When was the last time you did compliance or induction training that you found really engaging?
For me, it was learning to extinguish a fuel fire in half a forty-four-gallon drum at a mine in Papua New Guinea.
Far away from cloistering Australian OH&S laws, someone had decided that if we were to ever successfully fight a fire it might be useful to have put one out. It was fun, but the heat of the blaze let you know that there was real danger. You felt it, you smelled it, and as they gave you the extinguisher and sent you towards the fire (and to be clear no one was made to do it) there was no doubt that you were paying attention – your own skin was on the line.
And I’ll never forget the way the fire flashed back, after being knocked out by the CO2 extinguisher. I learned three important things that day:
- Fires knocked out by a CO2 extinguisher flash back once the CO2 dissipates (the Boss was wrong – you can start fire without a spark).
- Running at a serious fire with an extinguisher would be a dumb thing to do – seriously small fires only.
- You learn best when your own welfare is at stake.
Cyber Security Awareness Training
Cyber Security Awareness Training probably can't benefit much from adapting points 1 and 2. Point 3, however, that you learn best when your own welfare is at stake, has broad applicability.
Sadly, like other compliance and safety training, Cyber Security Awareness Training has had a bit of a "yawn factor", particularly when it was all about the office's IT systems. Things are different now: any organisation not running a comprehensive cyber security awareness programme is neglecting one of the most cost-effective investments in IT security.
So what's changed? Self-interest. In the Information Age, staff depend on cyber security in their private lives as much as they do in their professional lives – perhaps even more so. The key to building an effective cyber security awareness programme is to show staff that they need to protect themselves, and then show them how to protect themselves. Or, as Jack Lang put it, "always back self-interest; at least you know it's trying."
Teaching staff how to secure their own devices, how to safely use the internet and how to spot malicious emails will have greater impact if the consequences of poor security are related back to the individual.
Getting staff engaged takes a mixture of relevant and interesting messages, delivered at regular intervals through both traditional and innovative channels (email, web-based training, SMS, engagement on forums and so on).
If you use these channels to give staff the information to secure their private digital life, they are far more likely to take notice and adopt the practices recommended, and they will bring that same approach and philosophy to their professional digital life.
Some might criticise this approach for not being sufficiently targeted at the security of business systems. But this actually highlights one of the great strengths of cyber security awareness programmes, and cyber security awareness training – the information and skills learned are highly portable.
Malware in Email
To understand what I mean, consider one of the ongoing scourges which is again doing the rounds: Malware in Email.
Across my career I’ve probably seen ten new generations of products designed to deal with malware in email; it’s by no means a new problem. Each security response to malware has initially been quite successful, with effectiveness atrophying over time as attackers develop new techniques, often with minimal effort, to bypass the protection.
For example, a recent adaptation by attackers has been to build sandbox detection into their malware. When first run, the malware checks whether it is inside an analysis sandbox (the automated environment in which an email gateway detonates attachments before delivery) and, if so, exits before executing any of its malicious code. The gateway sees a harmless file and lets it through; the malware runs its payload only once it reaches a real workstation.
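To make the sandbox check concrete, here is an added example (not code from the article or its author) of the kind of cheap heuristics such malware uses, followed by the defender's counter-move of making the sandbox look like a real workstation. Rather than probing the live machine, the checks run over a constructed host profile so the script is deterministic and runs offline; the process names, thresholds and profile values are assumptions chosen for illustration.

```python
"""Sandbox-evasion heuristics of the kind the article describes.

Added example, not the article's code. The checks run over a HostProfile
rather than the live machine so the example is deterministic and offline;
the artefact names, thresholds and profiles are assumptions for illustration.
"""
from __future__ import annotations

import time
from dataclasses import dataclass, field


@dataclass
class HostProfile:
    """A snapshot of what malware can cheaply observe about the host it runs on."""
    cpu_count: int
    ram_gb: float
    uptime_seconds: int
    recent_documents: int                       # entries in the user's recent-items list
    running_processes: list[str] = field(default_factory=list)


# Process names that betray a virtualised analysis host (assumed, illustrative set).
ANALYSIS_ARTEFACTS = {"vboxservice.exe", "vmtoolsd.exe", "procmon.exe", "wireshark.exe"}


def sandbox_indicators(profile: HostProfile) -> list[str]:
    """Return the reasons this host looks like a sandbox; an empty list means 'looks real'.

    Each check targets a corner an automated sandbox typically cuts: a tiny VM,
    a freshly booted image, no user history, and visible analysis tooling.
    """
    reasons: list[str] = []
    if profile.cpu_count < 2:
        reasons.append("single vCPU")
    if profile.ram_gb < 4:
        reasons.append("less than 4 GB RAM")
    if profile.uptime_seconds < 10 * 60:
        reasons.append("booted less than 10 minutes ago")
    if profile.recent_documents == 0:
        reasons.append("no recent user documents")
    found = ANALYSIS_ARTEFACTS.intersection(p.lower() for p in profile.running_processes)
    if found:
        reasons.append("analysis tooling present: " + ", ".join(sorted(found)))
    return reasons


def sleep_was_accelerated(sleep_fn, requested: float = 0.2, tolerance: float = 0.05) -> bool:
    """Timing check: sandboxes often patch sleep calls so that a sample which delays
    itself does not run out the analysis clock. If less wall-clock time passed than
    was requested, the sleep was skipped and we are probably being analysed."""
    start = time.monotonic()
    sleep_fn(requested)
    elapsed = time.monotonic() - start
    return elapsed < requested - tolerance


def should_run_payload(profile: HostProfile, sleep_fn=time.sleep) -> bool:
    """The decision the article describes: stay dormant on a sandbox, run otherwise."""
    return not sandbox_indicators(profile) and not sleep_was_accelerated(sleep_fn)


# Constructed profiles: a bare analysis VM versus a realistic workstation.
BARE_SANDBOX = HostProfile(cpu_count=1, ram_gb=2, uptime_seconds=90, recent_documents=0,
                           running_processes=["VBoxService.exe", "explorer.exe"])

REAL_WORKSTATION = HostProfile(cpu_count=8, ram_gb=16, uptime_seconds=3 * 24 * 3600,
                               recent_documents=37,
                               running_processes=["explorer.exe", "outlook.exe"])

# The defender's counter-move: a sandbox dressed up to pass the same checks. This is
# the "until someone changes the program" cycle the article describes; the attacker's
# next generation will look for something else.
HARDENED_SANDBOX = HostProfile(cpu_count=4, ram_gb=8, uptime_seconds=2 * 24 * 3600,
                               recent_documents=12,
                               running_processes=["explorer.exe", "svchost.exe"])


if __name__ == "__main__":
    for name, profile in [("bare sandbox", BARE_SANDBOX),
                          ("real workstation", REAL_WORKSTATION),
                          ("hardened sandbox", HARDENED_SANDBOX)]:
        print(f"{name}: indicators={sandbox_indicators(profile)}, "
              f"payload would run={should_run_payload(profile)}")
```

The point for defenders is the asymmetry: each heuristic is a few lines for the attacker, while closing it means re-engineering the sandbox image (realistic hardware, uptime, user history, renamed or hidden agents, unpatched sleeps), and the attacker simply picks a new tell afterwards.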
With this small change, and a host of other adaptations, attackers continue to find ways to nullify the investment in technical controls. It’s pretty simple – computers follow a program accurately. If that program is a defensive program, and you find a way to slip through, then you will slip through every time until someone changes the program.
Humans are different. Their ability to abstract knowledge and then apply it in a different context is a key survival trait. Cyber security awareness information sticks and adapts because the brain can abstract knowledge and apply it to new situations – especially when it was first planted as a matter of self-interest. In fact, cyber security awareness training is quite resistant to disruption and normally provides a long-lasting return on investment.
Fifteen years ago, in security awareness training, we were saying "be sceptical of what you receive via email", "don't open attachments from people you don't know", "don't run macros in Office documents unless you have to", and so on. That simple advice about dealing with email is still highly applicable today. And unlike the latest technical countermeasure, the small investment you make in cyber security awareness isn't nullified every time the attackers figure out a new trick.
Now, this isn’t saying you should turn off all your countermeasures by any means. Rather it is highlighting that the innovation cycle around attacks and resulting countermeasures will inevitably leave gaps in the effectiveness of countermeasures. The security awareness of your staff provides critical protection during these unavoidable gaps.
Likewise, it is also recognising that information systems give staff power and leverage. Suggesting that their awareness of cyber security is not part of the solution is a bit like saying drivers' attitudes have nothing to do with road safety.
There is one final important thing about cyber security awareness: while it has a direct benefit in terms of reducing susceptibility to cyber attacks, it is also a grassroots campaign that leads to that most critical outcome – making cyber security part of the culture. Once cyber security is part of the culture, the people in your organisation help you secure the business – often in ways that will never even be noticed.
Stop a phishing email from reaching a team member and you protect them for the day. Teach them how to spot a phishing email and they will protect themselves, their friends and co-workers, and the business, for life.
About the Author
Clem Colman is an experienced business leader and IT Security specialist.
He is a Principal Consultant at UXC Saltbush.