With an ever-increasing amount of cyber-attacks being undertaken and staff pressures increasing which often leading to human errors, we need to look differently at Security Awareness Training.
I am sure that there is one thing all security experts should be able to agree upon, and that is that the vast majority of security awareness training programs are utterly worthless.
Users are dragged from their desks once a year to sit in a room while a help desk employee tries to explain why “fluffy1” is not a secure password or how to identify a phishing email.
Or, even better, users are told to complete an online training package and perhaps answer a couple of multiple-choice questions at the end. Short term memory will normally suffice to ensure that they pass straight after they have completed a course. An hour later they have forgotten most of what they learned.
What’s even worse, some staff take screenshots of the course and then use these to answer the test at the end.
Clearly, this approach to security awareness is not effective. At best, you can expect an improvement in some staff awareness, or risk reduction, in the single-digit percentages.
Staff is busy, disinterested in security, and typically consider security to be an IT function and not something for them to worry about.
Secondly, what good is awareness? Security is an activity, not a concept, and simply understanding something is not the same as doing it. Just because someone knows, or is aware of what to do, it doesn’t necessarily mean that they will do it.
There is, ultimately, a huge difference between understanding that not all email is legitimate and being able to identify potential phishing scams.
Rather than working to improve awareness, what is really needed is a change in security behaviours.
Finally, the word “training” must be taken more literally. In every other walk of life, training comprises a consistent and ongoing cycle of education and practice, where a built-in feedback loop informs necessary adjustments. Exams are conducted later in the program to measure the retention and understanding of the topic.
If human vulnerability is to be patched effectively, this approach needs to be adopted by security training providers.
If the security world is going to start taking user training seriously, a radical shift in perspective is needed.
Training programs must focus on only those aspects of security that are relevant to the average user and where a change in security behaviours will directly enhance the enterprise’s security as well as the user’s personal life.
Changing Security Awareness Training
As stated previously, online training is ineffective. We need to look at different methods to train our users, so the message is better absorbed and implemented in their everyday lives.
Gamification is one of the new buzz words, asking users to complete a game. This has shown to have a reasonable impact as long as the game is engaging and fun.
Workshops to executives and staff providing the real-time visibility of how attacks occur have been showing some great results. Not only educating them of the real threats but also getting their buy-in to the program.
Short interactive videos, regularly changing screen savers and wallpapers, intranet messages and articles measuring the increased click rates, messaging, reinforcement activities, and awareness week sessions with games, activities, and hands-on experience for all users are great ways to get the message across, continuously.
Make sure all of these activities are short, so the users don’t resent them and believe that it is impacting their workday.
Creating a Culture of Security
If staff doesn’t want to participate, no matter what you do, they will avoid being engaged. Notwithstanding, accepting that they are responsible for their actions, is even harder to enforce.
Of course, creating a culture that promotes security requires energy, careful planning, and investment, not to mention a mechanism for tracking improvement.
Security culture metrics serves the purpose of measuring security culture, it is not measuring awareness training completion rates or phishing assessments.
Security culture metrics measure the sentiments towards security in an organisation, the psychological and social aspects that drive individual and social behaviour.
The word “communicate,” a soft skill desperately needed if security teams hope to reinvent their image. Companies need to do more to change the culture of their organisations if they hope to dispel the myth that security controls and programs serve little to no value and only hamper productivity.
For other departments to understand what security is trying to achieve, companies need to move in the direction of creating a cyber-aware culture. Culture isn’t created through policies and controls. Culture is built through communication, not a dense poster filled with information that no one reads, or an annual computer-based training that employees click through while they are on conference calls.
A security-aware culture can be built, but it can only be done through interpersonal engagement. If the business hopes to mitigate the risks from cyber threats, security and security teams need to be seen as critical to protecting all the business, which include its employees.
Building Muscle Memory and Habits
To truly master any skill, a lot of deliberate practice is needed.
Building and maintaining a culture of security is no different. Reducing phishing susceptibility from 30% to below 5% is achievable for any enterprise, but it is not an overnight fix.
Even once the desired rate is achieved, employee churn rates and the inevitable decline of unpractised skills mean that a continued effort is required to maintain it.
This approach, then, must be considered a continual investment in security excellence. Certainly, the reduction in spending on incident response and data breach costs will hugely outweigh the cost of investment, but it must not be considered a one-off patch for human vulnerability.
Instead, the cost of building a culture of security should be considered as necessary as the cost of employee key cards or any other direct cost of employment.
Any single user has the potential to enable a massive data breach, and with breach fines reaching new heights every year, enterprises of all sizes have little choice but to take this risk seriously.
Only by investing in employees, rather than attempting to take them out of the equation, can a security-conscious enterprise flourish in the coming years.