A Successful Security Strategy Is All About Relationships. Here’s How to Build Them.
Security efforts are not limited to security teams. High impact strategies need to engage everyone from employees to the board of execs, DevOps teams and IT. Learn how how to become not just an effective partner but a trusted advisor across an organization.
Your Legacy Phishing Solution Isn’t Enough to Protect Your Organization
CISO Josh Yavor explains why legacy phishing solutions aren't effective in preventing successful attacks, and what you can do about it.
9 Things I’ve Learned Writing Phishing Emails
Ethical hacker, Craig Hays, explains why copywriting, timing, and context are all essential "ingredients" in crafting a phishing attack.
Employee Burnout Will Probably Cause Your Next Data Breach
Understanding how stress impacts cybersecurity behaviors could significantly reduce the chances of people’s mistakes compromising company’s security.
Stateful Machine Learning is Our Best (And Only) Bet
Traditional machine learning methods that are used to detect threats at the machine layer aren’t equipped to account for the complexities of human relationships and behaviors across businesses over time. There is no concept of “state” — the additional variable that makes human-layer security problems so complex.
How Easy Is It to Phish?
You don't have to be tech savvy to become a "hacker". This blog outlines how to create a phishing campaign, and was designed to help security leaders protect their organizations.

Explore Human Layer Security.

Learn About Our Mission
Subscribe to our newsletter
Explore Me
Read More
Podcast Podcast

Why We Should Lead With The Carrot, Not The Stick

James McQuiggan

Illustration by Calum Heath

James McQuiggan, Security Awareness Advocate at KnowBe4 believes we need to embrace the new school approach to security education and start to make the most of the human factor.

Listen to the full podcast here, or read on for James McQuiggan’s top three takeaways.

The new school approach to security education is designed with the end-user in mind

I got into security awareness over 11 years ago. Back then, cybersecurity training consisted of a lunch and learn with a PowerPoint presentation, and perhaps some donuts to entice people. You may also have had computer-based training where you go through and click ‘next’ repeatedly until you reach a 5-question multiple-choice quiz. That was it. You might remember the information, you might not. Most of the time, if you weren’t interested, you wouldn’t.

The new school approach to security education is based on totally different concepts and includes a variety of different factors. It is not just computer-based training once a year. At its core, the new school version must be engaging and interesting, and needs to appeal to the end-user. The end-user should feel a connection to it so that they are compelled to take an interest in security, to make them think twice about clicking a phishing link, or reusing a password. So, helping employees connect with security will drive an overall security culture change. If users don’t relate to it, they’re not going to care. 

Security education should be creative and reflect the culture of the organization

Consider some of the training sessions you must do – accounting, finance, or expenses. It is very difficult to learn if you are only doing it because your boss told you to, and you don’t really care about the subject. 

A security awareness program should be more engaging. Whether it is posters, newsletters, animations, or a weekly video. Organizations should be doing different things every month or every week to help reinforce the information throughout the year. Ideally, you want employees to enjoy engaging with the security program, and to do this we need to lead with the carrot and not the stick.

For example, a friend of mine is a CISO at a law firm and he runs a monthly contest. Whoever spots the most phishing emails gets their name on the notice board and a $25 gift card for coffee. What has become clear is that the employees could not care less about the gift card! They want to see their name on that list – and they want to see it at the top – it’s a competition for them. 

So, you want to find what works within your culture to get people interested and take it seriously. Whether it is a board, recognition, a coffee mug, a shirt, understanding the culture of your organization and reflecting that in your security program goes a very long way.

Humans can be cybersecurity’s strongest asset – they’re just not getting the right training.

Well over 50% of data breaches are the result of some kind of human interaction – whether someone misconfigured a firewall or a user clicked on a phishing email. This means that humans must be the weakest link when it comes to cybersecurity – right? 

It’s not that simple. A recent report from an identity resource group analyzed a variety of different organizations and their budgets. The report revealed that about 3% of the average organization’s cybersecurity budget goes towards training – towards the human aspect. That’s just 3% on training your developers, training your security team, and security awareness training for employees. 

So only $30k of a 1 million dollar budget would go towards training, and when you’ve got so many data breaches being because of human action, that’s not a lot of money. People love to say that humans are the weakest link, but I think that humans can be the strongest link, and companies just aren’t training them.

For more from James on security education, the rise of ransomware, and the human factor, listen to our RE: Human Layer Security Podcast episode, here