Security Think Tank: New trends and drivers in cyber security training

Phishing and other threats

Phishing remains one of the biggest threats that everyone faces. Fraudsters and cyber criminals have different and variable tactics for phishing campaigns. These bad actors have and will continue to adapt to increasingly prepared workforces. Gaining access to user accounts is almost always a motive. Spear-phishing is the more highly targeted variant, wherein executives and administrators are the intended victims. Email used to the be primary vector for phishing. It still is a highly used channel, but cybercriminals now also use SMS text messages, other messaging apps, social media messaging, and phone calls (sometimes called vishing, for voice phishing). Enterprise cyber security training programs have traditionally focused on the email vector, but they also need to take into account the variety of attack channels to show users what kinds of phishing content may appear in all these different communications platforms.

But phishing is not the only subject for cyber security training. Other subjects that users need periodic reminders about include deterring tailgating into facilities (bypassing physical access controls), password management, how to handle removable media, using only sanctioned cloud services, not sending company data and personal information over unapproved channels such as personal email, not revealing company information on social media, avoiding using public wireless networks, using VPNs, and so forth. 

Most training of this nature is designed to raise user awareness to prevent user errors that lead to cyber security incidents. But employees need to know what to do when something bad happens. What should they do when they receive a phishing email? What should they do when they believe that confidential information has been compromised? What should they do when ransomware detonates on their machines?

Most companies have policies for many such situations, but assessing user responses and providing guidance in the case of cyber security incidents can go a long way to reducing the damage that can be done.

Evolution of training formats and trends

When organisations began conducting cyber security training in the 2000s, it was generally an annual exercise. Those training classes for the general user population may have been offered at employee onboarding only or annually for all employees for an hour or two.

Today we see companies and cyber security training service providers offering much more frequent sessions, sometimes even on a monthly basis. However, the more frequent training programs are shorter in duration. In fact, some sessions may only be three to five minute refresher videos and quizzes.

Shorter and more frequent training sessions offer multiple advantages, such as less time out of the workday at once, increased user participation, and greater user satisfaction. Perhaps most importantly, the training material can be updated faster to reflect the constantly changing threat landscape.

Videos are the preferred format, but user interaction is key. Training sessions start with reminders and updates about the threat landscape. Real-world examples have the most impact. Leverage cyber security news stories that have been publicised. Testing users’ knowledge at the end of each session can be enlightening for organisations to gauge the susceptibility of the workforce to prevailing attacker techniques and better quantify those risks. This can serve as a feedback loop for additional training, augmentation of training and other security controls. Testing can also be fun for the users if done right, with rewards and positive reinforcement for participation and correct answers.

Current training regimes also feature self-paced learning. Users receive invitations to take training when it fits their own schedules. This avoids conflicts with other work. Of course, deadlines and reminders to need to be put in place to ensure that training takes place. On the other hand, there is value to having short training sessions that interrupt non-critical work. This is to address situations when users are indeed busy and are more likely to make mistakes in judgment that adversely affect organizational security posture.

There are a number of cyber security training services to choose from that offer these kinds of training in multiple formats and styles. With account takeover and ransomware attacks proliferating, now is the time to emphasise cyber security best practices amongst your user populations.

Recommendations

• Increase the frequency of cyber security training sessions for your employees, while decreasing the duration of each session.
• Ensure that new training content is based on up-to-date threat information.
• Look for cyber security training services that provide customizable content that meet the needs of your organisation.
• Promote an open culture that encourages users to report suspicious behaviour and rewards cyber security vigilance.