By Sean Brady, Mimecast VP of Product Management
In addition to email, collaboration tools are now a focal point of the cyber threat landscape. While email-borne attacks remain the primary vector exploited by threat actors today, collaboration channels like Microsoft Teams and Slack have emerged as critical vulnerabilities of the cloud-based hybrid enterprise. Best-in-class products are undoubtedly important to a strong security posture, but cybersecurity is still a human issue at its core — more than 90% of security breaches involve some degree of human error.
The need for organizations to fortify their human firewall has never been more prevalent. That said, the security benefits of robust and ongoing user awareness training programs are evident: employees who receive continuous user awareness training are five times more likely to identify and avoid malicious phishing links. However, it’s easy for these training programs to fall flat, especially when they fail to align with the evolving threat actor tactics, techniques, and procedures.
According to Mimecast’s independently commissioned Collaboration Security: Risks and Realities of the Modern Work Surface Report, most security leaders (74%) believe their organization is equipped to defend against a collaboration tool-based attack, and 80% feel they have effectively communicated the security vulnerabilities of collaboration tools to their employees. But on the contrary, only 38% of employees claim they have received any collaboration tools security training, and a mere 10% say they have received dedicated collaboration tools security training separate from the wider cybersecurity training offered by their organization. The findings highlight a clear disconnect between organizational leaders and their employees, underscoring the importance of implementing more targeted awareness training programs for collaboration tool security.
Keys to Effective User Awareness Training
Effective user awareness training helps foster company-wide buy-in, creating an organizational culture where everybody plays a role in protecting the organization from cyber threats. The end goal is to simplify security for employees by guiding them on how to implement best practices that minimize cyber risk, whether it’s for social engineering prevention, brand spoofing identification, password protection, or data hygiene. It’s not to belittle them or make them feel as if they are the root cause of every successful data breach. That will only further exacerbate the problem at hand.
It’s important to remember that awareness training isn’t one-size-fits-all – it must be scaled to the intricacies of the organization’s unique security environment. For example, healthcare organizations that adhere to HIPAA data privacy regulations should structure their training around HIPAA compliance standards, which encompass different sets of protocols than organizations in other industries. Regardless of company size or sector, if the training content isn’t aligned with employees’ day-to-day roles and responsibilities, there’s far less likelihood it will resonate with them.
Also remember that when implemented correctly, awareness training is a marathon and not a sprint. It isn’t enough to simply require cybersecurity training during onboarding. Considering cyber threats are constantly evolving, training should be continuous and regularly updated to align with shifts across the cyber threat landscape – like the rise of collaboration tool attacks. Organizations that fail to refresh their trainings year-to-year are not accounting for the cyberattacks they face today. It’s critical to ensure employees are up to date on the latest risks and preventative measures.
Monitor training program pass rates and participation to measure its efficacy. Are you seeing higher pass rates over extended periods of time? Are employees completing training within the preferred deadline, or do they need to be constantly reminded? Keeping tabs on these metrics can give security teams insight into whether there’s a culture lacking in participation, and if so, how they can change that with the training. Understanding the results also gives your organization the opportunity to provide more training to the employees who need it.
The Personalization Effect
Personalization is worth its weight in gold when it comes to awareness training. Organizations should create interactive and engaging training materials that align with the interests and learning styles of Millennial and Gen Z employees. Utilizing personalization, as well as a variety of formats like videos, quizzes, and simulations, helps appeal to a wider audience and increases the chances of it sticking. That could come in the form of comedy, sports, or pop culture references. Promote active learning by including interactive elements in your training program and incorporating hands-on exercises, case studies, and real-world examples to encourage employees to apply their knowledge.
Customize the training content to address the specific responsibilities and risks associated with different job positions within your organization. For example, training courses for an HR admin should be different from the courses an accountant completes, considering both employees likely leverage collaboration tools in varying capacities and workflows. In turn, it should be tailored to relevant examples and scenarios that reflect day-to-day tasks so that employees don’t feel like it’s wasting their time.
With hybrid work environments seemingly here to stay, the volume and velocity of collaboration tool attacks will only continue to rise moving forward. It’s imperative for companies to position their employees to navigate these new forms of cyber threats. By implementing collaboration tool user awareness training at scale, they can make measurable progress toward enhancing security posture throughout every layer of the organization.
