In its current shape and form, we can safely say that cybersecurity training is less than effective.
Just look at these stats from last year: out of 1,200 employees, more than two-thirds (69%) were trained in cybersecurity best practices, yet 61% failed when taking a basic cybersecurity quiz. Not just that, but also 60% of those who failed the quiz said they felt safe from cyber-threats.
And it’s all over the web. One after another, cybersecurity experts are warning that current cybersecurity training methods are failing everyone, but they can’t quite pin down why.
The ‘why’ is that businesses are trying to fit a square peg into a round hole. They’re not taking context into account, they’re not personalizing threat assessment and training, and as a result, employees’ cyber behavior remains a threat.
The way to step out of the matrix is to adopt a continuous security behavioral change loop.
Before we zoom in to why applying a behavioral change loop approach can help you improve employees’ cyber behavior, let’s first zoom out and understand what CISOs are currently doing wrong.
Why traditional cybersecurity training doesn’t work?
Covid-19 blew the cover right off of everyone’s cybersecurity knowledge and habits.
Numerous studies have shown that as Covid forced organizations into remote working, the number of data breaches and cybersecurity incidents soared.
Businesses moved to protect their assets, their premises, and their employees, enforcing industry-standard defensive measures, such as multi-factor authentication, better password hygiene, and cybersecurity awareness training.
It became quite obvious people were using the same password across countless services and were rarely changing it, that they were reckless with their corporate hardware, that they were mindlessly clicking on links and attachments in their emails, the list goes on.
Consequently, cybersecurity training became a higher priority for companies, which were deploying it left and right. And the results were… underwhelming.
It barely moved the needle. People still fall for phishing emails, they’re still careless with their passwords – they’re still endangering the entire organization. The only thing that changed is – more of them now have a false sense of security.
The problem with the way businesses conduct cybersecurity training is that it lacks context and does not evaluate each employee’s risk. Age, computer literacy, position within the firm, observed cyber behavior, receptiveness to change: these are all unique to each employee, and they place people at different points on the risk ladder.
Businesses fail to acknowledge these fundamental differences and try to apply the same training across the board. In other words, one size doesn’t fit all.
As a result, employees lack interest and motivation, and the training ends up being ineffective. Employee behavior ends up more or less the same, and it’s only a matter of time before the next downloaded attachment proves to be ransomware.
Without measuring each individual’s risk potential, CISOs cannot assume that sending security awareness materials to employees will change their behavior.
Or, to be more precise – they can know that it probably won’t.
Furthermore, without assessing the risk, CISOs cannot prioritize actions, such as security training, or controls, to target high-risk employees. The worst part is that businesses are operating in the dark, unaware of their employees’ risky cyber behavior. And without visibility, they can’t properly mitigate the risks.
But even if they had the data, assessed the risk potential for each individual employee, took immediate real-time action, and tailored the training, if they don’t do it all over again, they’ll just get back to square one.
Change your cybersecurity training mindset
See where we’re going with this? This is hardly a problem without a solution.
What businesses need to do is adopt a continuous security behavioral change loop, i.e., changing the way someone behaves in a security-related context is an ongoing process rather than a one-time event.
First, ingest data from your security technology stacks (think EDRs, email gateways, web security, etc.) in order to capture employee cyber behavior data.
That data feeds a cyber behavior risk score, which tells you how likely each employee is to be attacked and how likely their behavior is to let an attack succeed. As a result, you’ll be able to prioritize which employees to address first and which threats to address with them.
Emily, for example, is a CFO, which makes her a high-value target, and as such, has a high-risk score. However, Emily has demonstrated safe internet use and avoided clicking links in emails from unknown senders.
Her behavior doesn’t lead to cyberattacks.
On the other hand, Joe is a graphic designer who works from a coffee shop, uses the same password across all his company accounts, and once downloaded a file from a suspicious source. Even though his position is less interesting to cybercrooks, he has an equally high risk score because of his cyber behavior.
This is a gross oversimplification, but you can see who an organization should address first.
It’s now also a lot easier to set up automatic training programs based on each employee’s specific risk level. These should be both contextual and trigger-based, so they reach employees exactly where and when they need help the most.
Then, you should measure the impact of training, re-evaluate employee risk scores, and act accordingly. That could mean delivering more training or changing up the methods if the risk is still high.
For example, if Joe still hasn’t updated his passwords after a few educational videos, don’t send more videos; try a little interactive content instead. And if that format is what finally works, use it for Joe from then on.
The key is to repeat the process to ensure employees are aware of the right cyber behaviors and react to high-risk employees.
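To make the loop concrete, here is an added example (not code from the original article or from any vendor product) of the ingest, score, prioritize, train and re-score cycle described above, run over three rounds of constructed telemetry. The event names, role exposure values, event weights, the high-risk threshold of 50 and the escalation order of training formats are all assumptions chosen for illustration; a real deployment would derive them from its own EDR, email gateway, web security and identity logs.

```python
"""Illustrative continuous security behavioral change loop.

Every number and event name below is an assumption for the example,
not a measured value from any real security stack.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed exposure: how attractive a role is to attackers.
ROLE_EXPOSURE = {"cfo": 40, "graphic_designer": 10}

# Assumed weights: positive = risky behavior, negative = protective behavior.
EVENT_WEIGHTS = {
    "phish_sim_clicked": 25, "phish_sim_reported": -10,
    "download_blocked": 20, "public_wifi_session": 10,
    "password_reuse_detected": 30, "password_rotated": -30,
    "device_compliant": -5,
}
HIGH_RISK = 50                                   # assumed threshold
FORMATS = ["video", "interactive", "live_session"]  # assumed escalation order


@dataclass
class Employee:
    name: str
    role: str
    history: list = field(default_factory=list)  # training formats already delivered
    score: int = 0


def behavior_score(user_events):
    """Sum the weighted telemetry for one user, clamped to 0..60."""
    total = sum(EVENT_WEIGHTS.get(kind, 0) for _, _, kind in user_events)
    return max(0, min(60, total))


def risk_score(emp, user_events):
    """Role exposure plus observed behavior, capped at 100."""
    return min(100, ROLE_EXPOSURE.get(emp.role, 20) + behavior_score(user_events))


def score_all(employees, events):
    """Re-score every employee from this window's events; highest risk first."""
    by_user = defaultdict(list)
    for ev in events:               # ev = (source, user, kind)
        by_user[ev[1]].append(ev)
    for emp in employees:
        emp.score = risk_score(emp, by_user[emp.name])
    return sorted(employees, key=lambda e: e.score, reverse=True)


def choose_training(emp):
    """No action below the threshold; otherwise escalate past formats already tried."""
    if emp.score < HIGH_RISK:
        return None
    for fmt in FORMATS:
        if fmt not in emp.history:
            return fmt
    return FORMATS[-1]


def run_cycle(employees, events):
    """One loop iteration: score, prioritize, assign training, record it."""
    plan = []
    for emp in score_all(employees, events):
        fmt = choose_training(emp)
        if fmt:
            emp.history.append(fmt)
        plan.append((emp.name, emp.score, fmt))
    return plan


# Constructed telemetry windows, not real data.
CYCLE_1 = [
    ("email_gateway", "emily", "phish_sim_reported"),
    ("edr", "emily", "device_compliant"),
    ("email_gateway", "joe", "phish_sim_clicked"),
    ("edr", "joe", "download_blocked"),
    ("web_security", "joe", "public_wifi_session"),
    ("idp", "joe", "password_reuse_detected"),
]
CYCLE_2 = [  # after the videos: Joe still reuses passwords
    ("idp", "joe", "password_reuse_detected"),
    ("web_security", "joe", "public_wifi_session"),
]
CYCLE_3 = [  # after interactive training: password rotated
    ("idp", "joe", "password_rotated"),
    ("edr", "emily", "device_compliant"),
]


def demo():
    """Run three cycles for Emily (CFO) and Joe (designer); return each cycle's plan."""
    staff = [Employee("emily", "cfo"), Employee("joe", "graphic_designer")]
    return [run_cycle(staff, window) for window in (CYCLE_1, CYCLE_2, CYCLE_3)]


if __name__ == "__main__":
    for i, plan in enumerate(demo(), 1):
        print(f"cycle {i}: {plan}")
```

Each cycle scores only the current observation window, so a risk score falls as soon as the risky behavior stops being observed; Emily keeps a baseline score from her role alone, while Joe is escalated from video to interactive content when the second window shows his password reuse is unchanged, and drops below the threshold once the identity provider reports a rotated password.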
What you should take away from this
The threat of cyberattacks is here to stay and keeps evolving. Employee cyber behavior needs to adapt with it, so CISOs need to treat this as a constant feedback loop that keeps the entire organization protected.
“Change is the end result of all true learning.” ― Leo Buscaglia.
And we’ll add “true learning is continuous.”