As infrastructure and device-level cybersecurity in the enterprise has become more effective, it has become widely known that the most prominent open threat surface organizations face is their employees. Employees are targeted directly by bad actors on both their organization-owned and personally-owned accounts and devices.
These employee-targeted threats have led in the last year to significant data breaches at companies such as Cisco, Uber, and Microsoft, as well as countless others, as employees make mistakes and fall prey to everything from gift card scams to corporate malware.
Working in personalized managed cybersecurity, we talk to dozens of CISOs every week about how they’re addressing these threats, and one of the common themes we hear is ‘Cybersecurity Training.’ Some of these training programs are adopted voluntarily by company leadership; others are mandated by frameworks such as SOC2, ISO27001, etc.
Cybersecurity training for employees isn’t working.
At most organizations, training looks like a mix of webinars to explain best practices (“use two factor,” “double-check phishing emails,” “use strong passwords,” and so on) and simulated phishing emails.
The reality is that cybersecurity training needs to be fixed. Almost 90% of successful cyberattacks are via employees, and that number isn’t shrinking.
There are three problems with the current regime of cybersecurity training:
First: cybersecurity training stays at work; it never builds good habits. If you’re asked to do something at work and follow a policy, you aren’t changing your way of thinking or your natural behavior patterns. Employees get distracted and fall back on their old routines – or get compromised at home, where they aren’t following the dictates of their training program because they think it’s just busy work.
Second: training addresses a threat model that needs to be updated. It speaks to bad actors targeting corporate infrastructure and devices directly. The scenarios and responses covered speak to the threats our teams faced five years ago, before the rapid rise of employee-targeted digital risks, which come at employees when they’re “off the clock.”
Finally: the reality is that even the best of intentions can’t cover every scenario. It’s a problem if employers think that training alone can mitigate employee-targeted digital risk!
We only need some of the cybersecurity software we run on corporate systems. The failure here is in putting employees in a position where they receive cyber threats but do not have the proper support to protect themselves. Ultimately, it’s impossible, even with excellent training, to avoid every risky situation.
The truth is that cybersecurity training in the workplace needs to be fixed. That’s why employee-targeted digital attacks are successful, and why their share of successful attacks is increasing.
As currently implemented, cybersecurity training feels like an arbitrary punishment to most employees. Rules are dictated and explained; if you get a question wrong or fail a phishing test, you need to sit through remediation. This conditions employees to pass their phishing tests at work but does nothing to instill proper cybersecurity habits or a desire to maintain them once they get outside the classroom environment.
The only way to make workplace training effective is to build a holistic habit of personal cybersecurity and hygiene for your team across their digital lives. Training is one facet of this – the other is personalized managed cybersecurity.