Podcast Security Culture

Why We Should Lead With The Carrot, Not The Stick

James McQuiggan
12.07.2021

Illustration by Calum Heath

James McQuiggan, Security Awareness Advocate at KnowBe4 believes we need to embrace the new school approach to security education and start to make the most of the human factor.

Listen to the full podcast here, or read on for James McQuiggan’s top three takeaways.

The new school approach to security education is designed with the end-user in mind

I got into security awareness over 11 years ago. Back then, cybersecurity training consisted of a lunch and learn with a PowerPoint presentation, and perhaps some donuts to entice people. You may also have had computer-based training where you go through and click ‘next’ repeatedly until you reach a 5-question multiple-choice quiz. That was it. You might remember the information, you might not. Most of the time, if you weren’t interested, you wouldn’t.

The new school approach to security education is based on totally different concepts and includes a variety of different factors. It is not just computer-based training once a year. At its core, the new school version must be engaging and interesting, and needs to appeal to the end-user. The end-user should feel a connection to it so that they are compelled to take an interest in security, to make them think twice about clicking a phishing link, or reusing a password. So, helping employees connect with security will drive an overall security culture change. If users don’t relate to it, they’re not going to care. 

Security education should be creative and reflect the culture of the organization

Consider some of the training sessions you must do – accounting, finance, or expenses. It is very difficult to learn if you are only doing it because your boss told you to, and you don’t really care about the subject. 

A security awareness program should be more engaging, whether it is posters, newsletters, animations, or a weekly video. Organizations should be doing different things every month or every week to help reinforce the information throughout the year. Ideally, you want employees to enjoy engaging with the security program, and to do this we need to lead with the carrot and not the stick.

For example, a friend of mine is a CISO at a law firm and he runs a monthly contest. Whoever spots the most phishing emails gets their name on the notice board and a $25 gift card for coffee. What has become clear is that the employees could not care less about the gift card! They want to see their name on that list – and they want to see it at the top – it’s a competition for them. 

So, you want to find what works within your culture to get people interested and take it seriously. Whether it is a board, recognition, a coffee mug, a shirt, understanding the culture of your organization and reflecting that in your security program goes a very long way.

Humans can be cybersecurity’s strongest asset – they’re just not getting the right training

Well over 50% of data breaches are the result of some kind of human interaction – whether someone misconfigured a firewall or a user clicked on a phishing email. This means that humans must be the weakest link when it comes to cybersecurity – right? 

It’s not that simple. A recent report from an identity resource group analyzed a variety of different organizations and their budgets. The report revealed that about 3% of the average organization’s cybersecurity budget goes towards training – towards the human aspect. That’s just 3% on training your developers, training your security team, and security awareness training for employees. 

So only $30k of a $1 million budget would go towards training, and when you’ve got so many data breaches being caused by human action, that’s not a lot of money. People love to say that humans are the weakest link, but I think that humans can be the strongest link, and companies just aren’t training them.

For more from James on security education, the rise of ransomware, and the human factor, listen to our RE: Human Layer Security Podcast episode.