Following another year of high-profile, high-cost cyber breaches, it’s clear that employees are often the weakest link in the fight against cybercriminals. While there are some disgruntled employees who take malicious action, most of the time cybercriminals were able to gain access to a company’s systems and networks through innocent mistakes or by targeting certain employees because of their access to sensitive information.
Either way, employee actions can open the door to malware or information theft. And, with the government’s mandatory data breach notification scheme (Notifiable Data Breaches scheme) coming into effect on 22 February 2018, it’s time for businesses to make sure they’re on the winning side of the war against cybercrime.
One of the key issues making it harder for companies to combat cybercrime is a focus on reacting to attacks and on pure compliance-driven approaches. Companies need to put themselves ahead of emerging threats by detecting and preventing them rather than cleaning up after them.
They should move away from a focus on compliance because it doesn’t work. It’s not interesting or personal enough to capture employees’ imaginations, so they don’t internalise the messages about keeping the organisation and its data secure.
Gamification can be an excellent tool in a business’s quest to educate employees to improve security-oriented practices.
Gamification uses gaming mechanics in a non-gaming context, leveraging what’s exciting about games and applying it to less-fun activities. Designed with elements of competition and rewards, gamification programs are suitable for a wide range of education programs in any industry.
There are two ways business leaders can use gamification to address cybersecurity in their organisations:
-
Make training more exciting and fun
For example, global consulting firm, PwC, teaches cybersecurity through its game, Game of Threats. Executives compete against each other in real-world cybersecurity situations, playing as either attackers or defenders.
Attackers choose the tactics, methods and skills of attack, while defenders develop defence strategies, needing to choose to invest in the right technologies and talent to respond to the attack.
The game gives executives an understanding of how to prepare and react to threats, how well prepared the company is, and what their cybersecurity teams face each day.
This kind of process makes training more relatable and engaging, increasing employee awareness of cybersecurity practices, including how to deal with attacks correctly.
-
Offer incentives and rewards
When security isn’t highlighted as a key goal for the organisation, rushed and stressed employees may neglect basic security practices in favour of just getting the job done quickly. To overcome this, the business needs to embed a culture of security.
Gamification is a fast way to condition employees’ reactions. It lets businesses reward employees who follow security procedures and adhere to security guidelines. This encourages them and their colleagues to demonstrate similar behaviour in the future.
Taking this process a step further, the business can publicly reward the employee by displaying their score on a scoreboard that the office can follow. In some organisations, after employees reach certain milestones, they receive material incentives such as a gift voucher.
This process can also help identify employees who aren’t following security guidelines effectively and may need further training and encouragement to embrace the new security-conscious culture.
Recognising and rewarding employees when they do the right thing leads to continued positive behaviour, motivating employees to undertake safe practices and resulting in a more cybersecure working environment.
By ingraining cybersecurity practices within organisational culture, introducing new ways of training, limiting access to only those with authority, and educating employees to practise safe and secure behaviour online, the cyber risk for businesses can be greatly reduced.