To truly increase cyber resilience, cyber security training is going to need to focus on changing human behaviour
Earlier this year, the UK government released its latest report on cyber security breaches amongst UK businesses.
The findings were somewhat disheartening.
According to the report, almost half of all UK businesses suffered some form of cyber security breach in the past 12 months.
Worse still, an even greater 62% of all “info/comms/utilities” businesses were victims of an attack during the same time period.
It seems increasingly stringent regulation is having little effect on breaches – which highlights something interesting.
In its current form, cyber security training isn’t doing its job.
From looking at the training itself, it’s not hard to see why.
Most of today’s cyber security training is a tick-box exercise.
Businesses, rightly, want to remain ‘compliant’. In turn, training suppliers often offer training aimed at keeping businesses compliant.
Whilst all seems well on paper, it’s a state of affairs that frequently relegates training to little more than a compliance tool, as opposed to a method of truly increasing cyber resilience. And that’s not just our opinion, either.
94% of businesses unable to calculate ROI
According to the government’s new report, businesses evaluate the effectiveness of their cyber security spend by monitoring compliance over and above any other metric.
The second most trusted metric?
Qualitative feedback from management.
Only 25% use penetration testing. And 94% are unable to calculate cyber security spend ROI.
So the stats certainly suggest compliance – as opposed to resilience – has become the yardstick for success. Could it be the case, then, that tick-box training is in fact giving cyber criminals an easy ride?
Changing employee behaviour
We’re not suggesting compliance isn’t a valiant goal.
What we are suggesting is compliance and resilience are not synonymous.
To increase a business’s cyber resilience, cyber security training must go beyond maintaining compliance in an effort to change employee behaviour and decrease the risk of cyber attack.
Such training does indeed now exist through companies such as CybSafe. As opposed to a standard comprehension exercise, it draws on learnings from the world of behavioural science to ensure participants change their attitudes and behaviour.
It’s training that isn’t left in a classroom. And, when deployed correctly, it can seriously increase a company’s cyber defences.
Making training real
Here’s what we mean.
Tick-box training traditionally asks participants to read up on cyber security techniques before offering a multiple choice Q&A. An employee reads the material, passes the Q&A and gets back to their job – say, in the case of an energy provider, upgrading customers to a new electricity tariff.
Within the space of a few hours, a participant leaves the jargon-filled world of cyber security behind – and, quite often, many of the important lessons, tips and support with it.
With advanced training, that same member of staff might come into work a few weeks later. She might make herself a coffee, boot up her computer and open her inbox.
Waiting for her might be an unexpected email from a sender she doesn’t recognise. It’s a simulated spear-phishing attack, designed to test cyber resilience in practice.
It’s live training that brings cyber security out of a classroom and into an employee’s working life, with the ultimate aim of changing people’s behaviour.
Learning from human actions
Such training can be evaluated via metrics of immense value, such as frequency of incidents and/or ROI. And it goes even further.
The results of simulated attacks, for example, can be recorded, collated and fed back to information security officers.
Companies can learn which departments are performing well and which aren’t. They can learn which devices pose the biggest threats – and they can do something about it before they become victims of an attack.
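As an added illustration of the collating step described above (this is example code written for this article, not part of the original post and not CybSafe’s own tooling), the following Python script groups constructed simulated-phishing results by department and by device, flags groups whose click rate is too high or whose report rate is too low, and tracks click rate from one campaign to the next. The record layout, the threshold values and the sample data are all assumptions.

```python
from collections import defaultdict

# Constructed sample data: one record per recipient of a simulated phishing email.
# "outcome" is the most serious action taken: "ignored", "clicked" or "reported".
SAMPLE_RESULTS = [
    {"campaign": 1, "dept": "billing", "device": "laptop", "outcome": "clicked"},
    {"campaign": 1, "dept": "billing", "device": "phone", "outcome": "clicked"},
    {"campaign": 1, "dept": "billing", "device": "phone", "outcome": "ignored"},
    {"campaign": 1, "dept": "sales", "device": "laptop", "outcome": "reported"},
    {"campaign": 1, "dept": "sales", "device": "phone", "outcome": "clicked"},
    {"campaign": 1, "dept": "hr", "device": "laptop", "outcome": "reported"},
    {"campaign": 2, "dept": "billing", "device": "laptop", "outcome": "ignored"},
    {"campaign": 2, "dept": "billing", "device": "phone", "outcome": "reported"},
    {"campaign": 2, "dept": "billing", "device": "laptop", "outcome": "ignored"},
    {"campaign": 2, "dept": "sales", "device": "laptop", "outcome": "reported"},
    {"campaign": 2, "dept": "sales", "device": "phone", "outcome": "reported"},
    {"campaign": 2, "dept": "hr", "device": "laptop", "outcome": "reported"},
]


def summarise(results, key):
    """Group records by `key` (e.g. "dept" or "device") and return, per group,
    the number sent, clicked and reported plus click and report rates."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for record in results:
        group = counts[record[key]]
        group["sent"] += 1
        if record["outcome"] == "clicked":
            group["clicked"] += 1
        elif record["outcome"] == "reported":
            group["reported"] += 1
    for group in counts.values():
        group["click_rate"] = group["clicked"] / group["sent"]
        group["report_rate"] = group["reported"] / group["sent"]
    return dict(counts)


def flag_groups(summary, max_click_rate=0.25, min_report_rate=0.5):
    """Return the sorted names of groups that need follow-up training:
    those clicking more often than `max_click_rate` or reporting less often
    than `min_report_rate`. The thresholds are assumed values."""
    return sorted(
        name
        for name, group in summary.items()
        if group["click_rate"] > max_click_rate or group["report_rate"] < min_report_rate
    )


def click_rate_trend(results, key):
    """Click rate per group for each campaign, in campaign order:
    {group: [(campaign, click_rate), ...]}. A falling series is the
    behaviour change the training is meant to produce."""
    campaigns = sorted({record["campaign"] for record in results})
    trend = {}
    for campaign in campaigns:
        subset = [record for record in results if record["campaign"] == campaign]
        for name, group in summarise(subset, key).items():
            trend.setdefault(name, []).append((campaign, group["click_rate"]))
    return trend


if __name__ == "__main__":
    for key in ("dept", "device"):
        summary = summarise(SAMPLE_RESULTS, key)
        for name, group in sorted(summary.items()):
            print(f"{key}={name}: sent={group['sent']} click_rate={group['click_rate']:.2f} "
                  f"report_rate={group['report_rate']:.2f}")
        print(f"needs follow-up by {key}: {flag_groups(summary)}")
    for name, series in sorted(click_rate_trend(SAMPLE_RESULTS, "dept").items()):
        print(f"trend for {name}: {series}")
```

Feeding the same records into both groupings is what lets an information security officer see that a problem belongs to a department (a training issue) rather than to a device type (a hardening issue), or the reverse; the trend view then shows whether a follow-up campaign actually moved the numbers.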
Making the exception the rule
By giving businesses false confidence, compliance-based training might well be giving cyber criminals an easy ride. But, given the emergence of a new wave of training, all is not lost.
Training aimed at changing behaviour is becoming increasingly accessible. And frustrated businesses are becoming increasingly open to its benefits.
A final statistic from the government’s latest report really hammers the point home:
74% of all UK businesses now report cyber security as a high priority for senior management. As time goes on, better training will no doubt become the rule, rather than the exception.
And each business that makes the move will safeguard both itself and our wider society from every new cyber threat we face.