Why lack of training can put cybersecurity at risk [Q&A]
One of the effects of the pandemic and the shift to remote and hybrid working has been that organizations have become increasingly reliant on messaging tools like Teams and Slack.
But new research from CybSafe shows that 47 percent of workers have received no training in the use of these platforms and could be putting themselves and their employers at risk.
We spoke to Dr Jason Nurse, director of science and research at CybSafe and associate professor at The University of Kent, to discover more about the role of training in securing organizations.
BN: Are people more likely to indulge in bad security habits if they haven't received proper training?
JN: There is no doubt a correlation between a lack of cybersecurity training and poor security habits. However, security awareness and training shouldn’t be seen as a silver bullet, and can sometimes lead organizations into a false sense of security.
Am I saying training isn't a solution to our cybersecurity issues? Of course not. In any scenario, some training is always preferable to none. People are the first and last line of defense in protecting a company’s data, and organizations should give them the tools to be part of the solution.
What I am saying, though, is we need to consider if asking your people to complete an annual tick-box training course will genuinely change behavior. Instead of thinking of poor cyber hygiene as 'bad security habits', we should break them into individual behaviors.
Are you using Multi-Factor Authentication? Are you using personal details in your passwords? Do you use a password manager? Broken down into specific behaviors, poor habits can be identified, managed, and improved.
The key to the question is what we consider 'proper training'. Identifying, measuring, and influencing the specific security behaviors that lead to vulnerabilities will drive considerable change. A good security culture must be positive, targeted, and, most importantly, treated as a value, not a task.
BN: How important is it to involve people at all levels of the organization?
JN: It's essential. I once heard a story of someone giving security awareness training to senior executives, stating that you should never accept memory sticks (a more common feature at the time) from unknown sources, be it a colleague or a stranger. When finishing up, the participants were offered a memory stick on the way out the door. Those who accepted and inserted the hardware into their computer were greeted with a message highlighting their error.
While I believe that incentivisation is a more successful approach than negative reinforcement, this anecdote highlights that we are all human. We are all vulnerable, regardless of our position in an organization.
Once upon a time, cyber security was seen as an IT issue. Today, it's a business issue, and an important one at that. The more invested the organization’s leadership is in being secure, the more it will trickle down into the broader workforce through policies and behaviors.
Finally, the more power an individual has in an organization, the more costly a data breach can be. As a result, those who have access to business critical information must know how to protect it correctly.
BN: Training is usually part of an onboarding process, but should it be an ongoing activity?
JN: It makes sense to include cybersecurity as part of the onboarding process, as it is easier to help someone behave securely as they learn rather than changing already entrenched processes. However, expecting a worker to behave securely because they once received training is like expecting someone to drive from Copenhagen to Madrid without getting lost because you once told them directions.
Different businesses have different security needs. Yet, many businesses have a common reliance on employees being able to recall, remember, or guess security procedures and information! Security awareness and training is not necessarily the most effective method of keeping your organization secure. However, if it suits your business, it should be part of a larger, long-term security strategy. All evidence suggests effective training plans should occur regularly to improve security behaviors long-term.
BN: How can we deliver cybersecurity training and information more effectively?
JN: There are many different ways to address human cyber risk. While each organization should develop solutions that work for its workforce, as previously mentioned, training isn’t necessarily the silver bullet it was once thought to be.
For example, to extend the Copenhagen to Madrid analogy further, today most people will utilize technology in the form of a sat nav or navigation app to get from A to B. Similarly, organizations can utilize tools that give employees helpful nudges, at the right time, on how to improve specific security behaviors. Whether it's changing the Wi-Fi router password (as you walk through the front door), or checking if a password has been associated with a data breach (as you enter it), security training doesn't have to be given all at once.
If the ultimate goal is to impact people’s security behavior positively, we must consider how, when, and where to deliver content. For too long, we have focussed solely on the what of cybersecurity. In other words, what information do employees need? Today, we should be learning from a behavioral standpoint. For example, are Slack and Microsoft Teams more effective communication channels than email? And are there certain times in the day in which people are more prone to engage with security content? Do particular communication styles, such as humor, help to increase engagement? And much more! In short, we know what information people need to be secure, but we can better understand how to get it to people, and help them internalize and utilize it.
Recent research from CybSafe found 79 percent of people said they are likely to act on security advice provided on the platforms they use daily, such as Slack and Teams. 90 percent of respondents thought security nudges on instant messaging platforms would be valuable. This compares to around half (53 percent) of workers saying they always engage with employers’ security content sent by email.
People want to be part of the solution. They want to help their organization become secure. It's up to each business to consider how to provide people with the tools that will help them improve.
With data breaches and cyberattacks dominating headlines, it's important to be proactive in keeping business and customer data secure, and treat cybersecurity as a value, not a tick-box exercise.
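The "check if a password has been associated with a data breach as you enter it" nudge mentioned in the final answer is normally built on a k-anonymity range lookup: the client hashes the candidate password with SHA-1, sends only the first five hex characters to the breach-corpus service, receives every stored hash suffix sharing that prefix, and finishes the match locally so the full hash never leaves the device. The example below is added here by the editor and is not code from the interview, from CybSafe, or from any vendor. It names the real Have I Been Pwned Pwned Passwords endpoint format in a comment but does not call the network: the `CONSTRUCTED_RANGES` table, its counts and its extra suffixes are all made up so the block runs offline (the one genuine value is the SHA-1 of the string "password").

```python
import hashlib
from typing import Dict, Tuple

# Constructed stand-in for a k-anonymity "range" service. The real Pwned
# Passwords API is GET https://api.pwnedpasswords.com/range/<first 5 hex of SHA-1>
# and answers with "SUFFIX:COUNT" lines for every stored hash sharing that
# prefix. Everything in this table is made up for the example, except that the
# first suffix is the real SHA-1 of "password"
# (5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8) split after five characters.
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # constructed count
        "0A2F1B8E3C4D5E6F7A8B9C0D1E2F3A4B5C6:2",        # constructed entry
        "FFEEDDCCBBAA99887766554433221100ABC:17",       # constructed entry
    ]),
}


def hash_password(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix): uppercase hex SHA-1 split 5/35 as the range API expects."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP GET of /range/<prefix>.

    Only the 5-character prefix would be sent over the wire; the suffix stays
    local. Unknown prefixes yield an empty body, which parses to "no matches".
    """
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")


def parse_range(body: str) -> Dict[str, int]:
    """Parse "SUFFIX:COUNT" lines into a dict; blank or malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or not count.strip().isdigit():
            continue  # ignore rather than crash on an unexpected line
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str) -> int:
    """Number of times the password appears in the (constructed) breach corpus, 0 if never."""
    prefix, suffix = hash_password(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def password_nudge(password: str) -> Tuple[bool, str]:
    """The in-the-moment nudge: (is_compromised, message to show next to the password field)."""
    n = breach_count(password)
    if n:
        return True, f"This password appears in {n:,} known breach records; choose a different one."
    return False, "No known breach match for this password."


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(f"{candidate!r} -> {password_nudge(candidate)}")
```

The design point worth keeping when wiring this into a real sign-up or password-change form is that `fetch_range` only ever receives the five-character prefix, so the service learns nothing usable about the password even if its logs are breached; the matching in `breach_count` is what keeps the check private, and it is what makes the nudge cheap enough to run at the moment of entry rather than in an annual course.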