Why Businesses Need a Fresh Approach to Cybersecurity Training

Danny Lopez, CEO of Glasswall, discusses the right culture, how to report security incidents without fear, and more.

In millions of businesses worldwide, user awareness training has become a de facto requirement in the fight against cybercrime. It’s easy to see why; people are often the weak link in the security chain and leaders rightly believe that employee-led good practice can play an important role in preventing security breaches.

Training is also something of a legacy process, having been used long before today’s sophisticated security technologies were around to improve protection. Compared to many of those technologies, it remains a cheap and straightforward way to take preventative action.

Given the volume and obvious success of current cybercrime tactics, focusing on the human factors behind failures in security remains key. One study from Stanford University Professor Jeff Hancock and security firm Tessian, for example, revealed that nearly 90% of breaches occur as a result of human error. It’s no surprise, therefore, that many millions of people will be familiar with training sessions reminding them about the importance of cyber hygiene and online safety.

A False Sense of Security

And therein lies a serious problem. Despite the widespread reliance on end user training, people remain vulnerable to making mistakes – for very understandable reasons – that can lead to serious security breaches.

Whether the trigger is opening an attachment that looks completely legitimate or clicking a web link that appears trustworthy, the resulting ransomware attack or network intrusion can be devastating. But organisations that expect their employees to remember and apply every aspect of their cybersecurity training are operating under a false sense of security.

These issues can also translate into organisational culture, where the cybersecurity rules communicated during end user awareness training are rigidly enforced. In this context, employees are seen as the first and primary line of defence against cyberattacks, an approach that can do more harm than good if people are afraid of the repercussions should they make a mistake that results in a breach. In fact, there are situations where a strong enforcement culture means people prefer to stay silent rather than report potential security incidents.

An interesting example is the risk posed by file-based threats, which cybercriminals commonly use to deliver a huge range of malware, ransomware and other malicious payloads. Cybersecurity awareness training will almost always advise people to take care when opening attachments or clicking on links, either from unexpected sources or if there is any reason to be suspicious. Yet people forget this advice, or the email and attachments are so convincing that they think it’s fine to proceed.

Taking the Pressure Off

But there is another way, which relies on building a proactive culture where employees are actively encouraged to report security incidents without fear. There’s no doubt that organisations where people feel empowered to share concerns or admit potential mistakes are likely to be more secure than those that simply enforce rules. The primary benefit is that security and IT teams can investigate and act on potential incidents much more quickly when the alarm is raised. The alternative is that breaches go undetected for days, weeks or even longer, during which time huge damage could have been done.

This approach still focuses on the important role cybersecurity training plays, but sees it as part of a wider strategy where proactive technology solutions take the pressure off employees to police their own network perimeter. It’s important to note that this is not the same as the widespread reliance on reactive cybersecurity, such as antivirus and sandboxing solutions, which can leave networks with gaps in protection.

Take zero-day vulnerabilities, for example, where new exploits or malware operate unknown to these reactive technologies for days or even weeks before they are updated to provide protection. During that time, organisations are vulnerable to attack, and even the most well-trained employees can’t be expected to eliminate every risk. Instead, employees should be supported by technologies that proactively identify and mitigate threats in files and documents so they can work securely and without any impact on productivity.

Given the dynamic nature of cybersecurity risks, it’s important that employees are asked to form part of the solution, so that they feel comfortable taking responsibility for cybersecurity knowing they aren’t in the firing line. In these organisations, proactive technologies deny cybercriminals the opportunity to use files and documents as one of their main lines of attack. In doing so, training can refocus on building a security culture where people truly become part of the solution.

By Danny Lopez, CEO of Glasswall.

Guest Contributor