Why cybersecurity training needs to change

Employees continue to pose one of the biggest threats to IT security. So why do organizations persist with training methods that don’t work?


For all the headlines around state-sponsored actors and hacker groups, organizations are just as likely to be vulnerable from within. A recent survey of executives across North America, Europe and Asia Pacific found that almost three in five believe that their own employees present more of a danger to security than cyber-criminals.

They are right to be concerned. The latest edition of IBM’s influential Cyber Security Intelligence Index Report found that human error was a major contributing cause in 95% of all breaches. 

You don’t have to search far for the examples. In January 2020, the logins of two employees of the hotel chain Marriott were used by attackers to access 5.2 million guest records. More recently, the Colonial Pipeline ransomware attack in the US, which resulted in gasoline shortages across the country, only needed the password of one employee to spark the plan into action. Such stories are becoming more and more common. 

Most of the time, employees are negligent rather than malicious. Counterintuitively, this presents more of a challenge for InfoSec teams. Unless there is something seriously wrong with your culture, then deliberate security breaches from within should be rare, predictable, and so avoidable. But everyone is capable of an inadvertent lapse—a weak password, using the same password for multiple applications, sharing sensitive information, sending data across unsecured networks, downloading email attachments, and even misplacing physical hardware are some common mistakes. And these are more likely to happen now that many more of us are working from home. Policing thousands of employees, in as many locations, around the clock, is easier said than done.

Many InfoSec teams will prioritize security software and systems, such as firewalls, Secure Access Service Edge (SASE) solutions, and security operations platforms. These are critical ingredients of a mature security posture. But they do not treat the source of an employee-led threat. Education does.


Employees are not the same

SecOps may be tempted to take a broad-brush approach and mandate security training for everyone. But even basic training has a lot to cover. Core topics would need to include how to generate and store login credentials, how to identify phishing attacks, how to secure a mobile device, social media safety, spotting social engineering scams, and using public Wi-Fi. Cover each too lightly, and employees may not understand the full scope of their responsibilities. Go too deep, and training courses become long, intrusive and so ineffectual.

A better approach is to recognize that information security is fundamentally about people, and that people are not the same. Employees will have different levels of motivation, understanding of risks, access to information, and behaviors. The more you can tailor security training at an individual level, the more likely it'll be effective.

That raises the question of how to get these insights. Employee surveys only work if everyone answers truthfully. That rarely happens, especially when you're asking people to admit their mistakes and weaknesses.


Observing is not training

Monitoring software may be the answer, but comes with a lot of considerations. For starters, there are all sorts of legal and ethical issues with tracking an employee’s online activity; and most international regulations (notably GDPR in the EU) are moving towards siding with the individual versus the organization. Get over that hurdle, and you need to know every device and network that every employee is working on, which has been made more challenging since the great exodus from the office took place. And culturally it can be a tough sell, with implications for trust and independence, which can easily stall innovation and productivity. Being able to follow up on findings may not be straightforward either. Having a conversation with a naive junior employee is one thing; but when one survey suggests that 78% of directors have intentionally shared data against their company’s policy, the ramifications go beyond security.

All the while, little education is happening. Observation on its own only identifies that a problem exists. Without the remedial follow-up, it quickly becomes an exercise in finger pointing. 


Monitor AND educate

What organizations really need is security software that can monitor employees (legally and subtly) while educating them at the time. A new breed of tools, such as Metomic, is designed to do exactly that. By integrating with everyday software, such as Slack, Zendesk and Salesforce, employees receive alerts that are specific to the actions they are taking. Not only do these prompts stop risky behavior in its tracks; they also make it less likely that the employee will make the same mistake again. Cyber threats are an everyday danger. So cybersecurity training should be too.

This approach takes IT and data security out of the training room and into everyday business. Without that, it is like the airline pilot who has aced the simulator, only to find that flying the real thing is a different challenge entirely. In other words, security training should not be measured by employee participation in a program, but by actual improvements in behavior, and by where improvements aren't being made. That helps to identify serial offenders, or applications where compliance is low, which may point to inherent security flaws or to the way that employees engage with the application. (Some scale-ups used Metomic to do just this.)
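To make the "monitor and educate" loop of the last two paragraphs concrete, here is an added example (my own sketch, not Metomic's code or API): a message from a collaboration tool is checked for sensitive content, the employee gets a nudge tied to that specific action, and the outcomes are recorded so you can measure behavior over time, surface repeat offenders, and spot applications with low compliance. The detection patterns, nudge texts and the `NudgeTracker` class are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed detectors for content an employee should not paste into a chat or ticket.
# A real tool would use its own classifiers; these patterns are illustrative only.
PATTERNS = {
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "shared_password": re.compile(r"\bpassword\s*(?:is|[:=])\s*\S+", re.IGNORECASE),
}

# The nudge is the training: short, specific to the action, delivered in the moment.
NUDGES = {
    "card_number": "That looks like a payment card number. Share it via the payments vault, not here.",
    "aws_access_key": "That looks like a cloud access key. Rotate it now and use the secrets manager.",
    "shared_password": "Passwords should never be sent in messages. Use the password manager to share access.",
}


def classify(text):
    """Return the names of every sensitive-content pattern found in a message."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))


class NudgeTracker:
    """Delivers in-context nudges and records outcomes so behaviour can be measured, not just participation."""

    def __init__(self):
        self.events = []  # one (user, app, risky) tuple per observed action

    def handle(self, user, app, text):
        """Check one action and return the nudges to show the employee right now."""
        findings = classify(text)
        self.events.append((user, app, bool(findings)))
        return [NUDGES[f] for f in findings]

    def repeat_offenders(self, threshold=2):
        """Users who triggered at least `threshold` nudges: candidates for a follow-up conversation."""
        counts = defaultdict(int)
        for user, _, risky in self.events:
            counts[user] += risky
        return sorted(u for u, n in counts.items() if n >= threshold)

    def compliance_by_app(self):
        """Share of clean actions per application; a low figure points at the app, not only the user."""
        total, clean = defaultdict(int), defaultdict(int)
        for _, app, risky in self.events:
            total[app] += 1
            clean[app] += not risky
        return {app: round(clean[app] / total[app], 2) for app in total}
```

Feed `handle()` with events from each integrated application and review `repeat_offenders()` and `compliance_by_app()` periodically; a falling nudge rate for a user or app is the behavioral improvement the text argues training should be measured by.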

Those organizations that grasp the opportunity to truly modernize their cybersecurity training—so that it is employee specific, continuous, unobtrusive and measurable—understand that the prize is not simply better security, but happier employees.


Get in touch today for a chat with our team and a demo of our product.
