Why MSPs must move clients beyond just ‘security awareness’


It’s increasingly a given that organisations will adopt some form of awareness training as part of their cyber security programmes. The quality and approach can vary significantly, from a basic set of PowerPoint slides to in-depth eLearning, videos, and full-blown phishing simulations. While there remain opportunities for MSPs to sell through some of these solutions, they are increasingly becoming commodified, and, worse, are limited in their effectiveness.

End-user security awareness is critical, although there are limitations in some of the more common approaches, including eLearning and phishing simulations. There may be a set of alternative approaches, however, based on behavioural change theory and risk-based guidance that could prove just as effective.

Why security awareness?

According to some insurers, 90% of cyber-attacks start with the human user, from social engineering and phishing attempts to lost USBs and poor passwords. Technical controls, however advanced, can never promise to be 100% effective, and individuals are often the last line of defence.

Organisations, furthermore, are often subject to regulations or certification requirements that insist on staff training and awareness. Sadly, many have come to see this process as a box-ticking exercise to meet compliance needs, rather than the critical defensive tool it can and needs to be. Critically, security awareness done the right way reduces operational risk and empowers staff to protect themselves.

We pursue awareness, of course, in order to engage. Ticking a compliance box is part of the process, although reducing risk should be the key driver, and engagement is critical to delivering on that aim. Beyond engagement, the goal must be to secure behaviour change, instilling a set of behaviours in staff so that they naturally act securely day by day.

The trouble with eLearning

The classic eLearning approach involves logging into a website, being presented with some content on a topic including text, videos and animations, followed by an examination at the end. It’s a system designed to cater for training scenarios where the recipient wants to be trained, and the surge in online courses demonstrates that this can be very effective.

Security awareness is a very different use case, however, and too often awareness campaigns morph into delivering ‘mandatory’ training. This is a form of enforced learning that’s infrequent, overly complex, either boring or patronising and quickly forgotten.

Awareness can also be too compliance and policy-focused, and involve too many subjects at once. Moreover, it’s often too technical for staff who have a modest level of technical knowledge. More fundamentally, traditional eLearning often isn’t in tune with the way people actually learn, behave, and use their IT on a day-to-day basis.

Picking apart phish-test-train

A popular alternative is training at the point of failure, with phish-test-train. This method involves sending staff a spoof ‘phishing’ email, and then providing training if they click on the link and/or input personal information. Although common, phish-test-train does have drawbacks, and the UK’s National Cyber Security Centre (NCSC) has raised a note of caution about phishing tests.

Whilst such tests can be useful to set a baseline, their results are hugely variable and the approach can lead to feelings of embarrassment among staff. Recent research, moreover, highlights that people do not learn well at the point of failure because our egos don’t allow it. Of greater concern is the idea of introducing “consequences” for failure, which goes against the ideal security culture: one in which staff will report anything suspicious, and feel safe to report mistakes they’ve made too. Without this culture, incidents can be brushed under the carpet, and vital time can be lost in an incident response situation.

The best training might be delivered little and often

We feel mandatory eLearning is ineffective, too infrequent and out of kilter with the way people actually learn. We also don’t believe teaching at the point of failure with phish-test-train is an effective mechanism, and it may even build barriers to engagement. MSPs, therefore, must look at alternative methods when it comes to delivering security guidance to their customers.

Leading academics in behaviour change tend to agree on three main requirements for change to happen. Subjects, first, must be willing or motivated to change, and secondly, they must be able to change. Finally, they need some sort of cue - a timely reminder - to avoid the old behaviour or to start a new behaviour. It’s not enough to simply jump on the behaviour change bandwagon and continue to deliver what is, in effect, more focused eLearning.

The next generation of security awareness is about a persistent drip-feed of knowledge and awareness. This may take the form of a minute here, 30 seconds there, spread evenly throughout the year. These bite-sized reminders and updates will amount to engaging, short, personally relevant and actionable security guidance to keep threats and secure behaviours front-and-centre.

We can take this one step further and deliver guidance “at the point of risk”, using an approach designed to make security part of the user’s everyday use of technology, as well as part of an organisation’s security culture. To achieve this, guidance must be delivered in context - for example, when users plug in a USB, click a link, or are about to set a password. If we can deliver the right guidance at the right time, by shifting away from classic ‘security awareness’, we can move people away from insecure behaviour and deliver secure behaviour change.

Tim Ward is CEO and co-founder of Think Cyber Security Ltd