If employers were not paying attention to cybersecurity training before 2021, the past year has given them plenty of reasons to consider it.
Ransomware became common parlance as organization after organization suffered extensive data leaks. Perhaps the most notable such event occurred on the U.S. east coast, when a ransomware attack — believed by investigators to have been perpetrated by hacking group DarkSide — disrupted the operations of the Colonial Pipeline oil distribution system.
The main vector of the Colonial hack was one compromised username and password combination for an account that had not been in use at the time of the attack, but that nonetheless allowed hackers to gain access to the pipeline's computer network.
The account did not use multifactor authentication, a basic cybersecurity protocol, said Joseph Blount, the Colonial Pipeline president and CEO, while testifying before a Senate committee.
Cybercrime's repercussions may be frightening, but one school of thought posits that fear is not the most effective way to educate employees about prevention, according to executives at training software company Hook Security. In an interview with HR Dive, Hook Security co-founders Adam Anderson and Zach Eikenberry, the company's CEO, said the training market for cyber was following "a very dangerous path."
"We have found that a lot of the stuff that's out there is following old education and old patterns," Anderson said, "and what ends up happening is that we tend to try to scare people into compliance. We use shame, over-education, over-explaining, talking head videos and PowerPoints. Basically, we make it a very painful, unpleasant process to actually get the necessary training."
In the past, some employer clients of Hook Security dealt strict punishments to those who failed key training moments. One customer took to cutting bonuses and used a "three-strike, you're out rule," Anderson said, reflective of an approach that scared employees into compliance.
"What that does is it floods cortisol," Anderson said. "It's a fight-or-flight type of environment nonstop. You know what I love about marketers? It's how great they can market. I don't want them to be obsessed about cybersecurity, because that's not the thing I need."
In order to create a secure environment, employers must first create an environment in which workers feel psychologically safe, said Eikenberry.
For example, if an employee were to be on the receiving end of a phishing attempt in the form of an email, a psychologically safe environment would encourage the employee to take time to recalibrate and question the email's veracity, according to Eikenberry. Compare that to a workplace in which workers are discouraged from raising concerns about such incidents because they do not feel managers or supervisors want to be bothered.
"When you're in an environment like that, you foster all sorts of toxic behaviors that put the organization at risk, regardless of whether somebody clicks on a malicious link or not," Eikenberry said.
A different approach
Asked how employers might be able to counteract the fight-or-flight instinct that can accompany stressful security-sensitive moments, Anderson offered up a statement that may seem counterintuitive.
"The thing we say is that security is too important to be taken seriously," he said.
Humor can bring employees out of a fearful state, so it can be useful in the cybersecurity context, Anderson said. That finding drives Hook Security's work, and one may see that approach reflected in the company's social media messaging.
The company is not the first to take a more lighthearted approach to workplace software; others have taken a similar view of topics such as employee benefits enrollment.
It is not the fact that employers put employees through phishing simulations that leads to poor results, according to Eikenberry. Rather, it is what employers do with those simulations that can negatively affect culture in the long term.
"They might win the short game, as in scare everybody into low productivity with their email so they never answer any emails," he said. "But when the business demands of the organization increase [and employers say] no, you've got to answer your emails, you're caught in between two states that keep employees very much off-balance."
Moreover, training that speaks down to employees and is disrespectful of them also can be hurtful, Eikenberry said. "These are toxic behaviors that are ultimately not psychologically safe, nor do they provide psychological security."
That philosophy extends to the company's solutions as well. When employees fall for a phishing simulation, they might see a short skit Hook Security made in the style of Saturday Night Live with a quick punch line.
"We're not trying to make Karen in accounting a security expert," Eikenberry said. "We want her to be good at accounting. What we're trying to do is get her to pay attention to her emails. We're going to focus on one or two things that she can actually take action on."
How HR can impact cybersecurity
HR teams are in a prime position to improve organizational cybersecurity, according to Anderson.
"They own all of the information on what drives employees," he said. "They have all of the data, they have the most significant interactions maybe outside of their direct managers."
The results gleaned from cybersecurity training can benefit HR managers in their efforts to connect with leadership. Using training reports, Anderson said, HR can point to the exact experiences employees have had, how employees feel about security at the organization and the effect training has had on risk reduction.
But HR practitioners also have access to something security officers may not: the ability to speak directly with the C-suite about the problems its members can create through the examples they set.
"Even if the HR person doesn't want to hang out with the cyber person, the cyber folks need HR in order to approach the C-suite, the board, the VPs, in order to educate them on how they can lead by example," Anderson said.
That can be an especially important point because of the frequency with which cyberthreats target upper-level management.
"Do you know who exempts themselves, in our experience, from training because they're too busy and don't like being tricked? The C-suite leadership," Eikenberry said. "The people actually paying for it exempt themselves."
HR, he said, has the ability to advocate on behalf of the organization's culture and stress to leaders the importance of setting the cultural tone.
"You know you're in a healthy organization that's approaching psychological safety if everybody in the organization joins the training with equal seriousness, and there's parity to the training and nobody penalizes themselves unnecessarily," Eikenberry said.
Another essential culture task may be breaking down barriers between managers and teams that can snowball into larger risks over time. That does not mean the HR team needs to resolve all differences overnight, however.
"The trick is to do something now that has an impact, start the transformation and build off of small wins that will result in these changes," Anderson said.