Security Awareness Training: Why ‘Us vs Them’ Is a Lose-Lose Situation

Good idea: Applying gamification techniques to your security awareness training program. This type of lighthearted, healthy competition between departments can help engage participants and leave employees feeling empowered and rewarded.

Bad idea:  Approaching your security awareness training program with a ‘you vs. the end users’ mentality. This mindset can breed resentment and distrust — on both sides — and undermine your efforts to build a more secure culture.

Getting on the Same Side of Cybersecurity Education

Given today’s increasingly challenging business atmosphere, it’s natural that infosec teams want to do as much as they can to control their own destinies. And we certainly understand the frustrations of dealing with the ramifications of end-user mistakes; the devices aren’t yours…the email addresses aren’t yours…but the responsibilities for remediation fall to you and the members of your infosec team when issues like successful phishing attacks, credential compromise, and malware and ransomware infections happen.

Tempting though it may be, letting those frustrations manifest into an “IT vs. end users” approach to cybersecurity doesn’t solve your problems. In fact, it compounds them. End users are made to feel stupid — even though they are often highly skilled and very capable of doing the jobs they were hired to do. When employees are treated as a security liability, rather than a potential security asset, they begin to resent even simple safeguards they are asked to employ, feeling that no matter what they do, it doesn’t matter. It’s a recipe for apathy at best, and an environment that breeds deliberate security infractions at worst.

Seeking more advice about how to deal with risky end-user behaviors? Hear what a panel of cybersecurity experts have to say about handling ongoing issues and implementing escalation paths.

So, if you’ve strayed into this mindset (or you are battling that mentality within your staff), how can you reset? Realistically, behavior change doesn’t happen immediately; it’s a process. Sure, it’s a little “touchy feely,” but it’s really about adopting a new outlook. Here are some tips for you and your team:

• Put yourself in your users’ shoes. IT security is not their forte. The threat landscape shifts rapidly, so expecting non-IT employees to keep up and be perfect is not only unrealistic, it’s unfair.
• Accept that your users can be taught new tricks. In your career, you’ve learned a lot of new things. So have the other employees in your organization. Many cybersecurity best practices aren’t rocket science, but they also aren’t innate. Learning won’t happen through osmosis, but it can happen through opportunity.
• Recognize that it takes time. Talking at your users once or twice a year and sending a few emails is not the recipe for an effective security awareness and training program. You did not learn about phishing prevention, mobile device security, password management techniques, and other best practices in a few minutes a few times a year. Allow your users the same courtesy of learning and improving over time.
• Allow for — and accept — that mistakes will happen. Spam filters don’t catch everything. Anti-virus software is never totally out in front of threats. Software patches aren’t always applied in time. Users won’t catch every phishing email or avoid every dangerous site. 0% vulnerability is unachievable on all fronts, so stop chasing zero and start focusing on risk reduction rather than risk elimination.   

Bottom line: The only “us vs. them” mindset when it comes to cybersecurity should be “your organization vs. the attackers who would do you harm.” Put your end users in your corner, and help them gain the skills they need to make your security stronger. You are in this together, so do it together.