In this article ITC’s Malcolm Taylor considers the core areas of cyber security awareness training.
Mark Twain famously said, “Training is everything. The peach was once a bitter almond; cauliflower is nothing but cabbage with a college education.” However flippant these remarks may seem, with businesses today facing ever-increasing threats of cyber hacks and data breaches, his words have gained a new relevance.
Cyber attackers don’t tend to like the real world. Not, as might be stereotyped, because they haven’t left their bedrooms since their mid-teens, but rather because this is where they come up against real people with real decisions to make – decisions which will determine whether their attack succeeds or not.
Some cyber-attacks get past even the best technical defences – that’s obvious, otherwise the problem would have been solved by now – and it’s at this point the actions of the user (the real person) are critical. If they make the right decision, they will thwart the attack. No wonder then, that cyber attackers don’t like the real world; it’s almost completely out of their control.
Having said all that, it remains the case that over 90% of cyber-attacks rely for their success on someone (that real person again) inside an organisation unwittingly helping the attackers.
All organisations (all successful ones anyway) train their staff: in HR, health and safety, production, finance and, of course, the use of the IT upon which they invariably rely. Very few, however, train them how to use their IT securely. This is despite the growing body of research which clearly shows that companies who train their staff in this way suffer fewer, and less damaging, cyber-attacks.
But where for years the real world has given attackers an effective free pass, it’s beginning at last to fight back; cyber security awareness training is now available, affordable and (when done right) effective.
Cyber security awareness training is sometimes – uncomfortably – referred to as a way of creating the “human firewall”. Clunky as that may be, it makes the point. The staff of an organisation can be either a part of the problem or a part of the solution; when deciding whether or not to provide this training, an organisation is making this binary choice. It really is that simple.
The decision to provide cyber security awareness training seems straightforward then, and once made it is simply a matter of selecting the training required. There are various delivery methods available, and a number of key components from which to choose. Training methods are largely a matter of compatibility – it would be futile to attempt a classroom-based approach for an organisation of thousands of people dispersed around the globe, for example. Likewise, a company of a couple of hundred staff in a single location may not consider an e-learning package a good fit for them. Hybrid solutions are common – perhaps e-learning for many, with tailored face-to-face packages for those deemed to be in the most at-risk roles, such as finance or those who deal with PII or the most sensitive company data.
Perhaps more important than the method of delivery – they can all work well in the right environment – is the selection of areas to be covered. Training budgets are necessarily finite and organisations will always aim for the best return on their investment. To help with the decision-making I’ve detailed the areas I consider core:
Passwords. Call me predictable, but password security is fundamental and remains a key area of weakness. The internet works only through authentication – we have to prove who we are, remotely, every time we log on. The most common means of achieving this is still via a password; every user’s password should be sacrosanct – but very often it is not. All training should cover password security. It should teach how to choose, and crucially remember, secure passwords (for each account).
Phishing. Over 90% of attacks rely on this technique at some point in their lifecycle. Most people have heard of phishing and almost everyone can identify the very worst attempts at it – perhaps still the “Nigerian” 419 fraud (with apologies to Nigeria, which is no more responsible for this phenomenon than anywhere else on earth). But good phishing emails succeed; how to identify and check a suspicious email, and (crucially) what to do when you find one, is a non-negotiable component of good training. Trained staff get phished less often, period.
Social media. This is perhaps a little less predictable (but in my view barely less important). Social media is one of the attackers’ tools of choice. It is effectively their intelligence collection platform. Attackers research their targets and so design attacks which are much more likely to succeed, and they do this by using the information we choose to give them. The safe use of social media is (or should be) a fundamental part of good cyber security awareness training.
Digital footprint. Closely aligned to social media, this is about the information we leave behind. Some of it is overt – postings, musings, comments on others’ posts – but some of it is much less obvious. For example, location services: where have you been, for how long and with whom? Data sharing, too: of the free apps on your phone, how many are harvesting your data? Some, for sure – and you allowed it when you accepted (without reading) their terms. If the app is free, you are the commodity.
Safe browsing. The internet is such an integral part of our lives that we use it without a thought. But bad websites exist – by accident or design. Malware can be spread, otherwise safe websites spoofed, credentials (passwords and user names) harvested and used for fraud or sold. Good cyber awareness training should include the safe use of the internet.
Removable media. This is also an area of weakness where simple training is effective. USB drives and all removable hardware can be an attack vector – and so how they are used either leads to or prevents attacks. The Stuxnet virus, for those still unsure, was delivered to the heart of the Iranian nuclear programme via an infected USB drive.
These are my core areas for good cyber security awareness training. Ideally the training should be iterative – a single course on day two of induction does not solve the problem. People need on-going engagement and commitment. A basic course should be backed up by refresher sessions (perhaps phishing campaigns in which the staff of an organisation are safely phished by their training provider) and on-going reminders of important issues (possibly through poster campaigns or similar).
Good cyber security awareness training doesn’t only teach, it creates a security culture. And, as I’ve said already, companies that invest in training and develop such a culture suffer fewer and less damaging cyber-attacks.