Is it Time to Rethink Cybersecurity Training?

Ask any security expert what the most effective way to improve cybersecurity is, and chances are they’ll say “staff training”. Not only is training relatively cheap, but a well drilled workforce that’s vigilant to the latest threats and techniques used by cyber-criminals (such as phishing and social engineering) can go a long way to protecting a business’s sensitive data.

Unfortunately, over the past 20 years cybersecurity training has increasingly been viewed as a tick box exercise, or something to be got out the way once a year for compliance reasons. In many companies, the typical training session amounts to little more than a short video or presentation, followed by a questionnaire and/or Q&A session with the instructor.

While this may ‘tick the training box’ at the board level, it generally fails to engage employees in any meaningful way, leaving them no more informed than before they went in.

Effective cybersecurity training has never been more important

When considered against the backdrop of an increasingly hostile cybersecurity landscape, where dangerous new threats are emerging all the time, the training approach described above is at best, lacklustre and at worst, dangerous.

With data becoming more and more important to businesses everywhere, effective protection is now paramount, and the repercussions for those who fail to provide it are growing. Reputational damage, loss of customer confidence and major regulatory fines can all prove fatal to a business’s long-term prospects, particularly in the current financial climate.

Add to this the fact that many employees are still working remotely, where distractions and the home environment mean their guard is down even further than normal. Businesses need to know they can trust their employees to act appropriately, regardless of where they are working at any given time.

Taking training cues from other industries

Effective training should help employees understand and buy-in to the importance of cybersecurity, not just for the business, but for them as individuals too. Doing so requires an approach that goes beyond the standard videos and presentations, and engages them on a more personal level.

In order to understand this better, businesses can look at the way training is handled in other industries, such as the medical sector. For instance, the NHS uses situational-based training scenarios to help trainees understand the real-world consequences of decisions they make, so that they can understand the entire journey and the importance of their contribution (or not).

A typical scenario immerses trainees in the journey of all parts of the problem: what the contributing factors are in a given scenario, and how their actions can lead to a positive or negative outcome end-to-end. The key difference is that the trainee is taken on a journey, not just from their own perspective of the problem, but through each of the moving parts and the resultant effect an action (or non-action) might have. In this way trainees really learn to understand the circle of ownership and start to appreciate others’ involvement, so that better questions are asked and better outcomes gained, as opposed to tick-box-only, flowchart exercises.

We need to translate this to the corporate world, helping users to understand (at a high level at least) the world of their SOC operations, user security responsibilities and customer needs in terms of data protection and security. This will ensure their purview of the entire security ecosystem is widened, and more appreciation and ownership is gained in terms of their part in the chain of protection.

Of course, cybersecurity is rarely a case of life and death, but trainees can really benefit from understanding the implications of their individual actions here too. For example, if they carelessly click on a link and the business is hit with a cyber-attack, the subsequent fines or reputational damage could lead to a drop in sales, forcing the company to introduce cost cutting measures such as salary cuts or even job losses.

While this scenario may be on the extreme end of things, people are far more likely to think twice about clicking on that link if they realize their job, other people’s sensitive data, or even the entire company’s future, could ultimately be at stake.

Another way to spice up security training is to extend it outside the classroom, with the introduction of simple red team exercises that test employee vigilance and awareness in a normal working environment. Employees can either be made aware that an attack is imminent, or for the ultimate test, kept in the dark!

Much like situation-based training, the point isn’t to name and shame anyone who clicks on a compromised link, but to get employees thinking about security and the importance of their own actions on a regular basis, rather than just for that one training session each year.

Don’t wait until you’ve become a victim

Sadly, companies that continue to treat cybersecurity training as a tick box exercise all tend to have one thing in common – they’ve never been the victim of a major cyber-attack. As such, many are reluctant to change their ways or invest more in it.

Better training does inevitably cost more money, but the additional expense pales in comparison to the financial implications of a major data breach, so maybe it’s time to revisit how you can re-invest in your training and education programs to support more effective business outcomes for security, compliance and risk management.
