User awareness training isn’t working. It hasn’t worked for a while. There are good reasons for this, and as cybersecurity threats mount, it would be good for security pros to understand them. SecTor sat down with several experts at its tenth annual conference in October 2016 and asked them what was wrong. Here’s what they said:
Mikko Hypponen, chief research officer at F-Secure, spends a lot of time shaking his head over end-user slip-ups (for an example involving a Twitter account and a credit card, see his SecTor 2016 keynote). He argues that half the security problems companies face today come from “people doing stupid stuff”. No doubt. But how well are we training them not to?
Not very well, warns Laura Payne, senior information security advisor at the Bank of Montreal. Many organizations seem to try to create a ‘human shield’ against attackers. She doesn’t believe it’s helpful.
Chris Wysopal, CTO at Veracode, says that we wouldn’t need to train users in security awareness if our computer systems were built to be safe, but they aren’t. We’ve built systems that are insecure, which is why we’re forced to browbeat users into handling them in certain ways.
We don’t need no education
That’s just the problem, indicates Chris Pogue, CISO at Nuix. Conventional methods don’t work because they didn’t work at school. Lecturing users from the front of a room has the same effect that it did in sixth grade: people switch off. It isn’t linked to real-world activity.
So how can we change that? Cheryl Biswas, cybersecurity consultant for threat intel at KPMG, has some thoughts. Security has to become a cultural issue, which means a cultural change.
That sounds like it needs executive support, and the SANS 2016 Security Awareness Report bears that out. The report highlights a strong relationship between the level of executive support and the maturity of cybersecurity awareness programs.
Executive support is critical because cultural change is a long-term process. People have to have a stake in cybersecurity all the way from the top to the bottom.
To deliver that value, connect with users, says Brendan O’Connor, principal of Malice Afterthought, who spoke about how to improve relationships between security pros and end-users at SecTor 2016. Instead of simply going through the motions and using security awareness training as a compliance tool, give users some value, he suggests. Explain not only how proper security practices serve the corporation, but also how they serve the users. You can make security awareness training personal and still hit your compliance requirements.
Solomon Sonya, assistant professor of computer science at the USAF Academy, agrees, adding that we need to step away from lecture environments and online courses that people simply click through so that they can get back to work. Make cybersecurity awareness training hands on, he advises. Show people how their data can be stolen. Engage them that way.
There’s another, important way to instil cybersecurity best practice into corporate culture, says Ben Sapiro, senior director of security, privacy and compliance at Vision Critical: make it part of everyday work. Secure measures must be part of a person’s workflow, and a key component in getting the job done, rather than a bolt-on that they will forget to do in time. Doing this doesn’t mean that you should make the work inconvenient, though. Getting this right involves a careful balance.
Companies still think that cybersecurity awareness training is working. 93% of respondents to a SANS financial sector survey listed employee awareness training as one of the most effective controls in protecting their organizations. But according to SecTor’s experts, we could be doing a lot better at it. Perhaps it’s time to shake up our methods.