At a time in history where we are ever-connected to our phones, social media often making up a large portion of our social lives, it can feel as if we understand technology more than ever. But this familiarity can leave us vulnerable, as criminals use the evolving technological landscape to develop increasingly intelligent and sneaky methods of accessing our finances or personal and business information. 

In an era marked by repeated cyber threats and quickly adapting attack methods, the  importance of robust cybersecurity training cannot be overstated. However, traditional training methods often struggle to keep up with the dynamic nature of cyber crime, and learners can be daunted by the complexity of cybersecurity – especially if they do not personally consider their role a vulnerability to the company’s security or even a part of it. 

But employees are in fact one of the biggest threats to a company’s cybersecurity, which many overlook – not intentionally but simply from misunderstanding the covert and elusive nature of cyber crime. 39% of UK businesses reported suffering a cyber attack in 2022, costing each UK business an average of £4,200. With many of these threats coming via email cyber attacks – approximately one billion emails per year affecting 20% of workers – businesses must take active measures to prepare their workforce to be the ‘first line of defence’ against cyber threats – or risk an ‘ad hoc’ or novice approach to cyber security, putting the business at risk of criminal activities.  

At imc, we work hand-in-hand with major corporations every day, finding solutions to the latest business challenges. One of the biggest challenges we’ve seen in 2023 is growing awareness of how cyber threats can impact businesses, but confusion around the type of training required can be a major obstacle to implementation. In fact, our recent research found that 56% of managers don’t train their teams to meet mandatory, legal or regulatory requirements, and 48% of employees prioritise training that helps them advance in their career, meaning cybersecurity training can fall by the wayside – despite the well-documented and costly risks. 

The biggest cyber security threats in 2024
While we are all familiar now with spam emails, here are some of the newest threats that your business should be aware of in 2024:

• Deepfakes: Many of us will have seen AI or deepfake musicians singing our favourite songs, or even celebrity statements, going viral on social media. Some have even made the headlines, spreading potential misinformation and propaganda. But deepfakes are also being used by criminals as strong leverage against individuals or companies through fake video and fake audio, with the goal of extortion, blackmail, stock manipulation or to negatively influence public opinion. For standard employees, these could be used to facilitate the release of sensitive data or transferring money out of the business, for example, asking them to send credit card information under the guise of a voicemail from their boss.

• RaaS, or Ransomware-as-a-Service: This is a collaboration between ransomware criminals and affiliates, whereby the affiliate pay to use for ransomware in order to extort money from businesses – and it’s a big earner, with revenues hitting $20 billion in 2020. An RaaS is set up to look like a standard SaaS (Software as a Service, such as Dropbox) and will sometimes even offer consumer-friendly features, such as 24/7 support and user reviews, making them appear highly convincing. When users share personal data or sensitive documents, those are then compromised by the criminals who may encrypt those files. Once encrypted, the business is blackmailed for the safe return of the information or data – upon paying, they will receive decryption keys and have access to their files. 

• Supply chain cyber attacks: The complexity and globalisation of supply chains means there is a significant risk of cyber attacks as criminals look for increasingly inventive ways to take advantage of their vulnerabilities. The effect of a supply chain cyber attack can be far-reaching and incredibly expensive, with impact on profits and even customers. Despite this risk, research by the DCMS in 2022 found that only 7% of businesses are reviewing risks associated with the supply chain – meaning many are unaware of the cyber threats they are facing. A lack of training, systems and due-diligence is a major opportunity for cyber criminals. 

But how do you educate your employees on cyber security in a meaningful way, so they can adapt their processes and understand an ever-evolving threat? Moreso, how do you overcome the challenge of engaging them for ‘drier’ or more complex topics like cybersecurity? We’ve discovered that there’s one approach that can transform learner engagement: gamification. 

So what is gamification?
Gamification is the integration of game-like elements into other processes to increase engagement, encourage particular behaviours (such as repeated engagement with a programme), and support specific thought processes or learnings. Gamification can include creating an interactive experience with exciting visuals, letting the user earn ‘points’, or introducing a leaderboard. 

Research by Sailer, Hense, Mandl and Mayr found that while a game itself isn’t a cure-all, game design elements can have a variety of effects on the motivation, engagement and social behaviours of participants. Simply, this means that how you harness the power of gaming has real impact on the outcomes of that process – something that could have a transformative impact on a business’ learning and development ‘return on investment’. 

This research found that gaming can foster personal motivation and performance within an activity. For example, using a points system allows participants to receive consistent feedback – small peaks in dopamine and social connection – that positively reinforce engagement and development.  Leaderboards serve as a competitive progress marker to increase engagement through social attitudes to hierarchy, but can be demotivating if a participant performs less well. In this instance, it can be more effective to use ‘personal best’ leaderboards. Roleplaying is also a tool that can be used, using storytelling to create a narrative context for the information you want the participants to learn, building that information up ‘brick by brick’ to introduce an emotional or social element to an otherwise dry or complex topic. 

Returning to the fact that half of people are motivated by career advancement – with this, there is a clear ‘return on effort’ for the participants, which may be lacking in cyber security training for employees who do not work directly in IT or cyber security. 

There is no complete off the shelf solution for cyber security, but one tool that we have created ourselves is Cyber Crime Time, a simple (and often updated) playable adventure that takes everyone in an organisation through the basics, completing levels that will give them a basic understanding of Cybercrime Awareness, IT Security Breaches and new cyber threats for example. As I have mentioned, the weakest line of defence is often the people not the technology, but all is not lost, given the opportunity, people can learn, empowering themselves and the enterprise for which they spend their working days. Why not make it fun? And when the dust settles, if everyone in the organisation learns a bit, the collective protection and first line of defence is unquestionably stronger, and likely happier and proud of themselves too.