Employee Cybersecurity Training: Why It's Time to Change Your Approach

According to a new report from KPMG, American CEOs see generative AI as a double-edged sword when it comes to cybersecurity. Eighty-five percent of U.S. CEOs say AI can help detect cyberattacks -- while at the same time providing new attack strategies for adversaries. Their concerns reflect ongoing doubts about whether any organization can develop an enduring defense against cyberattacks.

AI Is a Double-Edged Sword 

The CEOs are correct: AI is a double-edged sword. IT teams can use it to thwart hackers, but hackers can use AI effectively to menace and damage organizations. According to a new report by Microsoft published just in time for Cybersecurity Awareness Month, hackers are using sophisticated AI-powered techniques to make their attacks more lethal and undetectable. Microsoft further detailed that hackers use existing generative AI tools and emerging chatbots to deploy these attacks on unsuspecting users.   

“Cybercriminals and nation states are using AI to refine the language they use in phishing attacks or the imagery in influence operations,” Microsoft's CVP for Customer Security and Trust, Tom Burt, stated.

Companies Need a Better Approach 

The Microsoft report sounds grim, but smart organizations should take in the data and adapt as they have done for years. One way: recommit to ongoing employee training. For too many organizations, cybersecurity consists of an annual employee training course taken on a laptop, along with an occasional phishing simulation designed to keep employees on their toes.

Companies need: 

  • A year-round commitment, not a one-time commitment. Hackers are constantly evolving their approaches. So should businesses. 
  • A more creative approach to employee training. Boring videos won’t cut it. 

More Creative Ways to Train Employees 

Here are some creative ways to educate employees against AI-powered hacker attacks, even though AI-powered tools are harder to detect: 

  • Use gamification. Gamification is the process of using game design elements and principles in non-game contexts. It can be a very effective way to engage and motivate employees, and it can also be used to teach them important cybersecurity concepts. For example, you could create a game where employees have to identify and avoid AI-powered phishing emails. 
  • Use storytelling. Storytelling is another powerful way to engage and educate employees. You could create short stories or videos that show how AI-powered hacker attacks work and how to avoid them. For instance, you could make a video about an employee who clicks on a malicious link in a phishing email and ends up having their computer infected with malware. (At IDX, we use our creative content teams to do this kind of storytelling for clients.) 
  • Use role-playing exercises. Role-playing exercises can help employees practice how to respond to AI-powered hacker attacks in a safe environment. One approach is to have employees role-play a scenario where they are contacted by a hacker who is trying to social engineer them into giving up their login credentials. 
  • Use simulations. Simulations can help employees experience real-world AI-powered hacker attacks in a safe and controlled environment. A simulation could show – very powerfully – how phishing emails that use AI can be even more difficult for an employee to detect. 
  • Use interactive training modules. Interactive training modules can be a fun and engaging way for employees to learn about AI-powered hacker attacks. These modules can include quizzes, puzzles, and other interactive activities. Consider using these in the context of an online event where employees can engage with each other.

It is also important to keep your cybersecurity training up to date. AI-powered hacker attacks are constantly evolving, as the Microsoft report illustrates, so it is important to make sure that your employees are aware of the latest threats and how to protect themselves.

Additional Tips for Employee Training 

Here are some additional tips for educating employees against hacker attacks (AI-powered or otherwise): 

  • Make training mandatory. All employees, regardless of their role in the company, should be required to complete cybersecurity training. 
  • Make training relevant. Tailor your training to the specific needs of your employees. If your employees work with sensitive data, you may need to provide them with more specialized training on how to protect that data. 
  • Make training ongoing. Cybersecurity training should not be a one-time event. It is important to provide employees with regular training so that they can stay up to date on the latest threats and best practices. I cannot stress this point enough. What does your training calendar look like? Is it populated with events and exercises, or is it a blank slate? 
  • Make training accessible. Make sure that your cybersecurity training is accessible to all employees, regardless of their location or technical expertise. You can do this by offering online training modules, webinars, and other self-paced training options. 
  • Make security a culture. Make sure that employees understand how to apply cybersecurity principles and concepts in their day-to-day tasks and everyday life.

But this is just the start. You’ll need an integrated approach that encompasses both training and the application of AI to protect your digital estate. Our recently published white paper on Navigating the Landscape of Cybersecurity, Privacy, and Accessibility contains more insight into our thinking about cybersecurity. In addition, the IDX on-demand hosting platform is built from the ground up with security and data protection by design. Contact us to learn how we can help you.