Ticking boxes and taking names?

When it comes to security awareness training, are companies choosing compliance over security? By now, with the numerous high-profile data breaches and all-things-cyber dominating the news cycles, most employees understand that cyberattacks are a real threat. Yet, the average security awareness training programs are lagging, typified by ill-attempted compliance tick-the-box initiatives that waste time and resources. According to Gartner research, more than $1.2B has been spent on computer-based training since 2015, and simulated phishing click-rates have dropped just 1% from 2017 to 2018. This present-day gap calls for a different approach.

Preying on the human side of cyber

With the acceleration of cloud technologies and the accessibility to the internet, cybercriminals have refocused their strategy. Back in the day, to breach a system an attacker would scan the open web presence, spot a web vulnerability, and take over the server. SysAdmins stood a chance because they must know their craft, but now attackers can specifically target who they believe to be the “weakest link” employee.

Phishers and social engineers prey on human error. Social engineering attacks like spear phishing and business email compromise are successful because they use psychological manipulation to trick users into making security mistakes or giving away sensitive information. If the scammer can gain the recipient’s confidence and trust, then the attacker can swiftly extract information, commit fraud, or gain system access. Encompassing a broad range of malicious activities, social engineering attacks are worth keeping an eye on to monitor your company’s vulnerabilities.

Where are the gaps with the typical security awareness training program?

Currently, most training programs include the following areas in both an individual, on-demand or group, classroom style setting: a brief overview of threat types like malware and phishing, password policies, 2FA, web and email protection, and generic preventive measures. “Spot the phish” phishing simulation exercises are more interactive, but are rarely tailored, making them ineffective when it comes to spotting real-life phishing attempts. Quarterly security awareness training is usually focused on physical protection (no tailgating, don’t lose your laptop) and best practices (password length, spotting account impersonation).

While security awareness training does play a role in an organization’s security measures, employee mobility and turnover creates challenges in effective training programs that safeguard employee and customer information. Consider the example of Hersha Hospitality Management, like the rest of the hospitality industry, has a volatile, often seasonal employee base.

Hersha’s VP of IT Jason Shane says, “Ensuring new employees adhere to our rigorous security standards is a tedious process, particularly as new threats emerge daily.”

Shane and his team decided to redefine security awareness training by turning to context-based learning–training employees in the exact moment of risk.

Creating a security culture not human firewalls

Providing employees with security training can do only so much. Preemptively “phishing” your own employees with simulated attack emails and educating those who click on links with a training video is an outdated approach that doesn’t meaningfully increase cyber resilience. Instead, it positions the IT security team as an agitator and source of humiliation for some employees.

Rather than trying to shame and then coach employees, IT leaders should look to create a frictionless information security strategy—one that is natively integrated into the workflows of ordinary users and that complements rather than conflicts with technology-centric security investments.

We know already that we can’t rely solely on blocking technology to protect our organizations–that’s why user awareness training programs exist in the first place. But that doesn’t mean that threat detection has no place in security awareness training. Beyond filtering out the obviously bad material, sophisticated threat detection can bolster the human firewall by identifying suspicious email and, more importantly, providing users the context into understanding why it was suspicious. Ultimately, effectively securing email requires a fundamental shift in the way you think about mitigating risk.

What do we need to better understand if we want to get better security results?

We need to strip away the buzzwords and ask: How do we create force multipliers in cybersecurity? Integrating user awareness training into other core components of your defense strategy, specifically business processes and technology. The threat surface is growing, and cybercriminals are becoming more sophisticated. They’re utilizing threat tactics that have made it increasingly difficult for organizations to protect themselves at scale. Cybercriminals are putting pressure on businesses by increasing the volume of these kinds of targeted attacks, dramatically outpacing even the world’s largest security teams’ ability to keep up.

Visibility is sadly lacking within most of today’s organizations, and it’s unrealistic for security teams to secure something they can’t see. There’s no tool or widget that can totally fix this and make everything safe. But we can get to a point where we could construct a security program that reduces risk in a demonstrable way. We can establish metrics for where your risk profile is today. With automation tools, security leaders can help their teams more efficiently manage the overwhelming number of alerts and potential vulnerabilities they face daily. Programmatically remediating low-level threats enables staff to prioritize investigation of critical threats that require human judgement.

What do security leaders need to do to start this journey?

The first step is to recognize: Employees with good intentions can make poor decisions. This is true no matter how well informed. Social status, time constraints, and urgency increase psychological pressure to respond to seemingly legitimate requests for which training users is insufficient.

Often, the challenge for security is that of time. Given infinite resources, all attacks are addressable. The reality of inbound threat exceeds capacity for most enterprises. So, security leaders need to use technology to ease the burden on IT teams while also looking for ways to further reduce risk for employees. Security leaders should look through their cybersecurity policies closely to see if there are areas that are either overly manual (i.e. reviewing all emails with threat characteristics) or take up a lot of time with little value to the overall business.

Watch our on-demand webinar with Infosecurity Magazine on How to Assess Phishing Awareness & Evaluate Simulation Alternatives!