If the often-cited estimate that around 95% of cybersecurity breaches involve human error is even close to correct, it is safe to say that the current state of security awareness training is not working.
Educating digital generations on data, privacy, cybersecurity and online best practices is paramount for a safe and paperless future. If we are still seeing an estimated 73% of accounts protected by reused passwords, and reported figures of an attack attempt somewhere in the world roughly every 39 seconds, then it is time to refresh and update the way security awareness training is delivered.
Cybersecurity awareness training is, for the most part, boring, unengaging and, most importantly, not relatable to the audience. Corporate training tends to consist of corny cartoons with monotone voiceovers and poorly acted scenes that nobody recognises from their own life. I’ve witnessed an employee start their mandatory cybersecurity training, get up from their desk, walk away from the unlocked computer (which is a security risk in itself), go make a cup of coffee, grab a bite to eat and come back when the training is finished. The funny thing is I don’t blame the employee at all. It’s what most people are doing: clicking play, switching off and then returning to the screen when the video has finished. This is because the video has nothing to do with the individual watching it.
Currently, cybersecurity training is all about the business. It explains what happens to the company if an employee clicks a link and how much the business could be fined if security practices are not followed, but it very rarely gives the employee anything they can use to protect themselves in daily life. I’m not saying business-specific training isn’t necessary, because it definitely is; however, it is important to give users some foundational skills they can apply in their everyday lives. These include securing their social media accounts to limit how much personal information they share with the public, and walking through real-life case studies that show what happens when too much personal information is exposed online.
To those reading this, I guarantee that if you log in to your Facebook or Instagram account, you will be able to find your first name, last name, email, mobile number and date of birth. That right there is enough to steal your identity. But if you dig further, I believe you would be able to find your siblings' names, parents' names, children's names, best friends, pets, interests, where you were last week, where you live, political opinions, where you went to school and where you currently work.
I bet that you even use some of these characteristics in your passwords as well. Showing people real-life examples that can directly impact them is how we need to move forward. As an example, we should be showing them how to minimize the risk of identity theft and how to lock down their social media accounts. If they start securing their personal lives, those skills will follow them into the workplace.
The context of malicious cyber actors should also be incorporated into the training, so that people understand who is trying to hack them and why. It is important to show who the attackers are, such as nation-states, cyber-criminals, hackers and script kiddies, in an engaging and interesting way: what each of them is trying to achieve, whether financial gain, identity theft or influence, and which attack vectors get them there. For example, employees can be shown a real phishing email and asked to point out its suspicious characteristics: a sender domain that only resembles the real one, a Reply-To address that goes somewhere else entirely, link text that does not match where the link actually leads, and language that pressures the reader to act immediately. However, don’t just hand them a single email; provide some context and tell a story. For instance, a nation-state actor trying to manipulate an election campaign sends a large number of phishing emails to citizens of a particular country, pointing to a fake website that pretends to track the polls and asks you to "vote" for the candidate you want to win. That shows a malicious actor with a goal and the means of achieving it. This is interesting, engaging and relatable.
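The following script is an added worked example and is not part of the original article. It takes a constructed phishing lure modelled on the "poll tracker" story above and flags the indicators a trainee should learn to spot: a lookalike sender domain, a Reply-To pointing at a different domain, link text that disagrees with the link target, and pressure language. The trusted domain `election-commission.gov` and both sample messages are hypothetical and constructed for this example.

```python
"""Flag common phishing indicators in a raw email message (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed legitimate domain for this scenario (hypothetical, not a real site).
TRUSTED_DOMAINS = {"election-commission.gov"}

# Phrases that push the reader to act before thinking.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "will be discarded")

# Digit-for-letter swaps commonly used in lookalike domains (0->o, 1->l, ...).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

# Constructed sample lure modelled on the "poll tracker" story. Not a real message.
SAMPLE_EMAIL = """\
From: "National Election Commission" <alerts@electi0n-commission-results.com>
Reply-To: collect@mailbox-relay.net
To: voter@example.org
Subject: URGENT: confirm your vote in the live poll tracker
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear voter,</p>
<p>Your vote has not been counted. Confirm within 24 hours or it will be discarded.</p>
<p><a href="http://electi0n-commission-results.com/track?id=8812">https://election-commission.gov/tracker</a></p>
</body></html>
"""

# Constructed benign message from the assumed trusted domain, for comparison.
CLEAN_EMAIL = """\
From: "Election Commission" <info@election-commission.gov>
To: voter@example.org
Subject: Polling place hours
Content-Type: text/plain; charset="utf-8"

Polling places open at 07:00. Details: https://election-commission.gov/hours
"""


def domain_of(value):
    """Lower-cased domain of an email address, or hostname of a URL."""
    if value.lower().startswith("http"):
        return (urlparse(value).hostname or "").lower()
    return value.rsplit("@", 1)[-1].lower()


def is_lookalike(domain):
    """True if the domain is untrusted but reads like a trusted one once digit swaps are undone."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    normalized = domain.translate(HOMOGLYPHS)
    return any(t.rsplit(".", 1)[0] in normalized for t in TRUSTED_DOMAINS)


def analyze(raw):
    """Return a list of (indicator, detail) pairs found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender domain that merely resembles the real organisation's domain.
    _display, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = domain_of(from_addr)
    if is_lookalike(from_domain):
        findings.append(("lookalike-sender", from_domain))

    # 2. Replies silently routed to a different domain than the visible sender.
    reply_to = parseaddr(str(msg["Reply-To"] or ""))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(("reply-to-mismatch", f"{from_domain} -> {domain_of(reply_to)}"))

    # 3. Link text that shows one site while the href goes to another.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        shown, target = text.strip(), domain_of(href)
        if shown.lower().startswith("http") and domain_of(shown) != target:
            findings.append(("link-mismatch", f"shows {domain_of(shown)}, goes to {target}"))
        if is_lookalike(target):
            findings.append(("lookalike-link", target))

    # 4. Pressure language in the subject or body.
    text_blob = (str(msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [p for p in URGENCY_PHRASES if p in text_blob]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_EMAIL):
        print(f"{kind:18} {detail}")
    print("clean message findings:", analyze(CLEAN_EMAIL))
```

The same four checks are the ones a trainee can do by eye: hover over the link, compare the sender domain letter by letter, look at where a reply would go, and notice the countdown. The homoglyph table is deliberately small; a production filter would also check punycode, subdomain tricks such as `election-commission.gov.example.net` and the message's authentication results.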
Cybersecurity awareness training has been the same for years, yet we still see employees clicking on suspicious links. It needs a refresh. It needs to be engaging, interesting and relatable. It shouldn’t just be tailored for a business context; it must also include cyber-attack scenarios experienced in everyday life.