The social engineering threat to businesses has perhaps never been so severe. The growth of social media, remote working, and personal devices have combined to produce multiple new attack surfaces in companies’ cyber defences. While technical defences are important, they have a negligible effect if compromised by staff actions.
This means a critical part of businesses’ cyber strategies must be to focus on the human facet of security – developing a positive and knowledgeable security culture that is tangibly evident in the behaviours people present, especially when no-one is looking.
Most businesses don’t heed this advice, but even the ones that do often treat the threat inappropriately. There’s a bewildering amount of phishing training currently available, and frankly, its quality and value is variable. In spite of good intentions, for those that do opt for training, staff are still usually phished regularly. Breaches occur. Reputations are damaged.
So what’s going wrong? And what’s the solution?
Despite their questionable effectiveness, “traditional” forms of cyber security training still constitute the majority of programmes: many companies choose to give staff training manuals with the unreasonable expectation that they will act on information, simply because they have read it.
Other companies implement one-off training sessions. These are often long and tiring, and by the end of the day, employees don’t tend to retain much given the level of concentration required.
The content itself often lacks relevance, focusing mostly on the working environment, despite the fact that social engineering attacks can be received anywhere and at any moment, with people working on their phones and tablets. Often, the advice itself is poor – for example, advice to staff that leads to an over-reliance on being able to spot incorrect spelling and grammar. In reality, of course, some scammers can spell properly.
Even when staff are trained, this can sometimes open the door to a ‘blame culture’, and the establishment of punishments for those who struggle to identify phishes. Of course, phishing isn’t always easy to spot, and indeed, punishing staff when they make mistakes doesn’t make them better at phishing; it simply means that they may be less likely to admit to being phished in the future.
A reinvention of the wheel is exactly what’s needed. Staff might be the targets of social engineering and other threats, but they are also, potentially, a company’s biggest shield – if they’re trained in the right way.
Educational theory, behavioural psychology, and cutting-edge tech should form the bedrock of such a reinvention; these disciplines have a lot to offer, not just to cybersecurity training, but to the workplace training as a whole.
As things currently stand, what we know about how people learn, and how businesses go about training staff couldn’t be more polarised. Take Malcolm Knowles’ adult learning theory, for example. It’s based on a few core principles:
- Adults learn independently
- They have experience – a useful springboard for learning
- They value learning that integrates with everyday life
- They are more interested in problem-solving approaches than in subject centred ones
- They are more motivated by internal, rather than external factors
Looking over the central tenets of Knowles’ theory, it’s hard to identify anything that can be found in most ‘modern’ cyber-security training programmes: training is seldom undisruptive to work. Very few programmes offer even the semblance of problem-solving, and fewer still take into account the experiences and prior knowledge of the adults who are being trained.
Knowles is by no means the only educationalist who has been flatly ignored in the cyber-security training space. It’s widely recognised, for example, that allowing individuals to control their rate of learning helps them to learn more effectively, that learning happens best when the instruction is related to real life experiences (Gestalt Theory), and that people learn more deeply from words and pictures, than from only words (the “multimedia principle”).
We know, too, that training should be regular; it’s well-documented within educational psychology that people digest more information in small, regular bites. We know that training should recognise that different people learn in different ways; we know it should embrace modern technologies that enable learning to be personalised – notably, artificial intelligence and machine learning.
Much research has been done into how adults assimilate new information, and how we behave online. Now, it’s a matter of integrating these models into the way that companies train their staff.
By Oz Alashe, CEO & Co-Founder , CybSafe
PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.
Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/