How gamification can transform cybersecurity training
The global coronavirus health crisis has seen many adopt a more rigorous hygiene routine in their lives. Unfortunately, cyber hygiene practices inside businesses of all sizes still desperately need improving. Everything from secure passwords to security patches on systems has room for improvement in a world where remote workers are now using their own devices.
The Wall Street Journal reported that the coronavirus cybersecurity fallout might not be felt for months. Many believe that we need a new approach to data security and to embed a more proactive mindset. But there is also an argument that the road ahead is much more complicated than that.
A survey by Webroot revealed that although 80% of employees claim they know how to discern between a phishing email and a legitimate message, 49% admitted they had clicked on a link from an unknown sender at work. These results highlight that no one sets out to be reactive, and that people often believe they are actually taking a proactive stance.
Now that human error represents the biggest cybersecurity risk in organizations, maybe it's time to admit that employees deserve more than an animated video and newsletter every few months.
Upgrading the dreaded mandatory training session
The dull world of mandatory corporate e-learning often involves mindlessly clicking next during awareness sessions on bribery, corruption, GDPR, and cybersecurity. Although they enable HR departments to tick the boxes on their list of regulatory requirements, the reality is they don't work. Gamification can help solve this problem by introducing gaming elements into the corporate learning experience.
Gamification already surrounds us. Online platforms such as LinkedIn, Trip Advisor, Reddit, GitHub, and even the Apple Watch all leverage gamification to encourage and engage their consumers and subscribers. By taking game mechanics and applying them to business objectives, it becomes much easier to engage users in solving problems and to motivate them by introducing competition and rewards.
Gamification expert Karl Kapp believes that this method is best suited to objectives that require reinforcement over time and that need the information to stay at the front of employees' minds. These are just a few reasons why gamification is perfectly positioned to offer an engaging alternative to cybersecurity awareness sessions.
How businesses are using gamification for cybersecurity training
Everybody reading this will know somebody who has clicked on a malicious link or attachment, or accidentally installed malware onto a corporate device. Phishing remains an increasing concern for every organization and proves employees need something more than an annual security training session that results in death by PowerPoint.
Stay-at-home mandates and social distancing rules have made it easier for scammers to target people working from home with dangerous phishing attacks. PwC's Game of Threats™ uniquely provides employees with the chance to play the role of both attackers and defenders. Working against the clock and with limited resources, they are challenged to beat their opponents while also learning more about emerging cyber threats.
Hoxhunt takes this approach a step further with software that combines machine learning with gamification to deliver personalized cybersecurity training. The training and response solution sends automated simulated phishing attacks to every employee. Staff are encouraged to report any suspicious-looking emails using the platform's plugin. If a user falls for one of the simulated messages, they are made aware of where they went wrong and are provided with actionable tips to avoid making the mistake again.
Timely interventions during their working day are helping remote workers change their behaviours when evaluating emails. The gamified element enables businesses to reward employees with points for successfully reporting phishing emails. Departments can then reward top-performing teams and individuals but also highlight where additional training or intervention is required.
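The reporting-and-reward loop described above can be made concrete with a small scoring engine. The following is an added example, not Hoxhunt's or any vendor's code: it folds a constructed log of simulated-phishing events (delivery, click, report) into per-user points, a leaderboard, per-department averages, and a list of people whose click count calls for extra training, attaching a coaching tip for each lure they fell for. The point values, thresholds, tip text, and the event schema are all assumptions chosen for illustration.

```python
"""Scoring engine for a gamified phishing-simulation programme.

Added illustration, not Hoxhunt's or any vendor's code. Assumed rules:
every simulated email is a 'campaign' delivered to each employee; a report
earns points (plus a bonus when it arrives quickly and nothing was clicked),
a click earns nothing and queues a coaching tip for that lure type, and
silence earns nothing. Reporting after clicking still scores the report,
because the report is the behaviour we want, but the click stays on record.
"""
from collections import defaultdict

# Scoring policy (assumed values, not a vendor's).
REPORT_POINTS = 10
FAST_REPORT_BONUS = 5
FAST_REPORT_SECONDS = 600          # report within 10 minutes of delivery
INTERVENTION_CLICK_THRESHOLD = 2   # clicks that trigger extra training

# Coaching tips keyed by the campaign's lure type (constructed text).
TIPS = {
    "credential": "Check the URL before entering a password; the real login page lives on the company domain.",
    "attachment": "Verify unexpected invoices or documents with the sender over a known channel first.",
    "urgency": "Pressure to act 'within the hour' is a classic lure; slow down and verify before acting.",
}

# Constructed simulation log: (user, department, campaign, lure, action, seconds_after_send).
# 'sent' marks delivery; 'clicked' and 'reported' are the employee's actions.
EVENTS = [
    ("alice", "finance", "c1", "credential", "sent", 0),
    ("alice", "finance", "c1", "credential", "reported", 120),   # fast, clean report
    ("bob",   "finance", "c1", "credential", "sent", 0),
    ("bob",   "finance", "c1", "credential", "clicked", 300),
    ("bob",   "finance", "c1", "credential", "reported", 900),   # reported after clicking
    ("carol", "sales",   "c1", "credential", "sent", 0),         # never acted on
    ("alice", "finance", "c2", "urgency", "sent", 0),
    ("alice", "finance", "c2", "urgency", "reported", 3000),     # correct but slow: no bonus
    ("bob",   "finance", "c2", "urgency", "sent", 0),
    ("bob",   "finance", "c2", "urgency", "clicked", 60),
    ("carol", "sales",   "c2", "urgency", "sent", 0),
    ("carol", "sales",   "c2", "urgency", "clicked", 45),
    ("carol", "sales",   "c2", "urgency", "reported", 50),       # clicked, then reported at once
]


def score_events(events):
    """Fold the raw log into per-user statistics.

    Returns {user: {"dept", "points", "reports", "clicks", "ignored", "tips"}}.
    """
    # First pass: collapse each (user, campaign) pair to a single outcome.
    per_campaign = {}
    for user, dept, campaign, lure, action, t in events:
        rec = per_campaign.setdefault(
            (user, campaign), {"dept": dept, "lure": lure, "clicked": False, "report_t": None})
        if action == "clicked":
            rec["clicked"] = True
        elif action == "reported" and rec["report_t"] is None:
            rec["report_t"] = t   # the first report is the one that counts
    # Second pass: apply the scoring policy to each outcome.
    stats = defaultdict(lambda: {"dept": None, "points": 0, "reports": 0,
                                 "clicks": 0, "ignored": 0, "tips": []})
    for (user, _campaign), rec in per_campaign.items():
        s = stats[user]
        s["dept"] = rec["dept"]
        if rec["report_t"] is not None:
            s["reports"] += 1
            s["points"] += REPORT_POINTS
            if not rec["clicked"] and rec["report_t"] <= FAST_REPORT_SECONDS:
                s["points"] += FAST_REPORT_BONUS
        if rec["clicked"]:
            s["clicks"] += 1
            s["tips"].append(TIPS[rec["lure"]])
        elif rec["report_t"] is None:
            s["ignored"] += 1   # delivered, neither clicked nor reported
    return dict(stats)


def leaderboard(stats):
    """Users ranked by points; ties go to whoever clicked less, then by name."""
    return sorted(stats, key=lambda u: (-stats[u]["points"], stats[u]["clicks"], u))


def department_scores(stats):
    """Mean points per department, for comparing teams rather than individuals."""
    totals = defaultdict(list)
    for s in stats.values():
        totals[s["dept"]].append(s["points"])
    return {d: sum(p) / len(p) for d, p in totals.items()}


def needs_intervention(stats):
    """Users at or above the click threshold, with the tips they were shown."""
    return {u: s["tips"] for u, s in stats.items()
            if s["clicks"] >= INTERVENTION_CLICK_THRESHOLD}


if __name__ == "__main__":
    st = score_events(EVENTS)
    for u in leaderboard(st):
        print(f"{u:8} {st[u]['points']:3} pts  reports={st[u]['reports']} clicks={st[u]['clicks']}")
    print("departments:", department_scores(st))
    print("intervention:", needs_intervention(st))
```

The two-pass structure matters: collapsing events per campaign first means a user who clicks and then reports is scored once, as a reported campaign with a click on record, rather than double-counted, and the "ignored" bucket separates people who never engage from people who engage badly, which usually call for different follow-ups.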
What about your technical employees?
Teams of developers, engineers, and InfoSec professionals will require something more stimulating, competitive, and engaging. Many businesses are choosing to host their own capture-the-flag (CTF) events which contain objectively measurable exercises and help their teams hone their security skills.
Techies are tasked with solving challenges that all require different skill sets. The interactive attack and defend competition format requires teams to identify flaws and patch accordingly without breaking the service's functionality. But they must also use the same knowledge to attack the other team.
CTF events enable security professionals to play the role of attacker and defender in real-world scenarios across target machines. The winning team is the one that has solved the most challenges and achieved the highest score.
A new approach to cybersecurity to protect your organization
Every organization is tasked with increasing awareness around cybersecurity and changing user security behaviours. Addressing this challenge requires the engagement of every employee, regardless of skill level, through dynamic, effective, and engaging content. But this requires more than PowerPoint presentations and mandatory annual courses that are nothing more than a regulatory box-ticking exercise.
Experts agree that traditional security training doesn't work and that untrained employees are the biggest risk to businesses. The gamification of your awareness program creates an opportunity to upskill your staff and to help them defend themselves and your company from cyber threats.
Security strategies need to unite departments and be approached with a mindset that reaches beyond IT security teams in order to obtain business engagement. To transform your cybersecurity training, you need to bring all employees and every aspect of your business along for the ride. The best way to finally align risk management and cybersecurity is to make it fun, engaging, and competitive for everyone.
A proactive, rather than reactive approach to cybersecurity doesn't have to be a pipe dream. You need a different approach. So, what are you waiting for?