Cyber Security Training: Messaging to the right audience matters.
The average downtime due to a cyber attack has increased from 15 days to 22 days. Across the industry, this unplanned downtime costs approximately $300,000 per hour on average. Cyber incidents are the highest business risk called out by the Allianz Group in its annual Risk Barometer report. Preventing a cyber attack, or responding to one in a timely manner, is the top IT priority for organizations across the world. According to the Verizon Data Breach Investigations Report (2021), 85% of data breaches had a "human element" and 61% involved credentials. Low security awareness among employees is the top barrier keeping organizations from establishing effective cyber defenses. From a financial impact standpoint, the overall cost of cybercrime globally is over $1 trillion, a 50% increase over the past two years. Are these survivable numbers for your business?
Yet we tend to take a cookie-cutter approach to cyber security training in our organizations. We work with HR on our annual cyber training, address the do's and don'ts during employee onboarding, send emails to call out mistakes, and put up posters during Cyber Security Awareness Month in October. We follow this up with a phishing test and take pride when our stats show improvement. But is it effective? Will the training last? Test it out and you will see that the farther away you are from the training, the less the stats are in your favor. Here are some interesting facts. After one hour, we retain less than half of the information presented. After six days, 75% is lost, and whatever information is left in our memories continues to fade at a much faster rate if it is not recalled again. Given the stats listed above, is that enough? Are we doing justice to our #1 business risk?
We need to message cyber security awareness in three (3) distinct "languages" to three (3) tailored audiences. Let's dive in.
1) The "Why" and "How" to everyone. This message is for everyone, and it should be simple, consistent and repeated. A consistent, repeated message "sticks" with audiences far better than one that is complex and constantly changing. Elections are won using this method. Regardless of when or where the audience hears our message, it should be the same and reinforcing, every time. The audience must be aware that they are stakeholders, and we need to ensure that they buy in to our arguments. For this to happen, the discussion needs to be interesting and captivating, sprinkled with real "war stories". You don't have to go far for these stories; check with your IR team for a few good ones. In almost all cases, addressing the "WHY" in a message is more important than the message itself. Our employees will buy in when they understand their stake in the game.
2) Time and cost impact discussion with the services and supplier teams. The target audience here is the application developers, the Tier 1 services teams, and the supply chain partners that support the organization. They become stakeholders when you relate the time and cost impact of a security incident to the organization and to the partner's symbiotic relationship with it. Above and beyond the technical aspects, they need to understand the revenue impact to the organization in the event of a security incident. Getting their buy-in and treating them as stakeholders is more effective than the traditional "it's our corporate mandate" approach. Our partners and suppliers require a more targeted security awareness strategy, since they are not directly governed by the corporate policies, standards and controls that apply to employees. Extending training to our supply chain partners benefits those that do not have their own training programs and can significantly reduce the impact of a supply chain disruption on our business. We could engage external support from partners like the Center for Global Enterprise and its DSCI program to baseline effective, global standards for our supply chain partners.
3) Business risk conversation with corporate leadership teams. The audience here is the leaders in our organization who have P&L responsibilities. Senior leadership teams require a less technical, more business-risk-oriented conversation. They understand the consequences of unintended downtime, revenue loss and financial impact. Once convinced, they can be the biggest cheerleaders and help with top-down messaging that highlights the need for security best practices across the organization. Discussions need to address the impact cyber-related risk has on their current business processes and ownership lanes, which in turn makes cyber risk one of their top priorities during business continuity and resiliency conversations. In a global organization, these discussions will further help us align with regional and local compliance standards and thus reduce the financial risk to the organization.
That brings us to the "how often should we message" question. According to an article by FraudWatch, employees are able to retain their cyber training for up to four months. Consistent and continuous security awareness training is reported to reduce the risk of a debilitating cyber attack by 70%. With that much ROI, we need to ensure cyber awareness training is more than an annual compliance checkmark. Training needs to be on a scheduled cadence, with a consistent message. For training to stick and have the expected long-term effect, our messaging needs to contain storytelling, emotion and imagery, and be logical in nature. For global organizations, messaging should contain regionally applicable facts so the audience can relate to and absorb the message. Because our users are focused on their own areas of expertise and are not constantly thinking about the latest phishing and social engineering tactics, we need to consistently message cyber risk at all levels. We need to use all available mediums, such as internal newsletters, websites, word of mouth and display screens, while ensuring that the message invokes a sense of ownership in the audience. Each time we message, it should be simple and consistent, and it should address the impact to the business function the audience is responsible for.
In summary, 85% of cyber security incidents involve a human element. Cyber security awareness could reduce the risk of a cyber attack by 70%. Messaging should be tailored to our employees, services teams, supply chain partners and leadership teams. Without continuous reinforcement, we lose 75% of what we learned within a week. For training to have the intended effect, we should be consistent, reinforcing and engaging. Employees are an integral part of securing our organizations. Let's ensure they have the knowledge and skillset to protect our house.
Interesting, insightful, and relevant points across the board. Thank you for sharing!
MBA | Business Operations | Learning & Development | Project Management | Program & Curriculum Design | Talent Evaluator
2 years ago: Very insightful, Alex! Consistent, reinforcing and engaging training will also allow organizations and individuals to develop better habits over time.
Territory Sales Rep @ Altria
2 years ago: Great write-up, Alex. Thanks for taking the time to do it and share.