Your people are not computers – you can’t program them to avoid 100% of phishing attacks any more than you can program them to eat healthy 100% of the time. That’s the bad news. And it’s not really news to you, is it?
But I’ve also got some good news: people can change their behavior. And when that change is brought about effectively, it can be even more effective than any programming.
To expand on what I wrote about earlier, I’m interested in the ways to change people’s behavior (I’m sure I’m not the first to want such answers).
It all starts with motivation – the drive to engage in a behavior – whether that behavior is thinking before opening an email or the refrigerator. So for our field, how specifically do you motivate your employees to change their behavior around phishing?
Here are five powerful strategies that are important in making that happen:

1. Embrace the power of failure.

NOTHING changes behavior like failure. It’s how we’re programmed. When you find out you’ve failed at something, you want to know why so you don’t fail again. It’s the “golden moment” – when you’re most receptive to instruction and to changing your behavior. And get this: you can give people opportunities to fail and learn without those failures affecting your business. Kinda perfect, right?

2. Embrace brevity.

Whether in person or on screen, you’re facing an audience with an incredibly short and fractured attention span. You have a handful of seconds to get a reader’s attention; mere minutes before they start tuning out. Advertisers understand this. It’s why commercial spots are now 5–15 seconds long. Even sitting through a 30-second ad is too much to ask! So think more Super Bowl commercial than training course – keep your training videos short and engaging.

3. Treat your employees like adults.

Yes, it’s hard, but worth it. So avoid the temptation to gear training to the absolute lowest common denominator: don’t use overly cute, scary or shaming tactics. Steer clear of jargon, shoot straight and treat your employees like colleagues. If your training demonstrates that you respect your employees’ intelligence, you’re more likely to earn their attention and respect.

4. Be ready to take corrective action.

Remember: for any type of behavior modification to work, consequences must follow actions – the sooner, the better. Ask yourself: how do you want to handle initial and repeat offenders? How will you make penalties proportional to the risk they present? Don’t wait until you have repeat offenders to figure it out. Work beforehand to establish consequences for employees who do not respond appropriately to the training.

5. Pick your battles.

Part of treating your employees like adults is remembering that, like you, they have day jobs, personal lives, and long to-do lists, so there’s a limit to how much mindshare can be focused on security (and don’t forget the short attention spans I mentioned in #2). Instead of trying to cover all areas of security (boiling the ocean), focus on changing behaviors in the highest areas of risk, like phishing. And because even phishing is now a wide-ranging area, I suggest using a laser focus – not a scattershot approach – to target your training efforts on the specific types of attacks that affect your employees. How can you miss with that?
Want to learn more about how to choose a training program that motivates your employees to change their behavior, and enhances your security posture in the process? Download our Security Awareness Training Buyer's Guide.