Cybersecurity training in many organisations is seen as a chore, a tick-box exercise to be done when we get time, maybe next week. Or it is mandatory, regardless of the deadlines you face, but largely irrelevant to your role or to the risks the organisation actually faces. Yet, in today's world of highly sophisticated data breaches, does all this training actually make a difference?
Firstly, cyber security training is a bit like studying history: every month that goes by adds another month of material to learn. There is no end to the subject matter because it is constantly evolving. Secondly, when teaching any subject, if the students are not interested then, given the limited time available, they are unlikely to learn anything, or they already know what you are teaching and resent having to sit through it. Lastly, the security technologies in place do most of the work, protecting users from the overwhelming majority of threats (99.9% is a commonly quoted rough figure), so the odds seem low that an individual user's choices will make any difference.
That all said, the number of threats we face is enormous, and even if we are 99.9% protected, the remaining 0.1% is still a very large number. According to the AV-TEST Institute (www.av-test.org) there are over 1,050 million known malware samples; 0.1% of that leaves you potentially unprotected against over a million threats. Many of these threats start with social engineering to get a foot in the door, which technology is not very good at stopping but education is. Focusing your cyber security training on the gaps targeted by social engineering will make a difference, provided it is combined with basic phishing awareness. These attacks can arrive not only by email, but also by SMS text and social media messaging, as well as in the form of a phone call. Sometimes it is a combination of methods, slowly building up trust over time.
A better understanding of your business processes, and of the correct steps and checks within them, will also help users to identify erroneous requests from cyber criminals. Understanding why certain security processes are in place helps people pay more attention to them, especially if you show how those processes stop the criminals in their tracks. Awareness training is also about teaching people not to effectively 'leave the kitchen back door open' in your business, and how certain behaviours increase the security risks the business faces.
Technology is also not very effective at identifying emails and messages from compromised third parties that you trust, because the usual markers of a fake message (a look-alike domain, a failed sender check, an unfamiliar address) are not present. As it is a genuine account, the criminals can read the historic messages and may send something completely in context, so training people to be on the lookout for subtle clues and warning signs based on their previous interactions with that person will greatly help. A practical rule to teach is that any unusual request arriving this way, such as a change of bank details or an urgent payment, is confirmed out of band using a phone number you already hold for that contact, never one supplied in the message itself.
Awareness training helps people understand that staying secure is an ongoing process against changing threats, and that updates and patches are an important part of that process. Time and time again, data breaches have been carried out against systems where security patches had been available for months. Unfortunately, security updates can be time consuming and disruptive, so the pressure to delay them is often high.
That said, cybersecurity awareness training isn't worth the bother when it is not focused on what matters to the business and the people within it. If the training has no relevance to the systems and processes people actually use, or management aren't following the guidance themselves, it can be counterproductive. Training that is relevant and focused on the business risks will help people develop an understanding of the implications of a security incident, together with the knowledge of what is suspicious and needs reporting.
For many businesses, measuring the long-term effectiveness of awareness training, and counting all the near misses it may have stopped, is very difficult, but it is still a lot cheaper than the fallout from a major cyber incident.