It’s time to rethink cybersecurity training… Again

Cybersecurity training today is much different than it was 10 years ago. In most organizations, we have developed training that is engaging, interactive, even enjoyable at times. Security leaders of yesterday realized that having a once a year, boring, PowerPoint like training that employees had to undergo to check a box was not working. Everyone dreaded that training and that led to skimming the material and clicking through slides, then brute-forcing their way through the answers on the final exam.

What we’ve seen in the past decade is cybersecurity training being changed to be fun, interactive, and even enjoyable.

Keep in mind the following statistics:

When it comes to breaches, 28% involved malware and 32–33% included phishing or social engineering, respectively (2020 Verizon report)
To compliment the above statistic: 94% of malware was delivered by email (2019 Verizon report DBIR)
94% of hacking crime is done via Social Engineering (SafeAtLast)
60% of breach investigation attribute social engineering as the conduit to initial point of entry (TrustWave)
95% of organizations polled delivered phishing training in 2020 (Proofpoint’s State of the Phish 2020 Report)

What does this tell us? Despite the fancy, new, fun, and innovative cyber training, people are still clicking links. They are still not recognizing security threats. It’s time to adapt the training again.

Cybersecurity training has been simplified and de-mystified so much to make it fun and appealing that we’ve, in many cases overcompensated. I’m talking cyber training that depicts the ‘bad guys’ as monsters, the data as classified troves of passwords and social security numbers, and emails sent for phishing as being sent from a foreign country, misspelled, and detectable by most people during a busy workday.

Employees are goners if that is what they think social attack threats are and the cybersecurity training’s purpose is to give them a fighting chance.

As we think about adapting our cybersecurity training to be more realistic, applicable, and effective, what are some things you should definitely keep and what are some things you should lose in your current security training?

Accountability: There should be clear expectations, reporting pathways, and accountability statements about what is expected of them in the incident reporting and response cycle.
Frequency: Good cybersecurity training program should be conducted multiple times a year. The true number per year might take some experimentation, and it might be different per department. Finance professionals might need to take training quarterly while employees in sales, may get away with twice a year. Don’t feel like you are overburdening your employees with this training, it is absolutely necessary.
Applicable: Security training needs to spell out threats, components of an attack, how your company deals with those things, and all of the reasons why. It does not have to be a cartoon gameshow that you put on because you want it to be fun. Get to the point, don’t sugarcoat terminology when you can, and make it real.
Input from security professionals: If there has ever been a true {necessary} enemy to real, raw writing, it’s the editing and marketing aspect. While it is necessary to get your training looked at by other teams that can make it look nice – too much of this good thing is a bad thing. Lean hard on your security team and, if needed, hire an outside consultant to develop a large majority of your content. Prevent unnecessary changes to verbiage and include some threats tailored specially to security incidents that your company has experienced - even if they were not successful.
Call to action: Like any good speech, a call to action is a necessary and powerful piece of this training. Ensure that your employees feel empowered to report, knowing well that they have your support as well as the support of the security team with any reporting. Yes, your employees will report potentially silly things that they ‘just had a bad feeling about’. Encourage over-reporting and for repeat offenders, give personalized training to without ever making it a bad thing. We have to make tattle-telling a good thing.

If your cybersecurity training is depicting big bad monsters, big large databases being exfiltrated, or weird looking emails that are easily detectable (even when your employees might receive 100 of emails a day) – think again. Training should be short, frequent, realistic, and altogether focused on the threats that target your organization most.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.

Samuel Cameron is the Team Lead for Cisco System’s Managed Security Service - Active Threat Analytics (ATA) near Raleigh, North Carolina. He has an experienced background in security operations, network engineering, threat intelligence, and automating the boring stuff. He is also an MBA candidate through North Carolina State University and an Advisory Board Member for the Town of Wake Forest, where he lives with his wife and daughter.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.