By Heather Stratford, Founder, Drip7
The risks of running a small business have never been greater. During the unprecedented COVID-19 pandemic, we have seen many businesses close due to changes in customer needs, government mandates, and new regulations. One risk that was present before COVID-19 and has only gotten worse is the risk of a cyberattack.
Cybersecurity is not a new risk for businesses. In 2019, the FBI’s Internet Crime Complaint Center reported the highest number of complaints and the highest dollar loss since its establishment, “…an average of 1,300 breaches daily.”(1) This past year has increased the risk to organizations for three reasons. First, sending many employees home to work from their home office, kitchen table, or living room has changed the perimeter a company has to secure. Second, the trend of shifting data to the Cloud has increased and introduced new attack areas for criminals to infiltrate networks. Third, the number of younger employees in the workforce is growing. Data released by the Census Bureau in 2020 revealed that Millennials and younger generations compose more than 50% of the US population.(2) There are now more Millennials working than Baby Boomers. And although the new workforce is more technologically savvy, they are less concerned about following company protocols and privacy, not because they don’t want privacy, but often because they feel their privacy is already gone.
Cyberattacks can bring a company to the brink of closure because an attack can halt all business. They can shut down payment processing or block access to any business information. Ransomware attacks are also on the rise, and they give small businesses a very tough decision: do we pay the ransom or not? Larger companies generally have more insurance, reserves, and ways to liquidate assets or funds to recover from losses and shutdowns. Small businesses have fewer resources and less ability to rebound.
Businesses of all sizes are fighting to keep their doors open and struggling to handle new security protocols. The standard definition of a small business is a company with fewer than 500 employees or under $7 million in revenue. Most of the businesses in the US fall into the small business category. What makes small businesses more vulnerable to cybersecurity attacks, in addition to the three points above, is that they often do not have a dedicated cybersecurity team, or their IT staff is generally small and lacking in training. Smaller companies are known to skimp on training employees, believing they can wait until they are larger before implementing more complete training protocols. This is a huge mistake that may be lethal to a small business.
Phishing is still the number one attack channel criminals use to get into a business of any size. Malware can enter a company through a single computer. A report by IBM found that the average time to detect and contain a data breach is 280 days.(3) Once inside, the attacker often waits, studying the structure, design, and systems to better understand how to take advantage of the unique company and its assets. According to the 2020 IBM Data Breach report, “data breaches originating from cyberattacks were responsible for nearly $4.77 million in lost revenue.”(4) When you realize that just a single computer can be the entry point for an attack, the idea of training all employees proficiently becomes more important. If an employee is valuable enough to perform work within the company and contribute to the bottom line, then they are valuable enough to train.
Cybersecurity training has traditionally been seen as a compliance requirement, delivered in person or through online training modules pushed to employees once per year. Behavioral science has known for more than 100 years that training done once is not effective for our complex brains, which need reinforcement to remember content. Learning occurs with repetition. Complex learning occurs through an understanding of foundational information that can be built upon. Math is a perfect example of how our brain functions. Most third graders in the US spend the whole year memorizing multiplication facts. Repetition over time commits these facts to memory, where they can be recalled in future math problems and used in more advanced and complex ways.
Because frequent training would be difficult if the training were time-consuming, the idea of microlearning has become popular. Just like multiplication facts, small pieces of information are easier to recall. Taking information and cutting it into smaller, bite-sized pieces that can be learned over time is how to create lasting knowledge for employees. As scientists discovered years ago, 70 percent of new information is lost within 24 hours of learning unless an effort is made to retain it.(5) Telling an employee once during onboarding is not sufficient to give the employee the context, depth of insight, and top-of-mind awareness that is needed. The key to successful training is short, spaced, and repeated bursts of information.
Training advanced further when the idea of gamification was incorporated. Training is seen as work. It’s a “must do,” not a “want to do.” By gamifying training, employers are looking to encourage employees to take a more positive approach to training. Finances Online provides research supporting this implementation, reporting that employers have seen a 50 percent increase in employee productivity due to the transition into gamified training.(6) Gamification is the idea of adding interaction with other co-workers, individual training, and rewards. It brings a bit of fun and levity to a world of negativity and demands. Gamification is also a way to enhance the normal routine and re-engage employees in an area that is critical and growing to epidemic stages.
Elements included in gamified training focus on rewards and give employees choices about how to complete certain required tasks. Games are normally played with other people. Traditional training was once held in person, in a room with peers. Now it is often done in isolation at a person’s desk, as an individual PowerPoint-like journey through definitions and clicks of the mouse, with no interaction and no assessment shared with or seen by others. Games create an environment of competition and a focus on getting ahead and succeeding. Gamified training joins these elements to bring more engagement and competition into the process.
Behavior change is a key topic for security teams. Gamification helps engage and bring clarity to the reasons “why” we do something, not just the “rule” of what we do. Employees who understand why they are asked to have a 10-digit password rather than a six-digit password are more likely to comply. Gamification helps repeat and emphasize the information in ways that help explain the “why.” Understanding the why creates more compliance and encourages the desired behavior.
A critical look at cybersecurity training asks what to do with people who ignore the basic elements being taught in the training. This question is really at the core of what every cybersecurity team is trying to do with employee training. The answer is complex but contains three main areas. One, when employees better understand why something is important, they are more likely to care about it. Two, most employees who disregard security policies do so because of a lack of time and because they don’t think anyone will notice. If the culture of the company is focused on high security standards, they will start to feel internal pressure that this is something they are being measured on. Employees respond to that which is measured. And three, repetition is key. Telling someone once and expecting them to remember it is important 9 months later is a failure of the system, not the individual employee. Repetition is key to behavior change.
The world has been affected by the COVID-19 pandemic in many ways, and cybersecurity is one specific area. Cyberattacks are at a record high, and the constant question from security teams is how they can train employees better. Adding more gamification and repetition to the training is shown to be more effective in changing cyber behavior.
1. 2019 Internet Crime Report Released – FBI
2. More than 50% of the US population is now under the age of 40 – CNN
3. What Is The Average Time To Detect Data Breaches And How To Reduce It? – LIFARS, Your Cyber Resiliency Partner
4. IBM Data Breach Report: Compromised Credentials Prove Costly – SDxCentral
5. Learning Retention: 8 Proven Methods & Strategies to Recall Knowledge – talentlms.com
6. 54 Gamification Statistics You Must Know: 2020/2021 Market Share Analysis & Data – Financesonline.com
Heather Stratford is the Founder of Drip7 and a thought leader in the IT Training and Cybersecurity field. Heather keynotes at conferences, universities, and for enterprise clients. She writes on cybersecurity and has been featured by and has written for such global organizations as the 2018 G7 Summit held in Canada. Heather regularly speaks about Cybersecurity, Women in Technology, Women and Diversity in Cybersecurity, creating a Cybersecurity Culture, Entrepreneurship, Privacy, and shifting regulations and how to manage cybersecurity risks.
Drip7 is the brainchild of cybersecurity expert Heather Stratford as a result of a client wanting to fix a specific problem: empowering the weakest link—the human—to use better cybersecurity. With its first few clients (a large educational institution, hospital system, and government agency), Drip7 is proving its usefulness in changing the old system of training and information retention in any workforce. Stratford explains it as, “Drip7 is a micro-learning platform that is re-inventing the way organizations train their employees and build lasting cultural change within them, especially in today’s age of remote workforces.” https://drip7.com/