The executive cybersecurity training blues

Rather than letting complacency take its toll on an organization’s bottom line, learning leaders must make it a priority to help business executives understand the value of cybersecurity training. To maximize efficacy, cybersecurity training must be relevant, just in time and personalized.

If the past few months taught us anything, it’s that cybersecurity training is critical for all employees. This is especially true for hackers’ top targets, the C-suite and board members, who are 12 times more likely to fall victim to a cyberattack.

It’s easy to see why these high-ranking executives are such prime targets. As leaders of the company, they are most likely to have the high-level privileges required to access the types of valuable corporate systems that cybercriminals seek. In what is described as a whaling attack, cybercriminals intentionally target high-profile employees because they have access to sensitive information and can authorize high-value wire transfers that promise big payouts.

Unfortunately, if you ask most executives, chances are they’ll tell you they feel mostly immune to these threats. With 40 percent of companies reporting that C-level employees represent their highest cybersecurity risk, there’s a clear disconnect between the actual and perceived threat targeting those at the top of an organization.

With hackers stealing billions of dollars from companies every year, complacency is not an option. When speaking with executives, some of the most common pain points they share about current training practices are that security training is too long and irrelevant. As hyper-busy people who are used to filtering out information, it’s difficult to capture executives’ attention when they perceive that the information they’re receiving does not pertain to them. The fact is it’s time for learning leaders to rethink the way they approach cybersecurity awareness training for these highly sought-after targets.

When thinking about how to deliver effective cybersecurity training to business leaders, it’s important to keep the following best practices in mind.

Train with empathy

Effective training requires empathy. This is particularly true for the C-suite, a group of ultra-busy executives who answer dozens of emails a day and have hundreds of employees reporting to them. While many companies deliver security training via two to four sessions annually as a company-wide initiative, traditional training seminars aren’t likely to work for executives.

Instead, learning professionals need to implement flexible training programs that fit into executives’ busy schedules. Microlearning can be a good way to accomplish this. Many studies have found that learners learn best and are more likely to recall lessons when they can process information in manageable chunks. Designing training that is delivered in small, highly focused units (for example, a quick one-pager or two-minute video) is more attractive for executives dealing with the time-sensitive pressures of running a business and will encourage them to engage with the training far more effectively than a half-day seminar.

Customization creates engagement

Filtering is a trait that all executives engage in. The concept is simple: Anything (email, documents, etc.) that is not deemed relevant to executives’ priorities won’t receive their attention. The lack of engagement is yet another reason traditional training seminars don’t work, and why many executives tune out valuable information that could help their company avoid a multimillion-dollar data breach.

Learning professionals must customize their security training program to ensure buy-in and engagement with the important educational content. This will improve retention and the likelihood that executives will apply the knowledge they learn. The most effective security training programs operate like a cybersecurity GPS. The directives provided should be personalized based on the executive’s historical behaviors or the actions unique to that executive, with the ultimate goal being to keep them on the right path and prevent them from engaging in risky behaviors that could put sensitive information in danger. Furthermore, the content and delivery of training need to evolve as the executive’s aptitude with a specific threat progresses.

Think of it like this: You might need directions to your office on the first day of work, but, over time, you master the route and no longer need that step-by-step guidance. Instead, you turn on the GPS when heavy traffic or construction blocks the usual road you take. In a similar vein, learning leaders need to deliver training that is customized to the individual needs of a particular executive and that evolves as their propensity for engaging in particular behaviors changes.

Time is money

It’s not possible to ask the C-suite to participate in an 8-hour seminar to learn about cyberattacks that may or may not be applicable to them. Furthermore, studies have shown that knowledge retention rates drop by more than 50 percent when training is more than two minutes long. As learning leaders, we have a lot of control over not only what is included in training content, but also when it is delivered. Microlearning is a hugely successful training technique for this group as they can look through training content during quiet times, such as Friday afternoons or even on Sundays with coffee.

Furthermore, psychological studies have proven that humans learn and respond best to in-the-moment reminders about behaving securely. Breaking training into digestible bites and then sharing information about how to deal with a specific threat as it naturally occurs in the exact moment of risk — for example, when an executive receives an urgent request to pay a vendor invoice — is a much better way to help this group understand the relevance of the information they’re absorbing and the potential consequences of their actions should they not comply.

As the old saying goes, with great power comes great responsibility. In today’s world, that power also comes with a bigger target painted on your back. Cybercriminals target executives and board members because of their valuable access to corporate systems and sensitive data — and they continue to target them for the simple reason that they are vulnerable. While executives may be a higher-value target, there’s no reason why they should be more vulnerable than any other member of their team.

Rather than letting complacency take its toll on an organization’s bottom line, learning leaders must make it a priority to help business executives understand the value of security training. To maximize efficacy, cybersecurity training must be relevant, just in time and personalized.