How effective cybersecurity training goes deeper than raising awareness
Emile Abou Saleh, regional director MEA at Proofpoint, highlights why organisations need a security training programme that successfully eradicates the behaviours putting them at risk
The best way to achieve this is through a mix of the broad and the granular. That means starting by cultivating a security-first culture through a continuous, company-wide training programme that acknowledges everyone’s role in keeping your organisation safe.
When working in the cybersecurity industry, it’s easy to exist inside an “infosecurity bubble”, where buzzwords and acronyms are commonplace in day-to-day conversations. The idea that any computer literate person could be unfamiliar with a term as common as phishing seems unthinkable.
As detailed in Proofpoint’s State of the Phish Report 2020, a significant number of workers worldwide have little to no understanding of what cybersecurity professionals may consider basic terminology. In fact, only 61% understood the term phishing, with just 31% familiar with ransomware. There’s yet more grim reading when it comes to modern threats. Just 30% of the global workforce understand the term smishing, and only 25% were familiar with vishing.
These numbers are even lower among the younger generation. Far from ushering in a new breed of security-savvy employees, those under 40 are less informed about basic security threats. Just 47% of those aged 18 to 22, and 55% of those aged 23 to 38, recognised the term phishing, compared with 65% and 66% of those aged 29 to 54 and 55+ respectively. This can only point to a sheer lack of basic cybersecurity knowledge.
Cybersecurity training – much more than a box-ticking exercise
A complete lack of training is not the issue here, as almost all surveyed organisations (95%) train employees to spot and avoid phishing attacks. However, scratch the surface and this training has the potential to be ineffective – in frequency, method and scope alike.
Starting with the latter, almost a third of organisations only train a portion of their users. Targeted training is essential, but it leaves gaping holes in cyber defence if not accompanied by company-wide education.
The frequency of training is also found wanting. While most organisations conduct training on a monthly basis, this amounts to between one and three hours over the course of a year. Just 10% of organisations spend more than three hours per year on this vital task.
The World Economic Forum estimates that between 2019 and 2023, $5.2tr in global value will be at risk from cyberattacks. The majority of the individuals facing these attacks receive just three hours of training in a year.
Just 60% of companies provide any sort of formal education to users, be it in-person or computer-based training. For many, cybersecurity training amounts to a combination of newsletters, email bulletins, educational videos, and end-user report buttons.
Any approach that raises security awareness should be encouraged. But to put these methods under the umbrella of training is a little misleading. Being aware that a threat exists, through an awareness campaign, is a world away from learning the skills needed to minimise the risk of that threat seeing success.
Cybersecurity training must place greater emphasis on the why and the how. Why am I a target for cyberattacks? How do my actions impact the security of my organisation? Yes, employees must learn to recognise common threats, but they must also be made acutely aware of their role in defending against those threats – and the consequences of failing to do so.
Should end-users face the consequences?
We often talk of the consequences of poor cybersecurity from a business point of view. Rarely do we discuss the consequences of bad practice on individual employees.
That said, the consequence training model is gaining traction. Almost two-thirds of organisations punish users who regularly fall for phishing attacks. Consequences can range from additional in-person training through to official warnings and monetary penalties.
Organisations are understandably wary of punishing workers for mistakes – fearing that it may foster negativity around cybersecurity training. However, proponents of the consequence model believe that without some form of deterrent, users may not take their responsibilities seriously.
While the approach may be up for debate, its effectiveness is not. Almost 90% of organisations report an improvement in employee awareness following the implementation of a consequence model.
The key takeaway is that time and effort matter. The more hands-on training that workers receive, the better they are at spotting phishing attempts.
Creating a security-conscious culture
The goal of any security training programme is to eradicate behaviours that put your organisation at risk. The best way to achieve this is through a mix of the broad and the granular.
Start by cultivating a security-first culture. This means a continuous, company-wide training programme that acknowledges everyone’s role in keeping your organisation safe.
With this as a foundation, you can then provide tailored training to those who are most actively targeted by cyber threats – your Very Attacked People (VAP). By establishing your VAPs, you can tailor training to specific threats and job roles, address threats with greater certainty, and continually monitor the skill level of those on the front line.
Additionally, in countries with a culturally diverse workforce, such as the United Arab Emirates, it’s crucial to go beyond mere translation by offering localised content in different languages.
Training should take the form of in-person workshops, computer-based assessments, realistic simulated attacks and general awareness education. Most importantly, this training must be comprehensive, ongoing, and responsive to changes in the threat landscape.
There are no quick fixes in cybersecurity. Building a security-conscious culture takes continued effort and attention.
Cybercriminals are focused – forever honing their skills and techniques. If you’re not doing the same, there can only be one winner.