Cyber Security Awareness : A Collective Responsibility

Updated: Dec 9, 2022

We’re in what is arguably the most difficult time for security teams the world has ever seen. Are companies and society as a whole doing enough around security training?

We’re in what is arguably the most difficult time for security teams the world has ever seen. There’s a widely accepted work-from-home (WFH) ethos, with users accessing networks outside of the four corporate walls we’ve come to trust. Our users are digitally fatigued from back-to-back collaboration calls that last all day for weeks on end. Corporates are opening up to the idea of work from anywhere, and they’ve been forced to lay a sense of responsibility at the feet of end users. With increased demand for full-time remote working (and, of course, the added pressure from employees supporting this ethos on social media), many organisations have had to embrace this mass change and put risk-mitigating processes in place for the resulting cyber-related risks. This led me to ask myself: are companies and society as a whole doing enough around security training?

My personal opinion is that no, they are not. Most studies find that organisations offer some kind of awareness training. In fact, the Mimecast State of Email Security 2021 report found that one in five organisations even do it on an ongoing basis. It’s positive to see that organisations are providing regular training, but to which standard do they conform? What’s the format, is it data driven and is it impactful? What about organisations placing huge investment into training? Does this satisfy the guidance of analysts? Unfortunately, “some form of awareness training” doesn’t really tell us whether the training that is taking place is even effective.

Not all training is created equal

While many organisations have had to have a conversation with their security leaders about the strategy and execution of an awareness training program, most still exit the boardroom opting for the easiest way of doing it, which typically conforms to an exact audit requirement, i.e., what is the least I can do to achieve compliance? Even if your audit committee is satisfied with the program you’ve delivered and reported on, the worrying reality is that doing it once or twice a year and then stating that users who’ve completed it are now compliant is worthless, even if your completion rate is north of 90%.

I recently spoke with a large multi-national business on this exact challenge. Their completion stats were near perfect (across 200,000+ users), but users were only compelled to do a 60-minute security training path once every 24 months to achieve compliance. I’m sure you, in your personal capacity or as an employee in a business, would agree that if you had to take a security awareness course once every two years in whatever medium (video, slides, PDF, etc.), you’d complete it as soon as possible, because you’d be left alone for another two years! The problem, however, is that eventually it becomes obvious to the business that the program is merely an exercise in tick-box compliance. It doesn’t actively get users engaged and behind the security awareness program, which is what ultimately helps protect both them and your organisation. A near-perfect completion record with no tangible and measurable outcome over time (like improved user behaviour) is completely moot.

There is no gold standard for how to run a security awareness program (so don’t let the vendors or analysts bully you). There is merely an outline they create and then conform to. It’s therefore impossible to know if your program has tangible results compared to other companies in your industry, unless of course (1) they use the same technology or guidance, and (2) that technology or guidance exposes the data anonymously (which it doesn’t).

I am an immense believer in Security Awareness Training, like I eat, sleep & breathe it. At Mimecast, our research suggests that as our program rolls out to end users, it positively shapes outputs like dangerous clicks and accurately reported emails. Frequent training therefore clearly has benefits for our customers so making it more accessible surely drives the right business objectives. Now if that is the case, why only 1/5? Why do only 20% of businesses undertake frequent training if the outcomes are documented and clear? If all the actions a business can take to protect itself offer a clear outcome, why aren’t the other 80% lining up to get started? Perhaps it’s budgets or resources, but I’d argue that if that is the case, there are plenty of things companies spend money on with a less apparent outcome. Like coffee.

Don’t waste time with unengaging content

I think companies really want to train their users. I think they really want to see the results. I just don’t think they believe it works. The data, however, overwhelmingly suggests the opposite. But if we as a collective security community want to bring about mass change in human behaviour, both organisationally and generally, we need to begin implementing strategies that focus on training our people, and society in general, whenever they do something online. Knowledge without application borders on being useless. I receive daily emails from various platforms and financial institutions with notifications about recent cybercrime activity and cute icons depicting ‘hackers’ in striped jumpers and eye patches. These are totally ignored, and as much as the senders like to believe their efforts at collective mass education work, they don’t. On average, mass emails are opened by less than 2% of recipients. What’s more, cute infographics and PDFs are some of the worst mediums for transferring knowledge because they’re unengaging.

What changes behaviour is gentle, subliminal nudges that notify, quiz or offer an alternative to a user before something bad happens. Liken this to an analogy about driving under the influence. ‘App A’, downloaded on your phone, sends you daily notifications saying, “Driving under the influence is really bad, X many crashes were recorded because of it.” Great. That generic notification is stored in your frontal cortex for 30 seconds before you get up to brush your teeth. But now imagine the more revolutionary ‘App B’ that (if it were technologically possible) tests your breath alcohol level every time you make a phone call. Imagine it then notified you that you’re likely over the limit and, with a single confirmation click, hailed you a taxi to get you home safely. We know that driving under the influence is bad (not to mention illegal), yet many of us still see it as an acceptable risk. Removing the option of ‘taking the risk’ is what sticks with us, rewiring us to rely on ‘App B’s’ technology to keep us safe.

Small changes and a collective effort

Where does collective responsibility come into all of this? Subtle changes can drive massive, global impact. Changing the term “password” to “passphrase” on websites is one small step. An engaging fly-out telling people why it’s important to use passphrases is step two. I would bet that 3-6 months after this change, the character length of your customers’ passwords will go up by 50%+, and they will most likely be passphrases. Small change, massive impact. The wider collective effort also needs to rally behind the notion of asking basic questions online when completing transactions or logging in, or at the very least quizzing users to get to the final step. As apprehensive as they may be, they’ll soon realise this is what protects them. What’s more, if they become accustomed to this additional step, they’ll likely stop any action if they don’t see it during checkout or login activity. That process of rewiring us might be arduous, but the impact will be enormous. Imagine creating a set of criteria to measure against and, 12 months later, seeing a tangible change across the globe. It would massively shape the way in which millions of users interact with platforms, erring on the side of caution more frequently (and this is multiplied if they receive security training at the office!).
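To make the “passphrase” relabel and fly-out concrete, here is an added example (not code from the original post or from Mimecast): a client-side nudge that classifies what the user typed and returns the explanatory message for the fly-out, plus a helper that measures the outcome the post predicts, the change in median credential length between a cohort before the relabel and one after. The thresholds (16 characters, 3 words) and the DOM wiring are assumptions; only lengths, never the secrets, reach the measurement helper.

```javascript
// Added example: passphrase nudge + outcome measurement. Thresholds are
// assumed values for illustration, not figures from the post.
const MIN_PASSPHRASE_LEN = 16;
const MIN_WORDS = 3;

// Classify the typed secret and return the fly-out text. Pure function:
// nothing is stored or sent, so it can run on every keystroke.
function passphraseNudge(secret) {
  const words = secret.trim().split(/\s+/).filter(Boolean);
  if (secret.length >= MIN_PASSPHRASE_LEN && words.length >= MIN_WORDS) {
    return { kind: "passphrase",
      message: "Nice: a multi-word passphrase is far harder to guess than a short password." };
  }
  if (secret.length >= MIN_PASSPHRASE_LEN) {
    return { kind: "long-password",
      message: "Good length. Tip: a few unrelated words are easier to remember than symbols." };
  }
  return { kind: "short-password",
    message: `Try a passphrase: ${MIN_WORDS}+ unrelated words, at least ${MIN_PASSPHRASE_LEN} characters.` };
}

// Measure the predicted outcome: percent change in median length between two
// cohorts. Takes arrays of lengths only (collected at password-set time), never
// the secrets themselves.
function medianLengthChange(beforeLengths, afterLengths) {
  const median = (xs) => {
    const s = [...xs].sort((a, b) => a - b);
    const m = s.length >> 1;
    return s.length % 2 ? s[m] : (s[m - 1] + s[m]) / 2;
  };
  const before = median(beforeLengths);
  const after = median(afterLengths);
  return { before, after, percentChange: Math.round(((after - before) / before) * 100) };
}

// Browser wiring (assumed markup: a password input with a <label for=...>).
// Relabels to "Passphrase" and renders the nudge in a live-region fly-out.
function attachNudge(doc) {
  const input = doc.querySelector('input[type="password"]');
  if (!input) return false;
  const label = doc.querySelector(`label[for="${input.id}"]`);
  if (label) label.textContent = "Passphrase";
  const flyout = doc.createElement("div");
  flyout.setAttribute("role", "status"); // announced by screen readers
  input.insertAdjacentElement("afterend", flyout);
  input.addEventListener("input", () => { flyout.textContent = passphraseNudge(input.value).message; });
  return true;
}

if (typeof document !== "undefined") attachNudge(document); // no-op outside a browser
```

The 50%+ claim in the post becomes a testable hypothesis: collect only lengths before and after the relabel and compare `medianLengthChange(...).percentChange` against 50.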

Alas, this won’t work if only 1 or 2, or even 10 or 20, organisations go through this rigorous process of change. This would be a global game, but at the same time a global game changer. This game would require all of the top 10,000 most visited shopping websites in the world, the top financial institutions in each country, all social media, etc. to step up and be part of this effort. It will take months (maybe even years) to plan and roll out, and it may receive heaps of apprehension and backlash. But the outcome will be apparent, and the data will undoubtedly tell us we’ve become safer.
