People are the best defence when it comes to cybersecurity – but they can also be the biggest threats too. Mark Stevens, Senior Vice President of Global Services at Digital Guardian, looks at a new strategy companies can use to ensure their employees engage with prevention policies.
Currently companies spend almost US$100bn on cybersecurity, with the bulk going on technology infrastructure to defend against external threats. Unfortunately, the biggest security vulnerabilities are hiding in plain sight. Even with today’s technological advancements and automation on the rise, the core of any company is its people, and unfortunately, they present one of the biggest threats to an organisation’s security posture.
What’s the answer? Stealing a phrase from a well-known speech from the then Prime Minister-in-waiting, Tony Blair, it’s ‘education, education, education’. In the case of the enterprise this manifests itself as training or L&D (learning and development).
This in itself presents a challenge. Classroom-based training can be viewed as monotonous, boring and ineffective. In other words, learn once and instantly forget the moment the course is over. While there’s no doubt that classroom-based training does have a place within the corporate learning environment, when it comes to addressing today’s persistent and high-risk cybersecurity risks there are alternative learning options worth considering.
Remember those times you were hooked on Candy Crush, got aching thumbs from playing Mario Kart too long or simply had fun stacking Tetris blocks. The sense of accomplishment, competition and rewards makes gaming fun. And this idea is now becoming widely adopted in L&D departments around the world.
Gamification is the process of applying gaming designs and concepts to learning or training scenarios in order to make them more engaging and entertaining for the learner. In game-based learning events, learners compete directly against one or more individuals or participate individually in an interactive experience that rewards learning performance in some way. Today, car insurance companies use gamification to stop speeding. Big brands offer customer rewards to increase sales. Even health services use gamification to encourage healthy eating.
Gamification features, such as levels, leader boards and experience points (XP), add extra layers of fun into the training. Other examples of gamification in action include prompts or popups that inform users they may be about to violate a company security policy, as well as a digital point-and-reward system to incentivise good data security behaviour. All these tools let learners track their progress, collect rewards and compete with colleagues.
By turning cybersecurity into a game, and integrating this game into the working day, employees should become more engaged and security-conscious. In turn, this should reduce the likelihood of a breach caused by human error.
If you’re still yet to be convinced, here are three key reasons to give gamification a try:
- It shines a light on the importance of data protection
Workers are time-poor and as they go about their day-to-day duties, data protection and security are unlikely to be front of mind. With gamification in play a user would receive an on-screen prompt if they were about to break a data-security policy. Furthermore, if combined with the right DLP (data loss prevention) software, it would prevent them from actually doing so. The real benefit of this approach is that teaches employees how to handle data correctly ‘on the job’.
- It rewards good behaviour
Gamification incentivises and rewards employees through badges, leaderboards and even physical gift cards. For example, users could receive e-badges upon sending their first, tenth and hundredth email without triggering a data security alert. This reinforces continued positive behaviour.
Once an employee has built up a digital badge collection, rewards such as gift cards or company perks can be given. By rewarding good behaviour instead of punishing bad behaviour, employees will become more motivated to continue abiding by security rules, even when they’re focused on other critical targets and goals.
Employees should be encouraged to print and display their badges in their workspaces, and managers should also be encouraged to recognise good behaviour by publishing monthly leader boards. These steps will motivate employees to take part in the programme, because they know they will be recognised for their achievements.
- It’s easily measurable
Of course, as with any investment, executives will want to see a tangible ROI on the gamification. It is, therefore, essential, that IT teams measure the effectiveness of gamification in reducing real data risk. IT teams should conduct regular audits and cybersecurity assessments within the organisation, to determine which employees would still pose a risk outside of the gaming environment.
In conclusion
In today’s fast-paced world where the risk of falling victim to the worst that cybercriminals can do is a probability, gamification can be a fun way to reinforce the importance of being cyberaware. Not only does it positively reinforcing positive cybersecurity habits it reduces training time by encouraging employees to learn as they go, developing good behaviour in practice. Most important of all, it could mean the difference between your organisation being a victim of an attack or dodging a cyberbullet.
Click below to share this article
