In the summer of 2021, analyst firm Gartner published its Market guide for security awareness computer-based training. It reported that the human element continues to be a primary catalyst for data breaches, involved in 85% of them, with phishing accounting for 36% of breaches.
One recent attack that made the headlines occurred at Intuit Mailchimp, the marketing automation platform provider, in January 2023.
Discussing the challenges in training and protecting users, the company’s chief technology officer (CTO), Eric Muntz, says: “It is really tough protecting people against social engineering attacks. I would encourage other leaders to, first and foremost, talk about it and make it part of onboarding and training.”
Mailchimp runs demonstrations during “coffee hour”, where speakers are invited in to demonstrate styles of attack. “It’s about education,” says Muntz.
The growth of post-pandemic remote working practices has exacerbated the risks of organisations being compromised by social engineering attacks.
Despite bringing a multitude of benefits, including improved motivation and greater flexibility, nearly a fifth of IT professionals say workers aren’t secure when working remotely. People tend to work in isolation, and while they may use collaboration tools for communicating with colleagues, email is also still used for internal communications. Data from Statista shows the number of email messages is set to rise to 376 billion globally by 2025.
The training element in a cyber security strategy
It’s important, therefore, to understand the current security risks facing remote workers, and how organisations can educate staff to reduce them.
IT security expert Jamal Bihya, who is the author of GigaOm’s latest Security awareness and training report, believes business leaders need to assess how much security is required in their “human firewall”.
“The idea is that security warrants training, which targets the general employee,” he says.
While it is highly unlikely organisations can provide sufficient training to remove 100% of those attack vectors that target users, Bihya believes organisations need to aim to make IT security awareness among their staff a “reflex action”.
But according to William Candrick, director analyst at Gartner, the challenge with traditional training is that it attempts to address perennial issues, such as email phishing and social engineering attacks.
Research from Gartner shows that while 82% of data breaches involve human error, 69% of employees bypass cyber security guidance. Moreover, 93% of them know their actions create cyber risk.
Candrick argues that their actions are not malicious, with 29% citing speed and convenience as the reason for working around the cyber security measures their organisations have in place. Gartner’s research shows that 18% of these people believe business objectives outweigh the impact to cyber security.
“The motto is to make the easy way the secure way and use security by design to embed security principles into existing workflows,” says Candrick.
Gartner’s research is reflected in a survey from HornetSecurity, which found that 74% of remote staff have access to critical data when working remotely. On top of this, work is no longer limited to one device, with cloud systems allowing employees to log into work accounts on personal computers, tablets and smartphones. According to HornetSecurity, 15% of employees use their own devices to carry out work-related tasks.
Daniel Hofmann, CEO of HornetSecurity, warns that this blurring of work and personal life makes it easy for confidential documents to be saved and shared on unprotected networks. As an example, he says: “Last year, Suella Braverman resigned from her position as home secretary after admitting to sending an official document to a fellow MP from her personal email address.”
Hofmann points out that private chat services like WhatsApp are often used for business communications, with confidential documents frequently being shared via such applications.
In Hofmann’s experience, file sharing has quickly become a common source of cyber security incidents. “It is posing a unique risk to organisations as they commonly don’t have any control over the security of personal or external networks,” he says.
Education holds a significant role in the creation of a robust and resilient cyber security ecosystem. Hofmann believes that by implementing a more comprehensive and inclusive level of cyber security training, remote employees will be more aware of the current threat landscape and how their actions may put the organisation at risk of a breach.
“Tackling the cyber security knowledge gap among employees is essential to the creation of a robust security system,” he says. “However, increased education isn’t enough. Better awareness needs to be backed up with a security solution that includes robust email security functionality for prevention, as well as backup capabilities for recovery.”
Another report, Forrester Wave: Security awareness and training solutions, Q1 2022, also reported a change in training providers’ approach to IT security training and awareness. With employees operating remotely or on site, security awareness is now borderless. The analyst firm recommended that IT security leaders instil a “security everywhere” culture across their organisation.
The Forrester report found that many IT security training providers have risen to the challenge, creating what its authors describe as “solutions that no longer function solely to train people for the sake of it”. According to the report, behaviour and culture change became a reality in the IT security training market. This, it noted, is a far cry from 2020’s market, which was full of legacy providers that were out of date and out of touch with users.
While preparing the report, Forrester found the conversations its analysts had with training providers were “full of vendors paying lip service to awareness, behaviour and culture change”. The analysts reported that many had a limited vision of how to change behaviour or instil a culture, and quickly reverted to describing their content and quizzes as ways to measure employee engagement and behaviour.
To achieve an improvement in awareness, behaviour and culture change, Forrester urges chief information security officers (CISOs) to make reducing human risk their goal. “Look for vendors that offer human risk quantification and calculate risk based on actual user behaviour, not quiz and simulation scores,” the report noted.
Forrester warned that traditional metrics like training completion rates, quiz performance and engagement metrics are fundamentally flawed: “At best, these input metrics only tell you how to improve training, ignoring how you can improve behaviour, instil culture, or bolster your cyber security posture.”
Choose suppliers that can help measure your employees’ human risk score. Once you know the risk profile of an individual or department, you can adjust your training and gain valuable insights about where to improve your security programme.
Building out security awareness
When looking at how best to improve cyber security training and education, the authors of Gartner’s Market guide for security awareness computer-based training urged CISOs to avoid limiting security awareness to phishing simulation and computer-based training. The report found that the leading training platforms augment the execution of a multichannel, context-specific and employee-centric approach to educate employees and change behaviours.
According to Gartner, the success of security awareness programmes depends on having clearly defined objectives, sustained executive sponsorship and collective organisation-wide involvement. Gartner’s research found that IT security training providers are increasingly using scoring methodologies with the intent of helping organisations quantify the human risk element and deliver more personalised security awareness programme content.
There is also growing interest in managed service providers of security awareness training, which assist organisations in orchestrating many elements of training in the absence of employees dedicated to security awareness programmes.
Finally, looking at some of the new technologies appearing in cyber security training platforms, Gartner’s Candrick says behavioural science is an emerging area of training. This starts the training from a psychology and academic perspective rather than starting with security. It uses techniques like “nudge theory” and behavioural economics to improve employees’ cyber security awareness.
Candrick says automation can be combined with monitoring tools to train users dynamically when they try to do something that breaches the corporate security policy.
What is clear from the research, and from the experts Computer Weekly spoke to, is that there is a gap in existing cyber security training: it ignores the changes in working practices that have occurred over the past few years.
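To make concrete both the behaviour-based human risk scoring that Forrester and Gartner describe above and the dynamic, policy-triggered training Candrick mentions, here is an added example. It is not code from Computer Weekly, Gartner or Forrester, nor from any training vendor. The event kinds, their weights, the nudge wording and the threshold are all assumptions chosen for illustration; the events themselves are constructed rather than real telemetry.

```python
"""Behaviour-driven human risk scoring with just-in-time nudges (added example)."""

from collections import defaultdict
from statistics import mean

# Constructed behaviour events. A real programme would ingest these from
# email-security, DLP or endpoint telemetry; the schema here is an assumption.
EVENTS = [
    {"user": "alice", "dept": "finance", "kind": "reported_phish"},
    {"user": "alice", "dept": "finance", "kind": "sim_click"},
    {"user": "bob", "dept": "finance", "kind": "personal_device_login"},
    {"user": "bob", "dept": "finance", "kind": "external_share"},
    {"user": "bob", "dept": "finance", "kind": "sim_click"},
    {"user": "carol", "dept": "engineering", "kind": "reported_phish"},
    {"user": "carol", "dept": "engineering", "kind": "reported_phish"},
    {"user": "dave", "dept": "engineering", "kind": "external_share"},
]

# Assumed weights: positive values are risk-increasing behaviours, negative
# values are protective ones. Quiz scores deliberately play no part.
WEIGHTS = {
    "sim_click": 3,             # clicked a link in a phishing simulation
    "external_share": 4,        # sent a document to an external or personal channel
    "personal_device_login": 2,  # logged in to a work account from an unmanaged device
    "reported_phish": -2,       # reported a suspicious email to the security team
}

# Assumed just-in-time training messages shown at the moment of the action.
NUDGES = {
    "sim_click": "That link was a phishing simulation. Hover over links to check "
                 "the destination, and report anything unexpected.",
    "external_share": "This file is leaving the company. Use the approved sharing "
                      "service so access can be revoked later.",
    "personal_device_login": "You are signing in from an unmanaged device. Work "
                             "data on it is outside the company's protection.",
}


def user_risk(events):
    """Sum weighted behaviours per user; protective actions can offset risk
    but a score never drops below zero."""
    totals = defaultdict(int)
    for ev in events:
        totals[ev["user"]] += WEIGHTS.get(ev["kind"], 0)
    return {user: max(0, score) for user, score in totals.items()}


def department_risk(events):
    """Average the per-user scores within each department, so a training
    lead can see which teams need attention rather than only individuals."""
    scores = user_risk(events)
    members = defaultdict(set)
    for ev in events:
        members[ev["dept"]].add(ev["user"])
    return {dept: mean(scores[u] for u in users) for dept, users in members.items()}


def prioritise(events, threshold):
    """Users whose score meets the (assumed) threshold, highest risk first;
    these are the people whose training content should be adjusted."""
    scores = user_risk(events)
    above = [(u, s) for u, s in scores.items() if s >= threshold]
    return [u for u, _ in sorted(above, key=lambda item: (-item[1], item[0]))]


def nudge_for(event):
    """Return the just-in-time message for a policy-relevant action, or None
    when the behaviour is benign and no interruption is warranted."""
    return NUDGES.get(event["kind"])


if __name__ == "__main__":
    print("per-user risk:", user_risk(EVENTS))
    print("per-department risk:", department_risk(EVENTS))
    print("needs targeted training:", prioritise(EVENTS, threshold=3))
    for ev in EVENTS:
        msg = nudge_for(ev)
        if msg:
            print(f"[{ev['user']}] {msg}")
```

The design point is that every number in the output comes from something a person actually did, which is what the Forrester report asks CISOs to look for; the nudge is delivered against the triggering event rather than as a scheduled module, which is the automation-plus-monitoring pattern Candrick describes.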
Nudge theory may seem novel, and the style of cyber security integration Gartner’s Candrick describes could be deemed too intrusive. Nevertheless, these may offer CISOs a way forward in cyber security training to equip employees with the best set of security skills for hybrid work patterns.