Maksim Kabakou - Fotolia

Security Think Tank: Poor training is worse than no training at all

Bad security training is a betrayal of users, a security risk, and ultimately a waste of money, but there are some reasons to be optimistic about the future, say Mike Gillespie and Ellie Hurst of Advent IM

Ellie Hurst, Advent IM
Mike Gillespie

Published: 08 Feb 2023

A change is underway in security training of all kinds. Security managers are being asked to step up and make a real difference in training; shape and support learning in more business-collaborative ways than ever before – stepping out from behind the locked door.

There has long been a mindset of security training consisting of 20 minutes of e-learning a year being just enough, or a signed policy which ignored any genuine understanding (or lack of) on the behalf of the user to ensure the ticking of a box to satisfy an audit.

But we all know that this is not the way to engage users or to ensure they behave securely. It is the way to alienate and create an atmosphere of mistrust that actually does more harm than good.

Ok, we may be describing the worst-case scenario, however, we actually do think that poor training is worse than no training at all.

This is because poor training creates the illusion that the management have done all they need to do about security training and it's no longer an issue or risk, whilst still leaving the workforce wholly unprepared to be part of the organisation’s security defences. It creates a false sense of complacency, and one that can be crippling in the long run.

A glimpse at the level of successful phishing campaigns that deliver the majority of toxic payloads onto businesses should put paid to any such thinking on the readers behalf. Poor training is a betrayal of users, a security risk and a waste of money.

There are glimmers of optimism however. Organisations are finally starting to evolve their thinking about training, and we are now moving toward training that is tailored for roles and departments, uses language and scenarios that resonate with users and is regularly updated. A good start, but still not the end of the training journey.

Within six months of training, most people have forgotten the majority of what they learnt if they don’t apply it regularly, so making training sticky in a variety of formats is the new black and our training strategy must include having content as re-educated into organisations. This will make it easier for the user to do the right thing when they are faced with a challenge.

Having visible leadership buy-in is also proving to be a great improvement in how effective training is in changing behaviours. Because that, after all, is what we are trying to affect with our programmes.

Another change is the way we issue technology and how we support it through training. This isn't an overt security matter but it has a big impact on security and effective risk management.

Drive safely

Businesses need to evaluate the level of technology they issue to users and make sure they have trained and educated those users how to use that technology to its maximum.

Imagine buying your employees supercars but never showing them the best and safest way to drive them at high speed. It’s a waste of money and could also mean they use it riskily because they have not had enough guidance or experience.

For a long time, businesses got round it by effectively saying to users, you can only drive your supercar in a highly controlled track environment and then only up to third gear and expecting that to solve the problem.

Training users in how to use more complex technologies from the start is a much better idea, but if you don’t want to do that then, sorry, but it will be Robin Reliants with speed limiters all round. Perhaps a more cost effective and appropriate deployment!