Awareness training is key to reducing security risk
By Charles Cooper

Human error continues to confound the best efforts of security executives. No matter how much money gets spent on firewalls, intrusion detection software and other cybersecurity tools, it's all for naught if employees ignore security protocols and click on dodgy email links.

In theory, this ought to be easy to fix. But there are no shortcuts.

Rome Wasn't Built in a Day Either

An edict out of the IT department won't get the job done. Building a security culture takes time and effort.

What's more, cybersecurity awareness training ought to be a regular occurrence, once a quarter at a minimum, so that it becomes an ongoing conversation with employees. One-and-done won't suffice. People have short memories, so repetition is appropriate for a topic this strategic to the organization.

This also needs to be part of a broader top-down effort starting with senior management. Awareness training should be incorporated across the whole organization, not limited to governance, threat detection and incident response plans.

The campaign should involve more than serving up a dry set of rules divorced from the broader business reality. Done right, employees come away with a keen understanding of how their cyber behavior can affect the overall business.

According to the Global Cyber Security Capacity Centre, this hinges on the organization's ability to influence attitudes as well as intentions. Unlike training, where employees are quizzed on their knowledge of instructions, the focus of awareness work should be on changing behavior.

To make this happen, organizations should make clear to everyone on staff that cybersecurity adherence isn't optional any longer.
It's strategic.

The reality is that bad habits linger, so don't assume employees will automatically change their behavior after watching a video or two about cybersecurity. An awareness program must combine a mix of tactics with the goal of fostering a security-conscious environment. It also doesn't hurt to add a few incentives to make sure the message gets through.

Monitor users and compile cyber risk scores based on each employee's understanding of security practices and actual performance. Linking job appraisals to an employee's proficiency in cybersecurity awareness makes mastery of cyber safety a matter of self-interest.

If someone fails their cybersecurity tests repeatedly, both the employee's manager and human resources should be notified. In Riverside, Calif., for example, the city now makes awareness training mandatory. It also locks employees out of the city's network if they fail to take and complete the one- to two-hour course within the designated period. Some organizations also stage simulated phishing attacks to test their employees. Any employee who is duped into clicking a fake email link should be required to take a refresher course.

The curriculum should extend beyond the obvious risks around phishing, authentication and passwords to also build employee understanding of physical security and data loss prevention. It's 2017, and there's simply no forgiving easy-to-guess passwords like "password" or "1234" anymore.

Use imaginative and interactive ways to get employees interested in the topic. Festoon the corridors with posters and tips to drive home the message. Follow up with regular emails.
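As an added example (not code from the original post, AT&T or the city of Riverside), here is how the tracking described above could be implemented: per-employee risk scores built from phishing-simulation results and quarterly quiz scores, with the three policy rules applied as code (anyone duped by a simulated phish takes the refresher, repeated failures are escalated to the manager and HR, and consistent passers are flagged for recognition). The input records are constructed for the example, and the field names, outcome weights, pass mark and escalation threshold are assumptions rather than any vendor's schema.

```python
"""Turn awareness-program results into per-employee risk scores and actions.

Added example, not code from the original post. All records below are
constructed; field names, weights and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample data: one row per simulated phishing email per employee.
# outcome is "reported" (flagged it), "ignored", "clicked", or "submitted"
# (clicked and then entered credentials on the landing page).
PHISH_EVENTS = [
    {"user": "alice", "campaign": "2017-Q1", "outcome": "reported"},
    {"user": "alice", "campaign": "2017-Q2", "outcome": "reported"},
    {"user": "alice", "campaign": "2017-Q3", "outcome": "ignored"},
    {"user": "bob",   "campaign": "2017-Q1", "outcome": "clicked"},
    {"user": "bob",   "campaign": "2017-Q2", "outcome": "submitted"},
    {"user": "bob",   "campaign": "2017-Q3", "outcome": "clicked"},
    {"user": "carol", "campaign": "2017-Q1", "outcome": "ignored"},
    {"user": "carol", "campaign": "2017-Q2", "outcome": "clicked"},
    {"user": "carol", "campaign": "2017-Q3", "outcome": "reported"},
    {"user": "dave",  "campaign": "2017-Q3", "outcome": "ignored"},  # new hire, one campaign so far
]

# Constructed quiz scores (0-100) from the quarterly awareness course.
QUIZ_SCORES = {
    "alice": [90, 95, 88],
    "bob":   [55, 40, 50],
    "carol": [70, 65, 92],
    "dave":  [80],
}

PASS_MARK = 70                 # assumed quiz pass threshold
ESCALATE_AFTER = 3             # assumed: this many failed tests notifies manager and HR
MIN_CAMPAIGNS_FOR_REWARD = 2   # assumed: never reward on a single data point
FAIL_OUTCOMES = {"clicked", "submitted"}
# Assumed weight per simulated-phish outcome; worse behaviour costs more points.
OUTCOME_WEIGHT = {"reported": 0, "ignored": 1, "clicked": 5, "submitted": 8}


@dataclass
class Profile:
    phish: list = field(default_factory=list)    # outcomes in campaign order
    quizzes: list = field(default_factory=list)  # quiz scores in order taken


def build_profiles(events, quiz_scores):
    """Group raw events and quiz scores into one Profile per employee."""
    profiles = defaultdict(Profile)
    for ev in sorted(events, key=lambda e: e["campaign"]):
        profiles[ev["user"]].phish.append(ev["outcome"])
    for user, scores in quiz_scores.items():
        profiles[user].quizzes.extend(scores)
    return dict(profiles)


def risk_score(profile):
    """0 is best. Weighted phish outcomes plus 3 points per failed quiz, divided by
    the number of observations so a new hire is not penalised for sample size."""
    phish_points = sum(OUTCOME_WEIGHT[o] for o in profile.phish)
    quiz_points = sum(3 for s in profile.quizzes if s < PASS_MARK)
    n = len(profile.phish) + len(profile.quizzes)
    return round((phish_points + quiz_points) / n, 2) if n else 0.0


def failures(profile):
    """Failed tests of either kind: duped by a simulated phish, or quiz below the pass mark."""
    return (sum(1 for o in profile.phish if o in FAIL_OUTCOMES)
            + sum(1 for s in profile.quizzes if s < PASS_MARK))


def needs_refresher(profiles):
    """Anyone duped by a simulated phish in the period is sent to the refresher course."""
    return sorted(u for u, p in profiles.items() if any(o in FAIL_OUTCOMES for o in p.phish))


def needs_escalation(profiles, threshold=ESCALATE_AFTER):
    """Repeated failures: the employee's manager and HR are notified."""
    return sorted(u for u, p in profiles.items() if failures(p) >= threshold)


def reward_candidates(profiles, min_campaigns=MIN_CAMPAIGNS_FOR_REWARD):
    """Passed every simulated phish across enough campaigns for it to mean something."""
    return sorted(u for u, p in profiles.items()
                  if len(p.phish) >= min_campaigns
                  and not any(o in FAIL_OUTCOMES for o in p.phish))


def program_report(events=PHISH_EVENTS, quiz_scores=QUIZ_SCORES):
    """Everything an awareness lead needs for the quarter, in one structure."""
    profiles = build_profiles(events, quiz_scores)
    return {
        "risk_scores": {u: risk_score(p) for u, p in profiles.items()},
        "refresher": needs_refresher(profiles),
        "escalate": needs_escalation(profiles),
        "reward": reward_candidates(profiles),
    }


if __name__ == "__main__":
    rep = program_report()
    for user, score in sorted(rep["risk_scores"].items(), key=lambda kv: -kv[1]):
        print(f"{user:6s} risk={score}")
    print("refresher:", rep["refresher"])
    print("escalate :", rep["escalate"])
    print("reward   :", rep["reward"])
```

On the constructed data this sends bob and carol to the refresher, escalates only bob (six failures; carol's two fall under the assumed threshold of three), and flags alice for recognition while leaving dave out until more than one campaign has been observed. The per-observation normalisation matters in practice: a raw point total would make long-tenured staff look riskier than new hires simply because they have been tested more often.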
Offer rewards or acknowledgments to employees who consistently pass mock phishing tests or spot real attempts.

With cybercriminals doubling down on their skills, it's never been more important to get employees to understand the fundamental risks that cyberattacks pose to their organizations. Any progress organizations make on this front will pay major dividends.

Charles Cooper has covered technology and business for the past three decades. All opinions expressed are his own. AT&T has sponsored this blog post.

Stay tuned for the new Cybersecurity Insights Report Vol. 6, Mind the Gap: Cybersecurity's Big Disconnect, available on October 30, 2017. Meanwhile, catch up on past reports, vol. 1-5, to learn what you can do to help strengthen your defenses across your business.