Managing Risk Through Human Vulnerability with S.A.T.
Staff are at once the greatest resource and the greatest hindrance to an organizational cybersecurity program. Their actions can make or break effective cybersecurity. That duality is driven by how people think, and threat actors use social engineering to take advantage of it.
The best way to address human vulnerability is the same as for securing infrastructure: deploy effective tooling that empowers action. When it comes to humans, the best tooling is education and awareness. Someone who is equipped to identify and report social engineering attacks can catch sophisticated lures that the secure email gateway misses.
In this article, we’ll discuss the value of security awareness training and how to use security awareness training effectively to mitigate cyber threats.
The Value of Security Awareness Training
The value of security awareness training is considerable because cyber incidents are expensive. According to IBM, the average cost of a data breach worldwide in 2022 was $4.35 million. In the US, that average more than doubles, at $9.44 million.
Those costs include direct financial losses, recovery costs, fines and lawsuits, and post-breach remediation work. They do not include the ongoing reputational damage from a major cyberattack and the resulting future loss of business.
Training is both cheap and effective. Not only does it help mitigate the potential impact of a significant cyber event, but it also contributes meaningfully to smooth operations on an ongoing basis. An attack can degrade computer, database, or application performance, but so can many other causes. Staff trained to act as an early warning system provide visibility into infrastructure health that other tools may miss.
Unfortunately, being hit by a cyberattack isn’t a speculative proposition. A majority of companies worldwide have been impacted by ransomware—and that’s just one threat vector. Consequently, it’s a matter of when your business will be impacted by staggering losses, not if it’ll be impacted.
In that light, paying thousands or tens of thousands of dollars for security awareness training to mitigate those losses is a smart investment. Alternatively, security awareness training is one of those tools that can be created internally and work just as effectively as commercially available options. That option simply requires an investment of staff time.
Security awareness training is also the bare minimum most organizations can do to keep themselves safe. In a world where both attackers and litigants are growing increasingly sophisticated, it’s practically reckless not to do something in the training space.
How Training Can Be Effective
Whether you purchase a commercially available training program or develop your own, there are a few things that can improve the efficacy of that training program and safeguard your organization from cyberattacks. This article will highlight some of those. There are more—this list is in no way intended to be exhaustive—but hopefully, it provides food for thought when developing a training program.
Talk to Staff on Their Level
You likely have fantastically qualified line staff. They may be great doctors, nurses, call center staff, engineers, technicians, traders, or other roles. Their greatness is driven by their sophistication and knowledge of the work they do every day.
That doesn’t make them technologists or security experts. In fact, most of them may be technology Luddites. Some of them may even be the kind of person who, in an increasingly technological world, takes pride in their detachment from that modern reality.
For a security awareness program to be successful, you have to cater to that lowest common technological denominator. All your materials must be understandable and approachable to all. If you immediately dive into highly technical concepts in an all-staff annual training, it won’t be well received and, therefore, won’t be effective.
Ensuring the content is intelligible isn’t your only challenge. You also need to make sure it’s engaging.
Keep Content Engaging
Engagement is a critical part of any training. If people don’t care or understand why they need to care, then they won’t. Staff will take the training to check a box, multitask through the training, and won’t remember what they should be looking for when a social engineering attack or cyberattack happens.
One way to keep content engaging is to make the goal relatable. Cite examples of the extreme consequences of cyberattacks in your organization's industry. For example, hospitals hit by ransomware reported downtimes averaging three weeks. That's three weeks of being unable to treat patients effectively, which can lead to harm, whether direct or indirect.
Another way to keep content engaging is to build staff investment in the cause. Staff play a critical role in addressing cyber threats, and training is key to their ability to do so. Let staff know that they are your first and best line of defense.
You can also incentivize desired cyber-awareness behavior. Gamify training and create competitions around good behavior. Reward the most cyber-conscious team or create a bug bounty. Get creative, and the staff will appreciate your recognition.
Along those lines, you’ll also want to positively reinforce good behavior.
Positive reinforcement is a wonderful tool in your security awareness training arsenal. If someone does something that shows good cyber hygiene or awareness, that should be celebrated. Announce the positive action as broadly as the organization will support, so that other staff see both the quality of the action and the response it earned.
People love being praised for good work. If other people see the praise, they will emulate the positive behavior and also receive the same praise. Giving that praise has no cost and immense benefits. So if you don’t have the budget for a bug bounty or gifts, you can implement a very effective reward system at no cost to your organization. It’s also the polite and right thing to do.
Another great tool is personalized outreach. People love hearing that they’ve done well from senior management. Executive management likes hearing that their security team is being mindful of the organization.
Both goals can be accomplished by sending out emails to individuals who’ve done noteworthy things to bolster cybersecurity. Those events could include independently validating a request for access to information, reporting network performance issues, or other seemingly simple issues that could quickly escalate if they were an attack and not legitimate.
Praise and outreach also have a few hidden benefits. They introduce the security office to the organization at large, make the security office a force of positivity, and humanize it. By positively reinforcing good behavior, the security office becomes approachable. Since the core message of security awareness training is to let the security office know when something is awry, opening those lines of communication will pay dividends.
Use Current Events
Historical cyberattacks are fascinating and have great staying power. Stuxnet and the original Home Depot and Target breaches are compelling stories in their own right. They're dated, though. There are so many serious recent attacks to highlight that it's almost inexcusable not to.
The use of current events is critical to highlight that cyberattacks—especially those started by social engineering attacks—are a very real and persistent threat. As highlighted above, using events that are in your organization’s industry also keeps the threat real. If it happened to a competitor, it could happen to your organization.
Highlight Current Attack Modalities
When you address current events in your training, it’s critical to also highlight the mechanics of modern attacks. Phishing, vishing, business email compromise, and other confidence schemes are critical to highlight. In a couple of years, those attack vectors may be replaced by others.
Keeping attack modality education fresh ensures that your workforce has the tools to address modern threats. Your workforce should understand how threats present to a sufficient degree that, with some adaptability, they can identify threats in the field and avoid them.
Set Clear Expectations
You'll want to set clear expectations with staff about their role in security, their responsibility to identify and report threats, how they report them, and what degree of organizational support they will receive when they do.
That’s not a straightforward proposition. Think about your current organization. Ask yourself the following questions:
Are staff empowered to halt operations for perceived cyber threats?
To what extent can they do that if permitted?
What happens when someone reports a potential cyber threat?
What happens when a call center employee reports a potential social engineering attack?
What happens if that’s a false positive?
Do staff understand to whom they should report a social engineering or cyber incident?
Do staff feel comfortable reporting that information?
You can ask other questions, but they’re all variations on a theme: to what extent do staff have the ability to report incidents, and what are the consequences for doing so? That’s important. If staff don’t feel comfortable reporting incidents and don’t have the ability to address incidents in real-time, then whatever training happens is immaterial. Staff won’t follow it.
Executive leadership must have a mindset that's conducive to reporting and acting on events that could be existential threats to the organization. It's the security officer's job to inform executive leadership of that and to gauge the organization's attitude toward such reporting.
Once that support has been secured, it's the security officer's job to communicate it to staff. That's a tricky set of communications, and pulling in other departments such as the General Counsel's office, compliance, and marketing may be critical to effectively communicating staff empowerment with respect to security events.
Conduct Regular Training…But Not Too Regular
There's nothing more disconcerting than unpredictability. If staff don't know when they'll be trained, the seemingly sudden addition of training can be jarring. Make sure staff understand what your security awareness training schedule is, when they should expect to receive training, and by when they must complete it.
If you've incorporated "live fire" phishing training into the mix, where you send simulated phishing emails to individuals, then that should not be predictable. If it's predictable, people become comfortable and know what to look for and when. Staff should know that phishing simulations happen, and roughly over what period, but not exactly when a given lure will arrive. By keeping that training unpredictable, you get raw responses to stimuli and can evaluate organizational phishing resilience.
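As an added example, not part of the original article, the following Python sketch shows the two mechanical pieces of the "live fire" program described above: placing simulation waves at random times inside a window that staff are told about (the quarter, not the day), and turning per-recipient outcomes into resilience numbers. The campaign results, user names and timings are constructed for illustration, and the metric names are this example's own choices.

```python
"""Phishing-simulation scheduling and resilience metrics.

Added illustration, not the article's or any vendor's code. All data
below is constructed; no real campaign or users are represented.
"""
import random
import statistics
from collections import namedtuple
from datetime import datetime, timedelta

# Announced window for the simulation program: staff know simulations run
# during this 13-week quarter, but not which day or hour a lure arrives.
WINDOW_START = datetime(2024, 1, 8)   # a Monday (constructed)
WINDOW_WEEKS = 13

# One constructed outcome per recipient. Times are seconds after delivery;
# None means the action never happened.
Result = namedtuple("Result", "user clicked_at reported_at")
SAMPLE_RESULTS = [
    Result("a.nurse", None, 240),      # reported without clicking
    Result("b.trader", 95, 600),       # clicked, then reported late
    Result("c.engineer", None, None),  # ignored the lure entirely
    Result("d.callcenter", 30, None),  # clicked and never reported
    Result("e.doctor", None, 45),      # fast report, no click
    Result("f.admin", 1800, None),     # clicked half an hour later
]


def schedule_waves(start, weeks, waves, seed=None):
    """Pick `waves` send times inside a `weeks`-long window.

    Each wave lands in a distinct week, on a random weekday and a random
    minute of the working day (09:00-16:59). `start` is normalised to the
    Monday of its week. Pass `seed` only for reproducible tests.
    """
    if waves > weeks:
        raise ValueError("more waves than weeks would repeat a week")
    rng = random.Random(seed)
    monday = start - timedelta(days=start.weekday())
    times = []
    for week in sorted(rng.sample(range(weeks), waves)):
        day = rng.randrange(5)          # Mon..Fri
        hour = rng.randrange(9, 17)     # 09..16
        minute = rng.randrange(60)
        times.append(monday + timedelta(weeks=week, days=day,
                                        hours=hour, minutes=minute))
    return times


def resilience_metrics(results):
    """Summarise one wave: click rate, report rate, how many people reported
    before (or instead of) clicking, and how quickly the first report came in.

    The first-report time is the operational number: it bounds how long it
    takes the security office to learn a lure is in circulation.
    """
    n = len(results)
    if n == 0:
        raise ValueError("no recipients")
    clicked = [r for r in results if r.clicked_at is not None]
    reported = [r for r in results if r.reported_at is not None]
    reported_first = [r for r in reported
                      if r.clicked_at is None or r.reported_at < r.clicked_at]
    report_times = sorted(r.reported_at for r in reported)
    return {
        "recipients": n,
        "click_rate": len(clicked) / n,
        "report_rate": len(reported) / n,
        "reported_before_click": len(reported_first),
        "median_seconds_to_report": statistics.median(report_times) if report_times else None,
        "first_report_seconds": report_times[0] if report_times else None,
    }


if __name__ == "__main__":
    for t in schedule_waves(WINDOW_START, WINDOW_WEEKS, 4):
        print("wave at", t.strftime("%a %Y-%m-%d %H:%M"))
    for k, v in resilience_metrics(SAMPLE_RESULTS).items():
        print(f"{k}: {v}")
```

Two things worth tracking over successive waves are the report rate and the time to first report rather than the click rate alone: a wave where 50% clicked but the first report arrived within a minute is a better outcome than a wave with fewer clicks and no reports, because the early report is what lets the security office pull the lure from everyone else's mailbox.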
There are many considerations for successfully implementing a security awareness program. Most of them are extra-curricular in that they deal with organizational support for staff rather than the training content itself. It's critical to implement some program; not doing so is practically reckless. However the program is implemented, it will reduce the organization's exposure to cyber threats.
Successfully addressing those cyber threats requires administrative work. Discussions with executive leadership, identification of relevant analogous competitor attacks, and the development of engaging content are a must. Your work will go beyond just developing or selecting training materials, but that will pay dividends.