Cybersecurity Awareness Must Move from Attendance to Understanding
Let’s be honest, we have a love-hate relationship with security awareness. For employees, it is a necessary evil, a chunk of time they will never get back in return for little enlightenment. For the security teams, it’s an expectation that has to be done, but never quite seems to deliver tangible benefits.
This certainly was the case in many (dare I say, most) organizations a few years ago, but there are some glimmers of light out there. We are striving to influence our employees as they work – as they make decisions, follow habits and navigate through unexpected situations.
The pace of most of our work lives has accelerated incredibly in recent years. Remote working, matrix management and collaboration tools mean that most of us are bombarded with inputs and requests seemingly from all directions. And this is the environment into which we drop that 10-question, multiple-choice “security awareness training session”. We shouldn’t be surprised by the outcome. (I’m keenly waiting to see an article in the business media about the impact of the changing work environment on security risk.)
So, how can we make things better? Leading thinkers have accepted that they are dealing with human beings, and that the subject matter isn’t binary. I would submit that we focus on two aspects of the “Training, Education and Awareness” triad (security loves a triad, doesn’t it?). If you are trying to change behavior, I think you can only start with Education.
Education is traditionally the weakest area of security programs, yet it is the key to unlocking understanding in the humans we are trying to help.
So what does good education look like? Anyone who has worked with me in the last 20 years will have heard me talk about Why, What and How – and the importance of getting them in the right order.
Let’s unpack the story around Why. For me, this needs to have immediate and relatable context. What does it mean for the organization, and what does it mean for me? Two examples come to mind:
- An organization-level example: One of the greatest risks to our 3-year strategy would be the loss of confidence in customers and prospects caused by a poorly managed cyber incident.
- A role-specific example: The call center staff are expected to engage with our customers multiple times a day and have access to sensitive information. The risk of exposing information to the wrong customer or an attacker requires constant vigilance. Let us remember that the information we hold is actively sought after by cybercriminals.
Now on to the What. Again, I would say this should be substantiated and contextual. As an example:
- Attackers don’t hack into systems, they log in. This statement highlights the critical importance of credentials – your username and password. If an attacker gets hold of these, it saves them time and gets them close to their goal. It is then no surprise that 90% of cyberattacks start with phishing, the most common way to gather credentials. Poor credential hygiene – using weak passwords, or reusing passwords across different systems at home and at work – just makes the attackers’ job easier.
At this point, I hope you can see the attempt to give the employees some information and context which will slowly be absorbed into their thinking, establishing why the next step is needed, and making it more likely to be adopted.
Clearly, there is a whole slew of topics to be covered here, but for me, the Education stage should focus on the Why and What.
I feel that the next step is Training, as this is where How lives. Some principles remain the same – make it relevant and contextual – but we are moving into specific Dos and Don’ts.
- If it doesn’t look right or isn’t expected, report it. We will be targeted, and you can help spot and stop an attack.
- Always use the password manager to create and remember strong passwords for you. It will make them the right strength, and it’s one less thing to worry about.
- Expect to use the multi-factor authentication (MFA) app for our systems – it is a critical defense. A request to approve MFA should only arrive while you are logging in to our systems; an unexpected prompt is a signal to report. Never share the confirmation code.
The way this level of information is delivered can vary (I think we can agree the worst case is probably a static PowerPoint slide). But it should allow for different levels of experience – so the statements really should be supported by easy-to-follow how-to guides for those who need them.
So, my first blog on cybersecurity awareness isn’t talking about awareness, but hopefully you can see why. Let’s get Education and Training established, and we can help the humans move from “attendance to understanding” and create a much more fertile environment for better decision making and safer habit forming.
In future posts, I will return to awareness as a continuous “nudge” and feed into the behavioral side of employees in a subsequent blog.