The old saying “employees are your weakest link in cybersecurity” is still frequently heard today. Employees represent a large attack surface, and a single moment of inattention, such as one clicked link or one password entered on the wrong page, can be enough for an attacker to succeed.
Technical measures that detect attacks and limit their impact are available and often implemented. Attackers, however, have a wide range of techniques at their disposal and only need to find one gap. Because technical measures come with a trade-off between usability (employees need to do their job efficiently) and security, they have their limits: a mail filter that blocks every suspicious message also blocks legitimate business. Whatever gets past these controls lands with a person, and at that point the “human firewall” becomes the most important layer of the defense.
To strengthen this layer of defense, many organizations rely on cybersecurity awareness sessions. These range from simple emails with do’s and don’ts to web-based training modules and classroom awareness sessions.
And yet, most traditional security awareness programs are ineffective…
Every organization that takes cybersecurity seriously has adopted some form of campaign on this topic. And yet, a large share of successful attacks still start with this “weakest link”, which indicates that these campaigns are not fully effective. When taking a closer look, most awareness programs share the same flaws.
1. They lack proper success metrics – the focus is on knowledge when it should be on behavior
Success is traditionally measured as “completion of the training” or “a passing mark on the training’s quiz”. Such a metric shows whether participants acquired new knowledge, measured from a compliance viewpoint; what it does not reflect is the change in behavior you want to achieve. People are often very skilled at recognizing the correct answer at the end of the quiz but do not apply that knowledge in their daily work. Behavioral metrics, such as the share of staff who report a simulated phishing email or how quickly the first report reaches the security team, measure what the program is actually trying to change.
2. They lack regular content updates – fail to keep up with the tempo of cybercriminals
Frequently updating the topics and their content is a hard requirement in a dynamic threat landscape. Cybercriminals evolve their methods constantly, so awareness programs must evolve as well, ideally reflecting the lures and techniques the organization is actually seeing in its own inbox.
3. They lack regular engagement – awareness is delivered as a “one-off” exercise
The battle for people’s attention is fierce. In today’s complex organizations, everyone is expected to know the rules and regulations for a wide range of topics. Cybersecurity is often just one of the many topics for which the same activity is repeated every year in order to meet a requirement. Such an approach centers on a periodic “one-off” exercise and leaves no room for more regular, engaging campaigns that keep the topic present between sessions.
4. They lack engaging content – fail to grab people’s attention
All of us have experienced the classic web-based training. You often start with good intentions and skim the content, but end up clicking through the slides as fast as possible to “tick the box”. Content of this kind is not engaging enough, and that diminishes the effectiveness of the training.
5. They lack alignment to business risk – use generic campaigns
Many off-the-shelf awareness solutions exist, and an organization can launch a campaign quickly with limited effort. Yet every organization is different, both in the threats it faces and in the controls it implements to mitigate the risk. Generic campaigns that are not aligned with the actual business risk often miss the point, because the audience does not recognize its own work, systems or threats in the material.