A 2017 survey revealed 52% of organisations’ cyber security budgets are increasing, with 23% of the increases dedicated to training.
Together, the stats seem to suggest that somewhere, somehow cyber security training is failing. Where exactly might we be going wrong?
1. Ignoring the cyber security of our supply chains
In 2013, the US organisation Target was the primary victim of a high-profile cyber attack.
As a retail giant with annual revenues topping $70bn, Target took cyber security seriously.
Their air conditioning supplier, however, became infected with malware via a simple phishing scam. And once hackers had access to Target’s supplier, they had access to Target.
Over the course of two weeks in November, Target fed the financial details of 40 million of their customers into the hands of cyber criminals. Costs of the breach have been estimated as between $420m and $1bn.
Almost 4 years on, CybSafe’s Inaugural Supplier Security Study found 1 in 7 SME suppliers implement no cyber security controls whatsoever.
2. Failing to update training in response to new threats
In the 2011 book Adapt, Tim Harford retraces the fortunes of the world’s 100 largest companies as of 1912. Of the 100 considered, over half failed to make it to the 21st century.
The companies were the equivalent of today’s Googles and Apples – giants whose failure seems implausible. But, as the book’s title suggests, failing to adapt soon causes problems.
There’s a lesson in the story for cyber security training. Cyber scams have evolved considerably from the days of Nigerian princes and we can expect further evolutions as time goes on.
Cyber security training cannot remain static. It must update over time, in as close to real-time as is safe and possible.
3. Failing to change people’s behaviour
Neither assuring your supply chain nor constantly updating training are going to make any difference whatsoever if cyber security training fails to change people’s behaviour.
In our opinion, training that fails to change people’s behaviour is the single biggest mistake being made with cyber security training in its current form. An absence of behavioural change explains why people are able to ace a cyber security quiz on the Friday then wire money to a scammer on Monday. Even more frustrating is the fact training that demonstrably changes behaviour now exists.
Such training typically draws on learnings from psychology and behavioural science to ensure people remain vigilant both in and out of classrooms. Crucial to its efficacy is ongoing feedback on individual cyber security performance, which can be provided via simulated attacks and automatically tracked performance metrics.
With things like simulated attacks, cyber security training doesn’t end the moment someone passes a quiz. Instead, simulated attacks bring training into the workplace, nudging people to behave in a cyber secure manner.
As time goes on, it seems certain that more and more information security officers will begin demanding training that changes behaviour. After all, companies are upping their investment in training to cull breaches.
Training that fails to change behaviour simply does not align with their goals.