Cybersecurity is still one of the biggest challenges companies face today and one of the top priorities for CEOs in 2019. Aside from a strong firewall, the most important way to prevent future attacks is to train employees. They’re often the ones responsible for letting a hacker access private data.
According to Cisco’s 2018 annual report, 65% of email is spam, 8% of which is malicious. Nearly half (47%) of malicious documents are .zip files, and 40% of unknown or unmanaged devices get missed on a network.
Information security company Shred-it found that 47% of business leaders blame human error and negligence for their security breaches. The Ponemon Institute estimated that data breaches cost companies $3.6 million, on average, around the globe in 2017. And according to a CNBC article, research shows that bad habits like leaving your computer unlocked or leaving sensitive paperwork in public spaces can leave data available for the taking.
So, from a training perspective, what can you do?
First, ensure you have clear corporate policies in place as to how your employees can utilize the internet, download files and manage email in the office and remotely. Then create a comprehensive training schedule that ensures all employees understand best practices in fending off would-be attackers. Content for cybersecurity changes quickly, so training often is key.
Instead of turning to traditional training methods, consider using more immersive solutions such as game-based training. In my work at The Game Agency, I’ve seen firsthand how engaging games can be when it comes to training, especially in an age in which attention is hard to keep. You can approach this in many ways. What’s important is that you tell a compelling story that your employees can relate to and that will challenge them to be more aware and assertive.
Game Training Examples
Recently, Intuit set out to teach 3,000 employees its latest set of security protocols. The company enlisted an agency to create a game called Cloud Defense to help employees master cybersecurity. In the game, players must protect their database from malicious attacks while allowing “good” traffic to pass through the web infrastructure. With each level, the difficulty of the game increases. The game allows each player to learn about Amazon Web Services (AWS) security protocols. And to make it more realistic, a “cut scene” news story (think CNN) is shown between each level about the threats a fictitious company is facing. The game tracks and displays scores in the form of a leaderboard and provides rewards and feedback along the way.
While Cloud Defense was created exclusively for Intuit employees, there are other games available for any company to leverage. One example is consulting firm PwC’s Game of Threats, a game designed to help executives assess their readiness to respond to a breach and practice taking precautions prior to and after an event. This fast-paced, head-to-head digital game simulates the experience of a company under a targeted cyberattack. Participants play the roles of both attackers and defenders, working against the clock to make high-impact decisions and ultimately beat their opponents. The game is intended to raise awareness of cybersecurity across all layers and divisions of a company.
If you prefer to dip your toes in the water, you might consider deploying a micro (logic, trivia or word) game that focuses on cybersecurity without introducing stories and characters. Regardless of what game you deploy, consider these three questions before rolling it out:
1. What does success looks like?
Recognizing performance is important, but before you can recognize it, you need to define it. What does success look like? Some examples are:
• Completion rates
• Repeat plays
• Application of acquired knowledge
Once you’ve defined success, consider ways in which you can choose the right approach to games, points, badges, levels, power-ups, leaderboards and rewards.
2. How can you turn your training from a ‘have to’ into a ‘want to’?
Mandatory training can be fun and exciting as long as you keep in mind the following strategies:
• Tell a story. We’ve found that people are more apt to connect with and recall content if it’s presented in the form of a story.
• Present a challenge. People like to prove themselves. Present them with character objections, physical barriers or situational crises, and challenge them to overcome one or more of these in your training playground.
• Don’t make it too difficult. Make the experience fun and challenging but not so hard that your learners give up before they learn new information or practice critical skills.
• Make it pretty. Visual design is important because, unfortunately, people do judge books by their covers.
• Keep it simple. The shorter your training, the better. Break it into bite-sized content that learners can engage with in one or multiple sessions at a time.
3. Should you buy or build?
Games are an effective form of training and can increase engagement, comprehension and retention. When considering training games, companies have three choices:
• Buy a pre-existing game. PwC’s Game of Threats is a great example of a game that has been built once and sold dozens of times.
• Build a custom game. This requires game designers, visual designers, software engineers and a producer to keep everything on track, budget and time. While some companies have the resources to do this in-house, most are well-served to hire an experienced game developer to do it for them.
• Build a templated game. Companies can add their own content to existing game templates to make their training stickier and more fun. This option allows for a little customization at a lower cost. Aside from our own platform, The Training Arcade, other popular tools include Axonify or C3 Software.
Think about your team and what will inspire them to stick with your material until they have mastered it. If you can do this, your employees will likely convert from passive to active learners and master the skills you consider critical. It’s impossible to eliminate cyberattacks, but training games can provide the skills and tools employees need to alter behavior and reduce company risk.