Cyber education started roughly 30 years ago as a technical area for IT professionals, but as technology and the internet expanded, the need for training shifted from the elite few to all employees using computers and accessing files. In the last decade, cyber education shifted to Learning Management System (LMS) driven training with an emphasis on phishing. But despite this, breaches are still on the rise with phishing attacks accounting “for more than 80% of reported security incidents.”
Why Phishing Tests Don’t Work
As phishing grew in its complexity and frequency, new companies emerged offering to “phish” an organization’s employees. The primary reason given for this type of trickery was to “test” the employee. The belief was that by phishing an employee, organizations could somehow prevent employees from falling for real world phishing attacks.
But phishing is not a static form of attack. There are millions of different variations of phishing. Criminals try different messages and change them daily to see what works. A skilled individual could achieve an 80% click rate on a phishing email just by knowing a few key things about an organization.
Phishing an employee as a form of training doesn’t work. Not only is it too narrow—often covering only one specific type of email—it doesn’t equip the employee with the skills to spot new attacks. Worse, it is a punitive approach that leaves employees nervous and sometimes numb. If it creates any behavior change, it’s not the kind an organization really wants.
New Technology, New Training—Enduring Wisdom
Traditional cybersecurity training can be individual or LMS-based and generally hinges on a 30- to 60-minute session of basic training once a year. There will be some visual reminders taking the form of emails or posters during the year. But regardless of the minor variations, traditional training doesn’t work. Both content and delivery need to be agile and updated to remain relevant with the constantly changing cybersecurity landscape. New approaches to cybersecurity awareness training include a shift to mobile devices, a daily or weekly cadence, team and department interactions, leaderboards that spur friendly competition, specific industry relevant content, and shorter training called microlearning.
Training that is built around microlearning is remembered. It was Hermann Ebbinghaus’ pioneering research in the late 1800s that “discovered that without any reinforcement or connections to prior knowledge, information is quickly forgotten—roughly 56% in one hour, 66% after a day, and 75% after six days.” To increase retention, it is essential to make as many connections as possible and repeat the information. An hour of training—or worse: longer—once a year, isn’t how people learn and retain information. People learn from continual review and building concept upon concept Just like one doesn’t go to the gym once a year to keep muscles fit, the mind is a muscle. Exercise and train daily in small doses to maintain and improve performance. Those daily sessions are microlearning—this is how the mind works best.
Cybersecurity education is the number one way that organizations can help prevent cybercrime. According to a CybSafe analysis of data from the UK Information Commissioner’s Office, 90% of breaches can be traced to human error.(4) Whether it is the network configuration or inadequate training of an end-user, people are what make an organization vulnerable or strong. Here are 5 ways to help your organization fight cybercrime:
- Train Employees Frequently. Organizations give time to what matters. Understanding the importance of a message reinforces it. Remind employees often what behaviors are truly important. Remember also that people learn in different ways. Hearing a message in various formats helps learners absorb and access information better.
- Password Management. Passwords are literally the keys to the kingdom. Provide password management solutions for managers to keep track of passwords and shift away from Post-it notes hidden near the computer screen.
- Frequent Patching. Updating software is a critical function of closing vulnerability holes. Known vulnerabilities are attacked by criminals on a daily basis. “60% of breaches involved vulnerabilities for which a patch was available but not applied.” Update and patch regularly.(5)
- Remote Workers. Provide VPNs and firewalls for more secure access to sensitive data. Don’t assume employees have correctly set up routers or follow secure WiFi protocols at home. Make sure they have guidance that will keep the company’s information secure when working from home.
- Backups. Backup your system and critical information regularly. Keep these backups secure and separate from your network. Ransomware is getting trickier and more aggressive—but having important data backed up gives peace of mind and helps with both prevention and recovery when it comes to ransomware attacks.
Cyberattacks shift and evolve. Training has to keep up. Although cyber education has been around for almost 30 years, it has just begun. Cybersecurity education is here to stay and will continue to get better and more tailored to the individual and organization’s needs. So, train, train often, and train efficiently.