Concerning trends in user security training, and ways to arrest this lethargy, were discussed by Steven Purnell, Professor of Cyber Security at the University of Nottingham, during day one of the Cloud & Cyber Security Expo at the ExCeL, London, UK.
Purnell highlighted findings from the latest DCMS Cyber Security Breaches Survey 2021, an annual report detailing what UK businesses and charities are doing about cybersecurity and the costs and impacts of cyber breaches and attacks. It showed that by far the most prevalent type of breach or attack was phishing (affecting 83% of businesses and 79% of charities), followed by impersonation attempts via a range of mediums, including email (27% and 23%, respectively). Purnell noted that these attacks are “user-facing types of incidents.”
Despite this, the DCMS survey found that just 10% of businesses and 12% of charities offer staff training in cybersecurity, “by far the lowest of the NCSC’s 10 steps guidance.”
Purnell observed that organizations’ lack of focus on user awareness training is “a long-standing issue.” He cited a survey from 2002 in which one respondent characterized the user community as “ordinary, unalert, uninterested, lax, ignorant, uncaring end users.” He posited that this attitude may have permeated many organizations, leading them to conclude it is not worth training their staff in this area.
Purnell then highlighted drawbacks with common approaches to awareness training, which often involve watching a video and completing a simple task, running for 30 minutes once a year, with the same module repeated annually. While this approach may help raise awareness of security issues, “is it providing any training in terms of actually dealing with things? It’s probably not taking people very far,” said Purnell.
He characterized this approach to training as ‘Goldfish,’ where organizations “assume people forget everything, and we need to repeat the same thing over and over again in the hope it finally takes hold.” Instead, training should be more like a Babel fish (from The Hitchhiker’s Guide to the Galaxy), where “we actually translate things in a manner our staff will understand.”
Therefore, training needs to answer the questions of why, who, what, how, and when/where. To help organizations develop programs that effectively cover these areas, the NCSC has updated its 10 steps guidance on training, retitling it from ‘user education/awareness’ to ‘user engagement and training.’ This advises three main action points:
- Encourage senior leaders to lead by example – ensuring messages about cybersecurity come from the top of the organization.
- Build effective dialogue with our staff – this includes presenting cybersecurity to them effectively, not stigmatizing mistakes, and creating processes for reporting issues.
- Consider running security awareness campaigns – these should focus on positive messages, such as highlighting the benefits of security training to staff, and deliver training in small, frequent doses while avoiding repetition.
The overall purpose of this approach is to move from security awareness to influencing behavior and, ultimately, to creating a strong cybersecurity culture. In Purnell’s view, a crucial aspect of such a strategy must be tailoring training to individual staff members, thinking about “what they need for their role, how they would like to receive the message and what barriers are there regarding their position, knowledge, attitude.”
Purnell emphasized that this is not an outcome that can be achieved overnight; it requires a long-term commitment to building a “security-aware and literate staff base.”