The game has changed for employee cyber security awareness training. For most organizations, the reason why they implemented a security awareness training program was to check the box for compliance. It might feel like a win after you pass a compliance audit, but security awareness is an infinite game.
You can’t win in security awareness. You can only build progress towards a better defense.
Balancing security and compliance will never go away; in fact, it just continues to increase with more compliance regulations. With frameworks such as NERC CIP, SOC 2, PCI, HIPAA, NIST, and dozens more, security awareness is a compliance-enforced activity. But just because something falls into a compliance checklist doesn’t mean it needs to be treated that way.
For IT professionals, there is not a CISO, IT Director, or information security leader in this world that doesn’t believe a strong security awareness training program is a critical part of their overall security program especially with the threat of ransomware. Several years ago I would argue that statement wasn’t true.
As an industry to solve the problem of employee security awareness, we responded by quickly implementing technology to check the box for providing some type of training. However, many admins in charge of training ignored their employees instead of listening to their feedback about the training they must take; this feedback is essential to ensure people actually learn in order to defend against a cyber attack.
Not all security awareness training is created equal.
If we continue to make blanket statements that all educational programs are the same, we are going to continue to see a misguided industry. If the feelings of resentment, mistrust, and anger come from employee phishing training, it’s about the tools and approach which is not the purpose.
The wrong mindset about information security training reflects directly on your employees. It’s easy to feel this way when looking at the majority of employees’ feelings towards how useless education being implemented in this field actually is. It feels like a waste of time for everyone involved when you’re just clicking ‘next’ on PowerPoint slides.
Technical controls are extremely important in any great cyber security program, but they’re not the ultimate answer. What do I know, it’s up to the security community to do better than this. Just look at what is happening to organizations across America.
So the water hack came down to a shared password and decade-old Windows software that hasn’t been updated in years. And now, thanks to @williamturton we know that Colonial Pipeline ultimately came down to the lack of multi-factor authentication. What are we doing? https://t.co/uFSdFrydaI— Nicole Perlroth (@nicoleperlroth) June 4, 2021
Diversity in solving security problems
Even if you are solving complex math problems, there is typically more than one way to arrive at the correct solution. So when looking to solve this security problem of developing a comprehensive security awareness program for employees, why aren’t we putting in the thought it deserves instead of just running to an answer?
Over the years, we have uncovered more and more data supporting the fact that employee mistakes ultimately lead to the majority of data breaches which can also result in a series of things such as business email compromise, malware, ransomware… you name it.
We use phishing simulations to train, educate, and make our employees aware of all the diverse problems they may face in real life. Then why would we take the approach that isn’t working? Why are we not thoughtfully understanding the problem? Why do we continue to make our employees upset with the way we push phishing tests on them? Then they end up resenting security instead of embracing it.
Think about it:
- Why don’t we eat the same food every single night?
- Why don’t we watch the exact same movie over and over again?
- Why don’t we all wear the same clothes as each other every single day?
- Why don’t we all live in the same town?
You get it. Humans are diverse people. We have feelings, thoughts, and behaviors that are difficult to understand. But most importantly, we need to be cared for. It’s in our DNA to fight for these basic needs.
So why are we not applying diversity in our phishing simulations and how we teach employees about phishing?
Risk is never eliminated. It’s accepted, mitigated, or transferred. Phishing training and education reduces risk.
A common misconception of phishing tests is to eliminate risk, hoping people don’t click on anything. It’s not, and we definitely don’t advocate for this as a goal here at Curricula. We’re here to help support the community against being steered in the wrong direction in an area that’s clear we all need help in.
This needs to change. We need to understand what we are trying to solve and focus.
How to improve security awareness training
The number one thing is you have to care.
This is all about putting in the effort towards getting employees bought into the idea that security is helpful to them, and not harmful. Although some things may seem like speed bumps to your employees, they’re all meant to be helpful both at work and at home.
All I’m advocating for is that we all need to do better. We can’t just buy software or implement technical controls and expect results. Creating a better ‘why’ for security awareness training involves the security community to work together on understanding the problem from a new angle. We’ve been jumping towards answers with the wrong tools and we need to refresh our security awareness toolkits. We need to create a better why.
While I won’t say our team at Curricula has all the answers, I can assure you we are working to help others find better answers. This problem we are all working together to solve will not go away. Curricula’s attitude towards this issue is focused on endorsing positive behavior change for everyone. We’ve even made a code of ethics to support our position on creating a better security awareness community.
People will always need to learn about new things. Hackers will always come our way. Businesses will always be around. So let’s realize the steps we need to take to do better and work towards finding answers that make a difference with our employees.