What Groundhog Day Can Teach Us About Security Awareness Training
Here in Southwestern Pennsylvania (with Punxsutawney a mere 80 miles up the road from our home town of Pittsburgh), Groundhog Day and its meteorological implications are big news. While many are likely to consider this tradition a bit…unconventional…Groundhog Day folklore was immortalized on film in a movie of the same name. In it, Bill Murray plays a Pittsburgh weatherman who ends up repeating Groundhog Day over and over again while trying to find the key to breaking the cycle.
I am personally a huge fan of Groundhog Day (the movie, not the event), and have been quoting it for years. No doubt many of us in the cybersecurity space can feel like we’re stuck in a never-ending cycle of phishing emails, ransomware attacks, and data breaches. Which made me wonder: Are there things that Groundhog Day can teach us about security awareness training?
But of course there are.
So, I bring you three of my (many) favorite quotes and how they relate to our attempts to break the grip of end-user risk.
“Don’t drive angry.”
At Wombat, we certainly understand the frustrations that information security managers and response teams are feeling on a day-to-day basis. We realize it can be hard not to have an “us vs. the end user” mindset when it comes to things like phishing prevention, password management, physical security, and the like. But if you approach end users like they are strictly a part of the problem and members of the “you can’t fix stupid” club…well, they will continue to be thorns in your side.
Education is not a magical fix for all that ails you — but the same can be said for technical safeguards like spam filters, blacklists, and anti-virus software. But employees who are given a chance to learn new things are bound to surprise you. It’s likely that you are regularly taught new tricks in your profession. The same is possible for your end users.
“Anything different is good.”
Well, OK, maybe not anything. But variety is, as they say, the spice of life. We embrace the concept of variety within our product portfolio because our experience (and the experience of countless other educators) has shown that sharing the same message, the same way, over and over again can lead to an apathetic response.
If your approach is predictable and stagnant, there is a good chance your users are tuning out. Consider shaking things up a bit and thinking outside the box. We’ve developed our methodology based on research-proven Learning Science Principles. As such, we recommend using a variety of security awareness training tools — like simulated phishing attacks, knowledge assessments, posters, and employee communications — and a diverse set of brief, interactive training modules (we offer more than 25) to ensure that end users are being taught core concepts in multiple ways and have the opportunity to process and “digest” the key principles related to cybersecurity hygiene.
So if you’ve been running the same presentation for years…or if you’ve been relying solely on phishing tests…or if the only way you raise awareness is to send email alerts to your users…maybe it’s time to take a different approach.
“Winter, slumbering in the open air, wears on its smiling face a dream...of spring.”
Borrowed from the Samuel Taylor Coleridge poem “Work without Hope,” this quote may seem a bit touchy-feely, but we have found that the most successful security awareness and training programs have a common thread: a belief that their efforts can change behaviors and reduce risk.
Organizations that are taking a thoughtful approach, that are engaging users up and down the org chart, and that are working to build a culture of security are seeing the best results. If you have relegated cybersecurity education to a “check the box” activity, your users are checking the box right along with you. And this can certainly cast a shadow over your efforts.
While it’s true that hope is not a strategy…neither is hopelessness. If you don’t believe in your efforts, you shouldn’t expect them to pay off. How you — and your end users — feel about cybersecurity does matter.
Here’s to finding your spring at the end of a long winter.