Why it’s Time to Re-evaluate Your Approach to Cybersecurity Training
Richard Cassidy, Sr Director Security Strategy at Exabeam, discusses the critical role of training in effective cybersecurity and why it's time to move past the traditional classroom approach if businesses want to maximise staff engagement.
When it comes to effective cybersecurity training, it's clear (just look at breach data statistics this past 3 months alone!) that the industry has been getting it very wrong. Why is it proving to be so difficult to get right; surely a vigilant, knowledgeable workforce is by far the most valuable asset in any business' defence strategy. Undoubtedly, the vast majority of cyber-attacks still rely on traditional social engineering and phishing techniques to infiltrate target systems - techniques that well trained staff can easily spot and avoid/flag. So what needs to change, how do we build a corporate culture around our cybersecurity needs, and more importantly, how do we better equip our teams in a new era of cyberwarfare?
Unfortunately, in recent years the value of cybersecurity training has been eroded, with many businesses demoting it to a half-day, classroom-based activity every 6-12 months, done for compliance reasons rather than actual security purposes. This mundane approach does little to engage staff in a meaningful way on the importance of cybersecurity, turning it into something of a self-defeating tick-box exercise, rather than the potent tool it can be.
The Need for Robust Cybersecurity is Higher Than Ever
In the current business landscape, with record numbers of people working from home, the need for alert, cyber aware staff is higher than ever before. Not only are new cyber threats emerging all the time, but home working environments are notoriously full of distractions, making momentary lapses in judgement more likely if people don't have security top of mind and know what to look out for. We're all on the frontlines of this new global cyber war and it's high time we transformed our training practices to meet this new challenge.
Furthermore, data is playing a bigger and bigger role in modern business, meaning the consequences of a data breach, even a small one, could be severe. Reputational damage, loss of customer confidence and major regulatory fines can all prove fatal to a business's long term prospects. Ultimately, businesses need to know they can trust their employees to act appropriately, regardless of when, where and how they are working.
Learning from Other Sectors and Industries
The role of cybersecurity training is not just to educate staff on what to look out for, but also to gain their buy-in on why it's so important, both for the business and for them as individuals. Doing so requires a training approach that goes beyond uninspiring videos and PowerPoint presentations, and engages with them on a more relatable level.
A great way to understand this is better is reviewing the way training is handled in other industries, such as the medical sector, where poor decision making can be the difference between life and death. For instance, the NHS uses situation-based scenarios to help trainees understand the real-world consequences of decisions they make, showing them the entire journey and the importance of their contribution (or not) further down the chain. This approach gives trainees a much better appreciation for the entire circle of ownership, resulting in better questions being asked when it matters and better outcomes gained as a result.
Translating Best Training Practices to the Corporate World
Studying best practice from other industries can help businesses modify their own training programmes in ways that help staff better understand their responsibilities when it comes to data protection and security (and the ramifications of what can happen when they don't).
Of course, cybersecurity is rarely a case of life and death (although a recent attack on Dusseldorf hospital proves it can be). However, as mentioned earlier, it doesn't mean the consequences can't be severe. For example, if an employee carelessly opens an infected file in a phishing email that leads to a cyber-attack, the subsequent fines or reputational damage could negatively impact sales, forcing the company into cost cutting measures such as promotion freezes, salary cuts or even job losses. While this may be on the extreme end of the scale, people tend to exercise far greater levels of caution when they know a mistake has the potential to put their job, or even the entire organisation, on the line.
Another great way to make security training more engaging and exciting is through the introduction of red team exercises that test employee skills and awareness in real-world environments. Staff can either be notified beforehand, or kept in the dark for the ultimate test. Similar to situation-based training, the aim isn't to publicly berate anyone who accidentally opens an infected file, but rather to help keep security top of mind and make people aware of the impact of their actions.
When it Comes to Cybersecurity Training, it Pays to be on the Front Foot
Unfortunately, too many businesses out there are only willing to change their cybersecurity training habits after they've suffered an attack, by which point it is too late. That's because until you've become a victim, it's easy to gloss over its importance, particularly if it costs more money to improve. Better cyber security training does inevitably cost more money, but it is still the most cost effective way to improve security posture. Furthermore, the cost of better training is, and always will be, far lower than the financial and reputational costs of a high profile data breach.
Richard Cassidy, Sr Director Security Strategy EMEA at Exabeam
Richard Cassidy has been consulting to businesses on cyber security strategies and programs for more than 19 years, working across highly regulated industries including finance, insurance, retail, manufacturing, government and military. During his career, Richard has been heavily engaged in the design and implementation of solutions, helping organisations in evolving security, compliance, risk management, data assurance, automation, orchestration & response practices.
Richard's security operations experience includes managing CERT, breach response teams, threat intelligence & hunting teams, as well as teaching customers a practical understanding of how their data and assets are targeted by cyber-criminal groups, driving effective security practices and mitigation strategies.
Combining hands on experience of the technologies and services that have evolved over the past two decades, with a detailed perspective on end user security risks, Richard focuses on helping decision makers define practical security, compliance and data assurance strategies. He is well versed in showing organisations how to better navigate a highly complex and automated threat landscape, in tandem with achieving (and maintaining) regulatory, compliance and data assurance mandates that business leaders face in today's technology landscape.