What You Should Demand From Your Security Awareness Training?

by Tony Richardson CISSP


The recent Cyberedge 2022 Cyber Defence Report highlights low security awareness among employees as the second highest impediment to security. Threat actors continue to see employees as the weakest link in defences, susceptible to phishing campaigns, social engineering attacks, business email compromise (BEC) attacks, and other techniques that play on human (rather than technical) weaknesses. Deep fakes and the availability of personal details on social media are likely to make it even easier to hoodwink employees. A few organizations have begun to take aggressive measures to improve security awareness, such as ongoing security training and simulated phishing and social engineering attacks, but clearly not enough is being done to educate employees.

“The number of work-from-home employees continues to rise… creating more targets for cybercriminals and more incentives to perfect their tactics, techniques, and procedures.”

We need to reduce avoidable incidents by supporting and educating people, by empowering and improving confidence, and by measuring and improving their security behaviours.

Place people at the centre.

To reduce security incidents your training needs to place people front and centre. Behavioural science is key. We expect personalised experiences in our lives outside work, so why should security and awareness training at work be any different? Think ‘Fitbit’ fitness tracker, but for personal security decisions and behaviours.

It’s possible to get this personalised training using behavioural science and data, ensuring people receive information at the right time, tailored to their requirements.

Cyber security training is not a box-ticking exercise. It can either deliver bad experiences, or it can deliver good experiences. Good experiences maintain happy and engaged employees. Security training should also give people everything they need to do great things at work without the worry and hassle of being tripped up by a cybercriminal. The result is happier people, less worry, better productivity, and more freedom to do good things in an organisation.

Measurement is key.

Security training needs to provide risk insight and measure behaviour change. How can you influence change if you can’t measure it? Security teams need insights into which elements of their security programme are working, and why. They need a clear understanding of the impact their human cyber risk programmes bring.

Just being aware of cyber threats isn’t enough. Genuine behavioural change is required, and it needs to be measured. By doing this, employees will be equipped with the tools and confidence to protect themselves and their organisations.

Decision makers will value you for implementing risk reduction strategies.

Build a security culture.

To reduce human cyber risk, security awareness training must go beyond raising awareness. Focus on changing behaviour and building a better culture of security. Organisations unable to measure cultural alignment with organisational goals will lack a key component of their risk strategy. Understanding, measuring, and improving culture remains a time-consuming and difficult challenge, but it is an integral part of understanding an organisation’s overall risk profile. Without this, it is possible for an individual to know what to do, to hold a positive attitude towards security, and still behave in an insecure manner thanks to a corrosive culture of mistrust and individualism.

There is also no perfect recipe for security culture. An organisation in the United Kingdom will most likely differ from one in the United States. In a similar vein, an organisation within the legal sector will differ greatly from an organisation within the healthcare sector. Nevertheless, there are tactics that all organisations can use to help improve security culture. If culture is specific to an organisation, then how do you measure cyber security culture consistently across and within organisations?

Scrap the ‘blame game’ culture.

These measures can only be successful if organisations are willing to stop blaming people for cyber security failures. Security professionals must stop viewing their employees as the organisation’s weakest link. They are not. If anything, people are standing on the front line against cyber attacks, and they must be provided with the best tools to defend against them.

To help employees, security professionals should foster a supportive and positive culture. Positive environments keep employees engaged, responsive, and more inclined to raise any concerns. Add tailored goals with metrics to the mix, and organisations will find themselves with a security awareness programme that can bring about genuine behavioural change.