Is it any wonder that cyber security education has really taken off? After all, the majority of Americans fall for phishing scams, so say the headlines (and the statistics are staggering). With companies spending millions correcting cyber security errors, a few thousand on end-user training seems like a smart formula. But does cyber security awareness education actually work? Yes and no. We’ll take a look.
Security for All
When it comes to protection against attack, the heat is on. After a series of global computer viruses (from WannaCry to NotPetya) swept through industries, the pressure has turned up and people are looking for someone to take responsibility. Most incidents still start with a phishing scheme, from the attack on the Democratic National Conference to the infiltration of a Pentagon official.
While most individuals will not be held liable for personal phishing attacks that lead to fraud, certain professions look likely to be held responsible for maintaining security. Lawyers, for example, have faced lawsuits over hacked (and falsified) emails. That means your workplace interactions can make you, or your organization, liable for cyber threats. Familiarity with cyber threat intelligence, especially in fields dealing with sensitive information, and especially among those not working for the IT department, could go a long way toward strengthening security for all.
When Education Fails
Another problem with education is that it isn’t always effective. From company-wide “sensitivity training” to seminars on using Excel spreadsheets, the difficulties of educating employees are familiar: some people can sit in an auditorium and learn from a PowerPoint presentation, and others won’t remember a word of it.
That means you need other protective mechanisms in place beyond mandatory training. Set up systems which will:
- Segment the network, to minimize infections when they do occur.
- Isolate critical data, so that it isn’t exposed to the same attacks as everyday systems.
- Create an isolated environment where attachments can be opened and inspected without ever reaching your network.
It doesn’t do much good to lament that end-users “can’t spot a fake email.” Fakes are getting better and more effective. Adding security saves you from the effects of being bamboozled.
Even with these safeguards in place, training can still be very effective in reducing the success of cyber attacks. It requires a fun, more individualized approach. Consider using these techniques:
- Keep it fun – Games such as “spot the fake,” where real and fake emails or websites are displayed side by side, make training interactive.
- Keep it real – Using real-life examples helps convey the importance of your message.
- Hack yourself – Hack your own company and test your security. Share what happened.
- Play it on repeat – Regular security briefings will do more to reinforce the topics covered than sporadic or annual training.
- Put it in writing – Have written cyber security policies and procedures that protect against common errors, such as enforcing unique and regularly updated email passwords.
- Be loyal – Stand by your employees, instead of targeting them, when breaches happen.
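A “spot the fake” drill can be scripted rather than run from slides. The following is an added example (not code from the original post): it takes constructed sample messages, applies a checklist of the indicators a trainee should learn to look for (Reply-To domain that differs from the From domain, lookalike domains with digits swapped for letters, link text showing one host while the href points at another, urgency language), and prints the reveal for each message. The organisation domain `example-corp.com`, the two sample messages and the indicator heuristics are all assumptions made for the drill.

```python
"""Spot-the-fake drill: constructed sample emails scored against an indicator checklist.

Added example, not from the original post. The organisation domain, the sample
messages and the heuristics below are constructed for illustration only.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: the organisation's own mail domain(s).
ORG_DOMAINS = {"example-corp.com"}

# Constructed sample messages (not real mail). One is benign, one is a phish.
SAMPLES = {
    "invoice": (
        "From: Accounts Payable <ap@example-corp.com>\n"
        "To: staff@example-corp.com\n"
        "Subject: March invoice attached\n"
        "Content-Type: text/html\n"
        "\n"
        "<p>Hi, the March invoice is attached. Questions? Reply to this mail.</p>\n"
        "<a href=\"https://intranet.example-corp.com/invoices\">View invoices</a>\n"
    ),
    "urgent-reset": (
        "From: IT Helpdesk <helpdesk@example-corp.com>\n"
        "Reply-To: support@example-c0rp.net\n"
        "To: staff@example-corp.com\n"
        "Subject: URGENT: your password expires today\n"
        "Content-Type: text/html\n"
        "\n"
        "<p>Your password expires in 2 hours. Verify your account immediately.</p>\n"
        "<a href=\"http://login.example-c0rp.net/verify\">https://intranet.example-corp.com/reset</a>\n"
    ),
}

LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URGENCY_RE = re.compile(r"\b(urgent|immediately|expires? (today|in \d+ hours?))\b", re.I)
# Digits commonly substituted for letters in lookalike domains.
LOOKALIKE_MAP = str.maketrans("015", "ols")


def _domain(header_value):
    """Return the lowercase domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def _in_org(host):
    return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)


def _lookalike(host):
    """True if the second-level label mimics an org domain after digit-for-letter swaps."""
    if not host or _in_org(host):
        return False
    label = host.split(".")[-2] if "." in host else host
    return any(label.translate(LOOKALIKE_MAP) == d.split(".")[0] for d in ORG_DOMAINS)


def assess(raw_message):
    """Return the list of indicator findings for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To")) if msg.get("Reply-To") else ""
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for host in (from_dom, reply_dom):
        if _lookalike(host):
            findings.append(f"lookalike domain in headers: {host}")
    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    for href, text in LINK_RE.findall(body):
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text.strip()).hostname  # None unless the link text is itself a URL
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")
        if _lookalike(href_host):
            findings.append(f"lookalike domain in link: {href_host}")
    plain = re.sub(r"<[^>]+>", " ", body)
    if URGENCY_RE.search((msg.get("Subject") or "") + " " + plain):
        findings.append("urgency language pressuring the reader to act now")
    return findings


def is_suspicious(raw_message, threshold=2):
    """Treat a message as a likely fake once it trips at least `threshold` indicators."""
    return len(assess(raw_message)) >= threshold


def run_drill():
    """Print the reveal for every sample: first guess, then compare with the checklist."""
    for name, raw in SAMPLES.items():
        verdict = "FAKE" if is_suspicious(raw) else "looks genuine"
        print(f"[{name}] verdict: {verdict}")
        for finding in assess(raw):
            print("   -", finding)


if __name__ == "__main__":
    run_drill()
```

The threshold of two indicators is deliberate: a single urgent subject line is common in legitimate mail, whereas a mismatched Reply-To combined with a lookalike link host is rarely innocent. Trainees are shown the message, asked for a verdict, and only then shown the checklist output, so the reveal teaches the indicators rather than the answer.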
Real familiarity with current threat intelligence makes employee cyber security education much more effective. It’s about actionable intelligence, not fear tactics. Fear of liability, fear of causing organizational harm, and fear of some nebulous concept of hackers, will only go so far toward prevention.
Get real with threat intelligence feeds that provide industry-relevant insight into the real-time threats gearing up to strike your business. We can help you develop policy and effective education while combatting real threats with effective tools. These factors combined provide the most complete protection against cyber attack.