November 1, 2016

Game On: Engaging Employees in Enterprise Security

Motivate the weakest link with fun. 

All work and no play makes training a dull task. So why not encourage cybersecurity best practices through games?

It’s nothing new—survey after survey of IT security professionals finds that an organization’s employees are the weakest links in the enterprise security framework. A recent example: 55 percent of the 601 data protection and privacy training professionals surveyed for the “Managing Insider Risk through Training & Culture” report by Experian say their organization had a data security breach due to negligent or malicious actions by employees.

Cybercriminals are constantly creating devious phishing schemes and other clever ruses to trick unsuspecting employees into downloading malware. Adding to the problem is a lack of understanding within the organization about why data security procedures are necessary. Employees often perceive these measures as excessively time consuming and ignore them, especially when working on tight deadlines.

The Fun of the Game 

More enterprises are turning to games to instill solid organizational security habits. For example, Digital Guardian, a cybersecurity firm, offers DG Data Defender, a game to educate employees on the issues surrounding data loss prevention and sound security practices. While employee training frequently focuses on pointing out what employees do wrong, Digital Guardian’s approach also takes note of good behavior and offers rewards to reinforce it.

The game tracks each employee’s data security practices, and a scoreboard shows the leading performers to foster competitiveness. Users receive badges for the first, tenth, and hundredth email sent without violating a security policy and for other accomplishments, such as the first time they use data obtained from a secure shared drive and correctly store it back on the drive.

Users are encouraged to display these badges in their email signatures, print them out, and post them in their workspace. Employees who demonstrate good security habits over longer periods are eligible for prizes such as gift cards. The idea is to raise data security awareness in a fun, engaging way. “Security awareness campaigns must be tailored, ongoing, and involving,” according to HPE’s white paper “Awareness is only the first step: A framework for progressive engagement of staff in cyber security.”

Everyone’s a Winner

Incorporating this education within day-to-day practices via gaming keeps the issue on the minds of employees each day, rather than reserving the topic for occasional training sessions. The common approach to enterprise data security training is “generic web-based training with security quizzes, a ‘box-ticking’ exercise that only indicates employees have read through pages and know the answers to questions,” the white paper notes. “It does not mean they will adopt secure behaviors as they go about their daily tasks.”

Incorporating gaming into daily work has a better chance of prompting employees to fully embrace positive data security habits, a critical step toward achieving organizational goals for a better enterprise security framework.
