‘Humans are the weakest link’ has been the refrain of the IT security community for many years and, with social engineering attacks becoming ever more prominent and sophisticated, an organisation’s people will continue to be one of its biggest security risks.
Despite this, educating this core line of defence has tended to take a compliance-based focus: a ‘tick-box’ exercise using generic, off-the-shelf courses outlining the perils of social engineering, with little included to explain why the training matters. Perhaps unsurprisingly, one of the biggest challenges is getting the average system user to complete this cyber security coaching at all, since it is often seen as an inconvenience rather than as the key enabler of perimeter defence that it is.
A risk-based approach
However, 2022 saw training and awareness start to evolve to take a more balanced ‘human risk’ approach. This acknowledges that there is a significant risk of people clicking on phishing emails and Business Email Compromise (BEC) scams, and that more should be done to manage it in the same way as other organisational risk, with targeted remediation and mitigating controls applied.
One focal point is the area of behavioural change. While it is possible to show if someone has completed a cyber security training module, few security tools can indicate whether the individual has paid attention and is actively making smarter decisions to reduce the risk they encounter every day. Altering behaviour generally requires a different approach – one that incorporates targeted training, repeated at frequent intervals to ensure the key points are retained and acted upon. (This must be undertaken without overloading the user with constant reminders, or lengthy exercises – both of which are likely to be ignored.)
Typically, business areas such as HR, finance, and IT support get most of the attention levelled at cyber security training as they have access to confidential information or privileged access to applications and processes. But a more advanced approach is to review all parts of the business; analysing incident reports will show where risks are materialising, and training completion rates, along with scores from short tests undertaken after the course, will indicate where people struggle. The threat landscape, and its change over time, also needs to be a consideration as it will indicate where to focus in terms of improving staff knowledge and awareness.
Going further, training should be graduated based on the risks that are present within a particular job role and the impact to the business, should the person in that role be compromised. The education (and testing of that education) of an employee who has privileged access to servers, databases or applications for example must have more rigour applied to it than that of someone with no access to IT assets; to do this effectively requires some alignment of training delivery with identity provisioning, based on the risk profile of assets.
When it comes to the content itself, the simulation of security incidents is now a mainstay of training and awareness programmes, and a key component in helping organisations to understand their risk. These typically take the form of phishing simulations, which are invaluable for measuring how individuals react when they receive something suspicious.
Gamification, which is becoming increasingly popular in many other areas of learning, is a way to make cyber security training more fun and engaging; enabling employees to play out a disaster scenario can demonstrate the importance of security measures by helping them to visualise what an attack or breach may look like from start to finish.
Other successful and creative training methods organisations have deployed include getting employees to watch relevant TV shows (such as Mr Robot) and turning security training into a mini-TV series of their own. Facilitated ‘wargame’ sessions for senior managers, in which one side acts as the attackers and the other as the defenders, are also a good way to help people understand some of the techniques and challenges. The key is getting to know the audience and what will work to engage them.
It’s also important to acknowledge an organisation’s culture and where its people are based geographically. Different parts of the business may react differently to the types of training on offer: gamification, or introducing leaderboards, might be a huge hit in one part of the enterprise but ridiculed in another.
Make it personal
A key element of security training and awareness activity is communicating the responsibility that employees have to keep the company safe, as well as ensuring that they perceive there to be a real threat. Content needs to provide real life examples that are applicable to the audience and the level of risk associated with their role and the industry. Emphasising the impact an attack could have on the employee, as well as the organisation, provides an ‘emotional’ hook, and encourages people to look at what they can do to avoid falling victim in the first place.
Educating employees on cyber risk in a personal context, so that they change their behaviour when handling their own information, is also likely to have a positive impact on their actions in the workplace.
An ongoing process
Most people won’t overtly deal with cyber security in their daily tasks, meaning skills and facts may not stick in their minds; training therefore needs to be an ongoing process. This is where integrated tools such as KnowBe4 are useful: the platform allows organisations to periodically send simulated phishing attacks across the enterprise, testing employees’ awareness of phishing and their reactions to it. The emails can be edited to mimic any threat employees may face, and the simulations also encourage staff to go through the process of reporting the attack within their email interface, providing a practical refresher of what to look out for and how to deal with it.
Carrot not stick
The key to successful security awareness training is to engage all staff in the overall journey. A key contributor to this is incentivising the reduction of cyber-attack risk, for example with bonuses or gifts for the teams with the lowest click-rate on simulated phishing emails, or public praise for employees who correctly identify genuine phishing attempts or suspicious behaviour. Creating ‘security champions’ within the business provides an aspirational goal, and competition between divisions or locations for the best performance in training can be beneficial.
It is critical, however, to avoid a punitive approach: if someone fails a simulation test (or any other type of training module), the message needs to be supportive and educational. Making people feel foolish leads to resentment, an unwillingness to undertake further training and, potentially, a reluctance to report future incidents for fear of being embarrassed again.
A secure culture
As organisations large and small continue to be hit by cyber attacks, there is no doubt about the need for protection. Technology has many of the answers, but it must be reinforced with knowledgeable and engaged employees, who each understand their role in keeping out bad actors. This requires a commitment to cyber security education, as well as a desire to see training evolve to better meet the needs of today’s enterprise, while helping to make security awareness part of the organisation’s culture.