The current state of cybersecurity has plenty of issues. Between ransomware denying access to our data and selling data on the dark web, to scammers talking people into transferring large amounts of money to their accounts, it’s pretty obvious things could be going better. Defending against these attacks is tough enough, but when users and cybersecurity leaders start blaming each other for the problems, it quickly becomes even more complicated.

Users blame security or information technology (IT) teams for not having technology in place to stop bad things from happening, while security and IT teams blame users for clicking on malicious links and documents. As resentment grows, so does the divide between the users and the security and IT staff, creating an unfavorable environment for fixing the issue.

The scope of security blame

This is not a new problem. This has been happening since workplaces started adopting computers for use in day-to-day operations and viruses and bad actors started attacking them. What has changed is the damage being done by these viruses and the bad actors.

A cyberattack no longer just means that email servers are overloaded as a virus spreads. Today these attacks mean theft of employee and customer data, pilfering of intellectual property, and even the use of organizational email accounts to run scams, resulting in millions of dollars of loss not only to the organization, but often to its users or vendors.

Educating users in cybersecurity

There was a time when security was the job of a department within the organization, often the IT or a dedicated information security department. However, the roles of users within organizations have grown to where they are the generators of massive amounts of digital information. By being not only consumers of the information, but generators of the information as well, they now have a direct role in protecting that information. Unfortunately, many users are not taught why or how to secure data.

For this reason, security leaders need to help educate users on cybersecurity principles, even if it means starting from the most basic level. Through this education, security professionals can help users understand why it’s not practical to block every website or email that could be malicious, and why the information they create or consume can be valuable to cybercriminals. Cybersecurity leaders can also help them understand that clicking on a malicious link in an email could let bad actors into the system to steal their data and that of coworkers, possibly resulting in their own identity being stolen or, in the case of ransomware, the organization being shut down for a week or more. Suddenly the issue affects them personally, which makes them want to pay attention.

Incident simulations

Simulated tests are another very valuable tool. Security leaders should understand that the purpose of these tests is not to trick users, but to provide more education and experience in a fail-safe environment.

When designing phishing tests, especially early on, the goal is not to make them so hard that nobody spots them. The goal should be to reinforce training and start with easier tests that allow users to succeed, building their confidence and lowering their skepticism toward the program.

The tests should be a little challenging without causing ill will from the recipients. Share the successes of the organization as they get better and remember to always keep the messaging positive. Tell them how much they improved and make sure they understand how this helps the whole organization, themselves included. If security teams automatically assign remedial training to clickers, make it short and relevant to the type of phish they fell for, not on an unrelated topic. This makes it much easier for the user to accept. Messaging is a key part of making training successful.

Speaking of ill will, it is important that email phishing campaigns steer clear of topics that can cause harm to the organization. In the past, organizations have sent simulated attacks telling people they are going to be laid off or promising annual bonuses to employees when none exist. While these are tactics that bad actors will use, they don’t need to be used in simulated attacks to teach people the red flags to look out for. In addition, don’t shame individuals, especially in front of coworkers, when they make a mistake — help them improve.

It’s the role of security and IT professionals, as well as security-minded users, to help others make better security decisions and to educate them about the threats and how to protect themselves. Only when interactions with the IT and security teams are not seen as abrasive will security teams be able to bridge the gap between them and the users and really start making positive progress in user behaviors that reduce risk.


This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine.