Human psychology is becoming a more and more central focus across industries. There are podcasts and reports dedicated to “brain hacking,” books on training the mind, diets and supplements promising improved brain function, and apps for everything from meditation to getting more REM sleep to habit-stacking – the list goes on and on. We are constantly striving for improvement, looking to increase productivity and better our lives through psychology. When it comes to cybersecurity, we can do the same.
Most companies take a punitive approach to cybersecurity training, hoping to fight human nature with scare tactics, punishments, and threats. Many rely on the same-old, same-old security training programs, delivered by Partners and End-Users who aren’t specialists and can’t deliver security training effectively. Unfortunately, most of their top choices for security training are proven ineffective: over 3 years, employers spend $9 billion on cybersecurity training, yet still have $6 trillion stolen. It’s time to take a more psychological approach.
More Than Just a Firewall
Though security can be achieved through many avenues, human nature will always be a risk. You can add hardware and software or even hire an MSSP to stop infrastructural attacks, closing up the technological gaps in your security posture and working to prevent bad actors from making their way in, but psychological attacks are just as dangerous, and hackers know how to exploit human behavior.
It’s time to fight the psychological tactics of bad actors, utilizing what we know about human behavior to reduce liability and risk. We’ve got three tips to share that will help you enhance your cybersecurity with some mastery of the mind.
3 Ways to Keep Employees Safe with Psychological Training
#1. Focus on the positive
Studies show that positive reinforcement, the addition of a positive stimulus for good behavior, is more effective than punishment or negative reinforcement. In fact, the University of Central Florida calls positive reinforcement “The most effective way to teach a person or animal a new behavior.”
In the workplace, we see positive reinforcement play out in a variety of ways for different departments and circumstances: employee reward programs, gamification, performance-related rewards like trips or retreats, and even something as simple as a sincere “great job!” Negative reinforcement includes nagging and scolding, threatening consequences like write-ups, or purposefully scaring employees into following the rules (like telling them that if they don’t change their passwords, their bank account could get hacked and they’ll lose all of their money).
As it relates to cybersecurity, consider rewarding or simply recognizing employees who follow cybersecurity rules. For example, offer free donuts to those who change their password each quarter, publish newsletters about cybersecurity hygiene that focus on the positive results of these behaviors (a stronger company, less individual and collective risk), run a friendly competition to check off the most cybersecurity hygiene practices, or provide other small but worthwhile incentives.
And don’t go with scare tactics: panic doesn’t particularly strengthen an organization, even when it pertains to important cybersecurity hygiene practices.
#2. Educate on common tactics
They say “what you don’t know won’t hurt you,” but when it comes to cybersecurity, the opposite is true. While negative reinforcement and scare tactics aren’t effective management tools, education certainly is. Some staff members may think that they’re too smart to get scammed or hacked, but that underestimates the sophisticated tools, methods, and knowledge that bad actors possess, and nobody wants to admit that they could fall for a scam.
Hackers often exploit both the ego and the good nature of people to gain access to systems via social engineering. They know how the mind works, and use both fear and common sense to breach the perimeter. For example, if you saw a thumb drive in the parking lot labeled with a company logo, you may think to plug it in, determine the owner, and return it.
Though it seems like common sense, this Good Samaritan effort can infect company devices with malware and viruses in an instant, and someone without a strong understanding of cybersecurity threats may not even consider that this is a tactic used by hackers. Some bad actors will ensure that the hardware is particularly tempting, with labeling that promises information on salaries, raises, personal information, and more. These bad actors know that curiosity is a powerful motivator, even when we know better than to do something risky.
Battle back by teaching employees to think like a cybersecurity professional, instilling habits like:
- Never plug in found hardware, even if it’s official looking.
- Don’t trust notifications or emails that cause panic, like “you’ve been hacked” or “fraud alert” messages. Report them rather than following their prompts.
- Always verify with a third party if a message seems suspicious, and report any fishy messages to IT.
- Never give out personal information or passwords via email, chat, or other apps, even if it is to a coworker.
- Do not write down or share passwords.
Educating your workforce is an important part of maintaining your security posture and avoiding the exploitation of human behavior that bad actors are known for. Keep your employees smart and savvy about all of the potential traps set by bad actors, and how to avoid them.
#3. Put your security to the test
So, how do you know if positive reinforcement and education are working, or if employees are falling asleep during cybersecurity briefing meetings? Much like with any learned skill, you have to test your efforts from time to time.
You may already be running pen tests to gain more knowledge about potential security vulnerabilities in your hardware and software, but you’re probably not testing one of the most vulnerable links in the security chain: your people.
Periodic phishing tests are an excellent diagnostic tool for your company’s vulnerability to social engineering. Here’s how it works: IT sends out a controlled, fake “phishing” email with all of the hallmarks (a slightly “off” sender address, perhaps typos or low-quality logos, and a scheme to acquire personal information) and monitors how many employees click, respond, or fail to report. You can present negative findings to your team to demonstrate just how easy it is to fall for a phishing scheme, and highlight positive findings as an example of how to respond in a real incident.
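To turn the click, respond, and report counts from such a test into numbers you can act on, here is an added example (not code from the original post, TMG, or Hook Security) that scores a simulated campaign from a constructed event log: each employee gets a single outcome, the campaign gets click and report rates, and the reporters are listed so they can be recognized in the spirit of tip #1. The event format and employee ids are assumptions for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log for a hypothetical simulated-phishing campaign.
# One event per line: ISO timestamp, employee id, action.
# Actions: sent, clicked (followed the link), submitted (entered data), reported (told IT).
SAMPLE_EVENTS = """\
2024-03-04T09:00:00 e001 sent
2024-03-04T09:00:00 e002 sent
2024-03-04T09:00:00 e003 sent
2024-03-04T09:00:00 e004 sent
2024-03-04T09:07:12 e001 clicked
2024-03-04T09:08:40 e001 submitted
2024-03-04T09:05:03 e002 reported
2024-03-04T09:11:30 e003 clicked
2024-03-04T09:12:15 e003 reported
"""


def parse_events(text):
    """Parse the log into (timestamp, employee, action) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, emp, action = line.split()
        events.append((datetime.fromisoformat(ts), emp, action))
    return sorted(events)


def classify(events):
    """Collapse each employee's actions into one outcome, worst action first."""
    actions_by_emp = {}
    for _, emp, action in events:
        actions_by_emp.setdefault(emp, set()).add(action)
    outcomes = {}
    for emp, actions in actions_by_emp.items():
        if "submitted" in actions:
            outcomes[emp] = "submitted"            # gave data to the fake page
        elif "clicked" in actions and "reported" in actions:
            outcomes[emp] = "clicked_then_reported"  # fell for it but raised the alarm
        elif "clicked" in actions:
            outcomes[emp] = "clicked"
        elif "reported" in actions:
            outcomes[emp] = "reported"             # the behavior to reward
        else:
            outcomes[emp] = "no_action"            # ignored it, neither good nor bad
    return outcomes


def campaign_metrics(outcomes):
    """Click rate, report rate and the employees to recognize for reporting."""
    counts = Counter(outcomes.values())
    total = len(outcomes)
    clicked = counts["clicked"] + counts["clicked_then_reported"] + counts["submitted"]
    reported = counts["reported"] + counts["clicked_then_reported"]
    recognize = sorted(e for e, o in outcomes.items() if o in ("reported", "clicked_then_reported"))
    return {"recipients": total, "click_rate": clicked / total,
            "report_rate": reported / total, "recognize": recognize, "outcomes": dict(counts)}
```

Employees who clicked and then reported still count against the click rate, but they also appear in the recognition list, since reporting after a mistake is exactly the behavior you want in a real incident.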
Another test to try is a simulated USB drop. Plant official-looking thumb drives in high-traffic areas like bathrooms, break rooms, or parking lots, and determine how many are turned in or reported versus plugged in or taken home. This test helps you gauge your employees’ resilience to hardware drops and how much thought they give to maintaining cyber hygiene.
A Partner in Psychological Training
It can be difficult to incorporate psychological strategies into your cybersecurity training, especially when you’re neither a psychologist nor a cybersecurity expert. Luckily, TMG partners with a leader in psychological cybersecurity training, and you can, too. We’d like to introduce you to Hook Security.
Hook Security is the proprietor of PsySec™, a cybersecurity training methodology that utilizes “humor, repetition, a positive approach, and the latest research in neuroscience to train the part of the brain that houses threat recognition and response.” Alongside this innovative training module with fresh and entertaining videos, Hook Security offers compliance-based training, relevant phishing testing, monthly deep dives, actionable reporting, and a “Campaign of the Month” for each phishing test. Businesses that use Hook Security’s one-of-a-kind program reap the benefits of expert psychology-based cybersecurity training, like easier compliance, actionable intel on employee habits, and the ability to nurture a culture of safety long-term.
Ready to fight back against the mind games of bad actors and secure your organization from the inside out? Tap TMG today to learn more about Hook Security!