Flat-pack furniture. These words can either spark excitement or rage depending on who is reading this, and their level of flat-pack experience. Flat-pack purchases are cheaper and quicker than their fully-constructed counterparts, enabling anyone with a screwdriver and a drill a means of mastering basic carpentry in an afternoon. However, as we all know, success in assembly is almost entirely down to the quality of the instructions included. What many novices find is that, once the flat-pack contents are spread out across the living room floor and the instruction book has been read 30+ times, enthusiasm turns to despair. They then resort to either pushing the unassembled flat-pack to a corner of the room where it is ignored for a few days (or weeks), or they try to call a friend/family member/paid professional to come and help. Does this sound familiar?

Cyber security may provoke a similar reaction in many employees. Without a clear set of guidance, easily interpretable instructions, and processes that support workers’ day jobs rather than frustrating them, cyber security requirements can seem as impenetrable as a flat-pack manual in twenty different languages. Like modern house furnishing, you get out of cyber security training what you put into it; flatpack furniture is like generic computer-based training courses but calling in a professional can help you get something bespoke and intrinsically more valuable. Good cyber security trainers know that cyber security is something that needs to be constructed and maintained by all users in an organisation, regardless of technical expertise or the department you work in.

Last month, Tessian Research released a report about how security cultures impact employee behaviour. In the report, they highlight the importance of security culture, and how to engage employees and make them care about the security of their company or organisation. The report points to many reasons why improved security culture in the workplace will lead to overall strengthened security and how this can be done. Taking the same approach as flat-pack furniture and building from the Tessian Research report, cyber security professionals need to find a clearer and more simplistic way to engage and upskill colleagues.

So, how do you turn cyber novices into the equivalent of flat-pack construction gurus? Here is our flat-pack manual 4-step approach to how you can begin to change the security culture of your organisation.

1. The right tool for the job

Cyber security must involve all the departments in your organisation. There is a statistic that states that while 85% of attacks involve the end user, only 3% of the security budget is spent on education and training. Do you have a dedicated security team or person? If you do, we are assuming that they also have an allocated budget. While technical tooling is important, more intentional spending needs to be done across the whole company. If only 3% of the budget is being spent on the area that poses the most risk, this needs to be reviewed. Our approach is to engage internal communications and marketing teams to help communicate the importance of cyber security with users. Using the communications channels, skills and resources of these teams means it is easier and more effective to get everyone in your organisation is on the same page with regards to security.

2. Break-it-down

Avoid using too much cyber-security jargon. One issue when working across departments and specialisations is that the language changes. As cyber security professionals we understand what a vulnerability is, what a threat actor is and what an SQL injection is, most other business professionals do not, just as we may not understand what NPS (Net Promoter Scores), EBITDA (Earnings Before Interest, Taxes and Depreciations) and BARS (Behaviourally Anchored Ratings Scale) mean. Therefore, security jargon needs to be broken down into terms that everyone can understand. Just like the most successful flat-pack manuals, the importance of security and how to maintain it needs to be expressed through language that everyone across a whole organisation can understand.

3. Measure twice, cut once

Define and measure, as well as communicate risk. Remember that your employees are starting from scratch. They did not choose to study cyber security, and the topic may very well bore them: 36% of employees in the UK and US say that security awareness training is boring (Tessian Research, 2022). Therefore, it is imperative that you give them an understandable step-by-step guide to the risks associated with poor security. Think ‘Cyber-Security for Dummies’. A clear definition of risk will allow them to understand the importance. A tried and tested measuring system will allow them to manage it on their own. And clear communication means they will know what to do and who to alert once they identify risks.

4. Try a different way

Re-consider your training approaches. Rather than always going to Computer Based Training (CBT) or generic e-Learning packages, find training that can be and is tailor-made to your organisation and its needs. Although generic packages and training courses that are computer-based are accessible, they do not allow for the nuanced interaction that can be achieved through bespoke or in-person training. Instead of ‘compliance’ based training, aim for culture change training and measure the effectiveness of your training regularly.

Principle Defence offer a wide range of security awareness training tailored to your organisation and the individual departments within it. Through this, your staff will be able to interact with us to find different ways to help them better understand cyber security and its importance.

If you would like more information on the Security Awareness Training that Principle Defence offers, please contact our principal consultant, Jim Wright jim@principledefence.com, to discuss how we can help improve the security culture in your workplace.