Call now for cybersecurity help: 888-646-1616
Holly Sagstetter

To Shame or Not To Shame: Addressing Cybersecurity Training Fails

October 27, 2021

You already know that security training is important. You can have all the technical safeguards implemented, but they can’t protect against every cyberattack. So, the best course of action is to have a robust training program for you and your employees.

We recommend cybersecurity training programs that include the following:

  • Monthly cybersecurity training about topics like ransomware, password habits, phishing, online safety
  • Quarterly phishing simulation campaigns that test your phishing-spotting skills

So let’s say your training program is underway. And you have your first set of training results.

Let’s say you have 12 employees, and the results look something like this:

  • 4 employees had scores of 100% in the monthly training and didn’t click any links in the phishing simulation 
  • 3 employees had scores of 90% in the monthly training and didn’t click any links in the phishing simulation 
  • 3 employees had scores of 100% in the monthly training but clicked the link in the phishing simulation
  • 2 employees had scores of 60% in the monthly training and clicked the link in the phishing simulation

How do you handle Cybersecurity Training results?

First, let’s talk about what NOT to do:

  • DO NOT just send around the results to all users in the organization. Sure, the people who did well might feel good, but the people who performed poorly will not.
  • DO NOT ignore the results. This is your chance to improve morale and future training sessions.
  • DO NOT make a Wall of Shame for those who performed poorly.
  • DO NOT administer any type of discipline (i.e. verbal or written warnings) - some companies do this, and it works for them, but overall we don’t recommend it

So, to sum up, don’t shame people, but don’t ignore the results either.

Ok, so what should you do with cybersecurity training results?

Recognize employees who do well

For employees who do well with the monthly cybersecurity training and phishing simulations - you need to recognize and encourage them.

By far, the most effective way is to make their performance part of the calculation of year-end bonuses and/or raises. This leaves no doubt in people's minds that it's an important priority, but personally and at the company level.

Let them know verbally or via email that they did well with the training and thank them for their efforts. A smallish $20 gift card would be a delightful addition as well! Remember that positive reinforcement is powerful. 

Now for the hard part - addressing the employees who performed poorly.

Address poor performers

Cybersecurity training encourage

Looking at the results above, if someone has high scores in the monthly training, but performed poorly in the phishing simulation, it might be best to have a quick conversation. 

“That last phishing simulation was tough, wasn’t it? What did you think?”

And see what they say. Here’s where it might be helpful to point out any red flags that you noticed in the phishing simulation.

And finally, what about employees who perform poorly in monthly training and phishing simulations?

Take action with your poorest performers

Cybersecurity training take action

There are a few ways you could address your poorest performers:

Make sure that people who perform poorly know that someone very senior in the company is seeing it.

The CEO calling a person to say "hey, what's up with your training results." Is going to be most effective. As you work your way down the seniority line (CXO → Director → Manager), it gets less effective. Having general functions like HR, compliance, or legal do it is better than nothing, but certainly doesn't reinforce the "this is critical to the company."

Some companies bring together people who do poorly for additional cybersecurity training. Rather than being generic training like most monthly videos are, this is more targeted to the people and their job functions. It can be offered as a stick ("you did so poorly you need more training") or a gentler approach ("we're having a group meeting to figure out why some people are struggling to get this wrong."). 

An important consideration is the job function of the people who are doing poorly. A financial advisor on an iPad is less worrying than the CFO on a Windows computer. Larger companies would actually consider changing someone's job duties or access to systems if they keep getting things wrong, but that approach won’t work for every company.

Conclusion

Cybersecurity training is important. But how you address the training can impact how your employees perform in the future. If employees fear getting in trouble, they may get flustered and react poorly by clicking on an actual phishing email link! 

Recognize your top performers and encourage your poor performers. Work with them to improve by starting a conversation and providing additional training if needed. Your employees are your last line of defense when it comes to phishing emails and other cyberattacks. 

If you need help with employee security training, we can help! We work with firms in highly-regulated industries like financial services, healthcare and government contracting. Contact us for more information. 

Leave a Reply

Your email address will not be published. Required fields are marked *

Copyright 2021 Adelia Associates, LLC | All Rights Reserved | Sitemap