looking for other more immersive solutions,” writes Stevens in his SiliconRepublic article 6 top tips to make cybersecurity training more fun. “This is where gamification can play a role.”
“Gamification is the process of engaging people and changing behaviour using game mechanics in a non-game context. Essentially, it’s taking what’s fun about games and applying it to situations that aren’t much fun—like how to block the next hacker from infiltrating a company’s network.”
To make his point, Stevens offers the following reasons why gamification is a good idea.
1. Recognize positive cybersecurity behavior. Stevens is well aware that employees must be considered when determining what factors could affect a company’s cybersecurity posture. By using gamification, he suggests, employees can be rewarded when they abide by the rules, which in turn encourages good behavior.
2. Talk about data protection. Gamification, according to Stevens, will inspire open dialogue among employees when discussing how to properly handle sensitive data—important now that the General Data Protection Regulation (GDPR) is in place. Stevens adds, “Instead of the topic being boring or rogue, workers hopefully will talk about their achievements, challenges, or lessons learned.”
3. Increase the frequency of cybersecurity training. To be effective, any training, and cybersecurity training in particular, needs to occur on a regular basis. The fact that gamification can be automated is a huge plus, because it allows employees to work on their skills without interfering with normal business operations.
4. Engage employees. Friendly competition is one reason gaming is so popular. “Through friendly leader board competitions, end users are instantly engaged in the game—or training—at hand,” suggests Stevens. “This increases internal communication and creates new relationships, improving employee engagement across the board.”
5. Find cybersecurity talent. Gamification is already helping increase interest in cybersecurity. “Organisations such as Cyber Security Challenge have been trying to tackle the talent gap by hosting yearly competitions,” writes Stevens. “Winners are then offered lucrative job opportunities at large tech firms and government agencies who sponsor the challenges.”
6. Audit to measure effectiveness. Gamification becomes nothing but additional work and expense if it is not effective. Stevens feels that businesses should conduct cybersecurity audits on a regular basis to determine if security is improving.
How to convince managers about gamification for cybersecurity training
Ask any cybersecurity professional about the difficulty in getting funds for a project, and the person will likely have a story or two to tell. CompTIA’s Schneiter has an interesting idea that might help convince company management to invest in gamification:
“Professional development is something that organizations should be promoting with cybersecurity training. Everyone wants to gain more skills and succeed in their career, and cyber-training could be blended into a continuous training program.”
What about remote workers and cybersecurity?
Many sophisticated data breaches have started out by subverting an employee working from home or remotely. At-home or remote employees willing to apply security skills learned using gamification training can help eliminate a popular attack vector used by cybercriminals.