Cybersecurity Training Today is Ineffective

Many businesses are re-examining their cybersecurity practices amid the rise in cyber-attacks. They should be re-examining their cybersecurity training programs at the same time, and making changes.

Businesses around the world are paying more attention to cybersecurity. They are learning that the practices and procedures they have been following are not working and that something needs to change. There are several areas of opportunity for every business out there, but one thing almost every business can agree on is that cybersecurity training, in its current form, is ineffective at best.

Let’s look at some numbers. According to CSO’s 2020 Security Priorities study, 36% of security incidents stem from non-malicious user error, and 27% of respondents said security training for users was inadequate. At the same time, 29% of respondents said that security training interferes with more strategic tasks. Taken together, these numbers indicate that many businesses do not prioritize cybersecurity training and do not treat it as part of their defenses.

The reality these businesses now face is that their customer-facing employees are their first line of defense. Yes, there are many automated systems and security controls running underneath the business at all times. But those systems are not perfect; remember, they were built by imperfect humans. That is why human eyes must also be on the lookout for potential threats. Your security team cannot hover over the shoulders of your employees to ensure they aren’t violating policies (knowingly or not) or clicking links in emails. That is not an economical solution.

“The main reason that cybersecurity training and awareness programs are not effective enough is that these events are one-off and irregular. Information security practices turn out to be disconnected from the real work duties of an employee and are not integrated into the workflow,” says Ekaterina Kilyusheva, head of the Information Security Analytics Research Group at Positive Technologies.

What businesses should be doing is training all employees on cybersecurity, and more than once a year. The Computer Security Act of 1987 (often cited as the Federal Computer Security Act) required periodic security training for federal employees, and the annual cadence that grew out of it is the practice most organizations still follow today. Many businesses do it only for compliance purposes and focus on nothing beyond checking a box. But in 2021, technology is an entirely different realm than it was in 1987. Annual security training is not good enough. Threat actors continually change their tactics and find new ways to breach systems. It’s why we so often say that businesses must stay on top of known vulnerabilities and constantly improve their cybersecurity defenses.

There is a huge disconnect here. How much value organizations place on training varies wildly, and it’s time for businesses to understand that trained employees are fast becoming the last barrier between them and the bad guys. And when the bad guys get through, which they eventually will, whoever is targeted must know how to respond. Whether it’s recognizing a phishing scheme, realizing they have violated an internal security policy (even unknowingly), having credentials stolen because guidelines weren’t followed, or something else, your customer-facing employees must know what to do next and whom to tell.

This isn’t just incident response, however. Incident response is a reactive process. Cybersecurity awareness training is preventative. Secure code, firewalls and geofences, data storage methods and IAM controls are also preventative. Combined, what your security team builds and what your other departments gain through training becomes a substantial deterrent for threat actors, especially those looking for a quick in-and-out scheme who don’t want to jump through hoops. They want an easy way into your systems. Don’t give them one.

The bottom line is that cybersecurity training is imperative for all employees. It needs to happen at least quarterly so that employees can stay abreast of known, active threats. Without this training, how can employees know when they are putting your business at risk?

If your current training methods aren’t working, or you want to revamp your training program but don’t know where to start, consult an expert. There are people who specialize in creating programs that are industry- and job-specific. Using real-world case studies to train employees is vital to the success of your program. Make it fun, make it mandatory for all employees regardless of seniority, and make it relevant.

About the Author

Pieter VanIperen, Managing Partner of PWV Consultants, leads a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as a trusted technical partner for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. He is a 20-year software engineering veteran who founded or co-founded several companies. He acts as a trusted advisor and mentor to numerous early-stage startups, and has held the titles of software and software security executive, consultant and professor. His consulting and advisory work spans finance, media, medical tech, and defense contracting. He also authored the HAZL (jADE) programming language.
