In many organisations, training is seen as a comparatively inexpensive way to address cybersecurity weaknesses. On the face of it, it’s a logical investment – compared to technology procurement, for example, it can be a relatively quick and simple process and in many cases, certainly cheaper.
It also focuses on a very real need. One recent study revealed that human error is the leading cause of data breaches, with 88% coming as a result of employee mistakes. As a result, end user awareness training covers a wide range of potential pitfalls: guarding against email scams, malware and poor data management practices, password security, the dangers associated with Bring Your Own Device (BYOD) technology and, more recently, the risks associated with remote working.
It plays a vital role in any rounded approach to cybersecurity by arming as many users as possible to be alert to risks and follow best practices. The problem is that many of these training efforts are little more than a box-ticking exercise: the basics are covered, and employers then assume their staff will remember what they need to do on every single occasion in the future when they are exposed to risk.
This simply fails to acknowledge the increasing sophistication and opportunism of cybercriminals, where email-based attacks, for instance, are becoming more convincing all the time. It raises the question of why organisations choose to put their employees in the front line of their security strategy and, even more importantly, why they think that putting people back in the classroom for a day is fit for purpose. For busy people under pressure to perform, momentary lapses in concentration are inevitable and no amount of training will close off every avenue of attack.
In some circumstances, there’s also the possibility that an ‘enforcement’ style of cybersecurity training could do more harm than good. In hammering home the message to people that they must not be the weak link in the security chain, organisations can quite easily establish a culture of fear and punishment for people who make cybersecurity mistakes.
While leaders may think they need to be crystal clear in what is expected of everyone on their team, it’s an approach that is both counterproductive and ineffective. Not only does it fail to acknowledge that everyone makes errors, it shifts employee focus away from their core responsibilities and instills a feeling among people that it’s perhaps safer to say nothing than to share details of a potential breach.
Instead, employers should be celebrating those who highlight security failings – even their own. People should understand that protecting their organisation from the impact of a security breach isn’t just about applying every element of their training on every single occasion; it’s also about raising the alarm if a breach may have occurred, without fear of punishment. Whether they turn out to be right or wrong, employees should be encouraged to always raise the alarm if something doesn’t feel right.
By employing proactive cybersecurity technologies such as Content Disarm and Reconstruction (CDR), organisations not only take the pressure off employees to continually police file-based threats, but they can also massively increase their ability to deliver instant protection. Rather than trying to detect known-bad content, CDR strips the active elements a file does not need (macros, embedded scripts and objects) and rebuilds the file from its safe components. It’s a simple approach that ensures every document entering or leaving the organisation is safe, without sacrificing productivity. What’s more, it can enable organisations to boost the value and impact of training for users who are much more effectively protected from the risks of clicking on file attachments.
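To make the CDR idea concrete, here is an added example that is not part of the original article and is not the code of any CDR product. It treats an Office document as what it is on disk, a zip package of XML parts linked by a `[Content_Types].xml` manifest and `_rels` files, and rebuilds a new package that keeps only parts whose declared content type is on an allowlist, then rewrites the manifest and relationships so the result is still well formed. The sample macro-enabled document, the allowlist and the `PLACEHOLDER-VBA-PROJECT-BYTES` stand-in for a real VBA container are all constructed for the demonstration; the content type strings themselves are the standard OOXML ones.

```python
"""Minimal allowlist-based Content Disarm and Reconstruction for OOXML packages.

Added example for illustration only; not code from the article or any vendor.
The package is rebuilt from parts whose content type is known to be safe,
so anything unexpected (a VBA project, an OLE object) is simply never copied.
"""
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
RELS_TYPE = "application/vnd.openxmlformats-package.relationships+xml"
MAIN_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

# Allowlist of content types the rebuilt package may contain (constructed policy).
ALLOWED = {RELS_TYPE, "application/xml", MAIN_TYPE, "image/png",
           "application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"}
# A macro-enabled main part is kept, but re-declared as a plain document part.
REMAP = {"application/vnd.ms-word.document.macroEnabled.main+xml": MAIN_TYPE}


def serialize(root, default_ns):
    ET.register_namespace("", default_ns)  # emit xmlns="..." rather than ns0:
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def part_type(name, manifest):
    """Resolve a part's content type: Override by part name, else Default by extension."""
    root = ET.fromstring(manifest)
    for o in root.iter(f"{{{CT_NS}}}Override"):
        if o.get("PartName") == "/" + name:
            return o.get("ContentType")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    for d in root.iter(f"{{{CT_NS}}}Default"):
        if d.get("Extension").lower() == ext:
            return d.get("ContentType")
    return None


def prune_rels(rels_name, data, kept):
    """Drop relationships pointing at parts that were not carried over."""
    base = posixpath.dirname(posixpath.dirname(rels_name))  # "word/_rels/x.rels" -> "word"
    root = ET.fromstring(data)
    for rel in list(root):
        if rel.get("TargetMode") == "External":
            continue  # hyperlinks to external URLs are left to a separate policy
        target = rel.get("Target")
        resolved = target.lstrip("/") if target.startswith("/") else posixpath.join(base, target)
        if posixpath.normpath(resolved) not in kept:
            root.remove(rel)
    return serialize(root, REL_NS)


def build_manifest(kept):
    root = ET.Element(f"{{{CT_NS}}}Types")
    defaults = {"rels": RELS_TYPE, "xml": "application/xml"}
    for ext, ct in defaults.items():
        ET.SubElement(root, f"{{{CT_NS}}}Default", Extension=ext, ContentType=ct)
    for name, ct in sorted(kept.items()):
        if defaults.get(name.rsplit(".", 1)[-1].lower()) != ct:
            ET.SubElement(root, f"{{{CT_NS}}}Override", PartName="/" + name, ContentType=ct)
    return serialize(root, CT_NS)


def disarm(package):
    """Return (rebuilt package bytes, list of part names that were not carried over)."""
    src = zipfile.ZipFile(io.BytesIO(package))
    manifest = src.read("[Content_Types].xml")
    kept, dropped = {}, []
    for info in src.infolist():
        name = info.filename
        if name == "[Content_Types].xml" or name.endswith("/"):
            continue
        ct = REMAP.get(part_type(name, manifest), part_type(name, manifest))
        (kept.__setitem__(name, ct) if ct in ALLOWED else dropped.append(name))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        dst.writestr("[Content_Types].xml", build_manifest(kept))
        for name, ct in kept.items():
            data = src.read(name)
            dst.writestr(name, prune_rels(name, data, kept) if name.endswith(".rels") else data)
    return out.getvalue(), dropped


def parts_of(package):
    """Helper for inspection: map of part name -> decoded content."""
    z = zipfile.ZipFile(io.BytesIO(package))
    return {n: z.read(n).decode("utf-8", "replace") for n in z.namelist()}


def build_sample_docm():
    """Constructed sample: a macro-enabled document carrying a (placeholder) VBA project."""
    w = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    rt = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    parts = {
        "[Content_Types].xml": (f'<Types xmlns="{CT_NS}"><Default Extension="rels" ContentType="{RELS_TYPE}"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
            '<Override PartName="/word/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"/></Types>'),
        "_rels/.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{rt}officeDocument" Target="word/document.xml"/></Relationships>',
        "word/document.xml": f'<w:document xmlns:w="{w}"><w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>',
        "word/_rels/document.xml.rels": (f'<Relationships xmlns="{REL_NS}">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            f'<Relationship Id="rId2" Type="{rt}styles" Target="styles.xml"/>'
            f'<Relationship Id="rId3" Type="{rt}hyperlink" Target="https://example.com/" TargetMode="External"/></Relationships>'),
        "word/styles.xml": f'<w:styles xmlns:w="{w}"/>',
        "word/vbaProject.bin": "PLACEHOLDER-VBA-PROJECT-BYTES",  # stands in for a real OLE/VBA container
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    clean, dropped = disarm(build_sample_docm())
    print("dropped:", dropped)
    print("rebuilt parts:", sorted(parts_of(clean)))
```

The design point is that nothing here inspects the VBA bytes or recognises them as malicious; the part is left behind because its type is not on the list of things a document needs, which is what makes the approach independent of whether the user, or a signature, would have spotted the threat.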
Creating a successful cybersecurity culture requires training and technology to work together if organisations are to build an effective defence. In the face of growing risks and more sophisticated attacks, it’s a change of approach that can deliver transformational benefits.