Security education is also an opportunity to strengthen communications within an organization so that employees become less susceptible to social engineering attacks. For example, if the HR and IT departments start to issue advance warnings about upcoming changes to email or other systems, and what to expect in terms of updating login credentials, staff members will grow more suspicious of unexpected emails that pose as such updates and try to trick them into sharing personal information. Establishing clear procedures for handling suspicious emails, such as reporting them immediately to the IT department, also helps recondition employee behavior.
Given that the ultimate aim is to retrain employees’ reflexes regarding online behavior, it’s imperative that managers respond to training results in a constructive, nurturing way instead of a punishing one.
“If somebody fails one or even a few times, that shouldn’t mean that we come down on them and we shake our finger in their face and tell them how bad they are,” says Carpenter. “They’re failing because they’re human, and we’re putting them in a situation that tests their humanity in a lot of ways. And we’re putting them in that [situation] because we know that this is the natural default behavior that people have and we’re trying to shift it.”
Mitnick agrees that a carrot approach works better, encouraging people to see security as being in their own self-interest. “People don’t really care about security unless it’s in their self-interest. They could be worried about their job or about protecting their own data. They could just want to do the right thing for the company because obviously they don’t want the company victimized.” The key is to turn an employee’s mistakes into teachable moments that further strengthen an organization’s last layer of defense.