Many organisations are looking to address the cyber risk in the behaviours of their workforce. For some, this reflects an increased awareness of the cyber threat. For others, in the financial sector, for example, who have invested heavily in cyber security, it is because, despite their investment, they remain vulnerable.
The particular challenges they face are the ever-changing threat landscape and a workforce that, in many cases, has not received sufficient training and has to deal with an environment where it is often difficult to work securely while also meeting the requirements of their role.
Most organisations operate through a combination of technology, process and people. In cyber security, the first two actions are relatively straightforward to put in place. The third, the people, is less clear cut and less predictable.
Some people respond to training, some don’t. If an individual is unhappy at work, they might do something that they would not normally do and put security at risk. Good security training and a security culture should reduce the likelihood of this happening.
A further challenge lies in the difficulty of measuring the success of staff security training. But this is changing. Behavioural science now provides a better understanding of how to influence behaviour and identify relevant behaviours. An increasing ability to measure these behaviours means significant advances are being made both in the delivery of security training and in the measurement of the impact of that training.
It is clear that the most effective security training starts with a clear focus on what the organisation wants to achieve. Is it simply trying to comply with regulation to meet the requirements of a certification? Or is it trying to improve the security behaviours of the workforce to reduce risk and to protect the organisation, its interests, its employees and its customers?
The first should lead to the second and means training should use the most up-to-date approach, make it relevant for the business and show staff very clearly how security threats can impact their day-to-day operations.
What are the options for training and what are their strengths and weaknesses?
The first approach is mandatory training delivered as part of a regular (usually annual) course and assessment. Many organisations have done this for a number of years because it meets the current requirements of regulation and some certification. Sadly, it is ineffective in driving behavioural change. At best, staff recall what they learn in the training for a short while after they have received it. They then forget it and, without an easy reminder of what they should do, they may not take the right action when confronted with a security threat.
One way to address this is to have an easily accessible resource where staff can look up what to do in a particular situation. This could include policies, guidance and bite-size snippets of training that are referenced in the core training module that make it easy for staff to do the right thing.
A second approach to training is to provide it in bite-sized chunks throughout the year. This is most easily delivered through an outsourced platform. Behavioural science suggests this is one of the best ways to ensure the workforce adopts good security behaviour.
In some cases, the training platforms also provide “nudges” in the form of pop-up hints built into the IT to prompt the correct behaviour. Some will enable easy access to policy documents and may also include material to engage staff, such as advice on how parents can help their children stay safe online. There are usually options for built-in behaviour measurement, which means progress can be tracked and areas that need attention identified.
Organisations also need to decide whether to provide insourced or outsourced training. One potential solution is to source joint training as a part of the cyber security delivery partner role that many have with their security operations centre (SOC) providers. This enables the SOC provider to bring up-to-date knowledge and training to the organisation.
There are also numerous specialist providers of security training that have built their platforms on behavioural science and research. Ideally, organisations should complement outsourced provision with insourced training of leadership, management and security champions to help strengthen their security culture.
This training should be designed to support the business objectives and crown jewels of the organisation. So, they should use the specification and delivery of training to help them create the cyber culture and skills they need across their organisation. If working with an external provider, they should make sure their aims are aligned and they benefit from the investment the provider makes to stay up to date.
Whatever approach businesses take to training, they need to recognise that it has to focus on real behavioural change, not just ticking a box once a year.
Tom Everard is a cyber security expert at PA Consulting.