Organisational cybersecurity awareness has come a long way from the early days of widespread office computer use. While the issue has traditionally been considered the responsibility of IT departments, organisations have steadily woken up to the idea that individual workers across a company can present significant cybersecurity threats, and so cybersecurity training for all workers has become progressively more common.

But while there is certainly better cybersecurity awareness among non-technical workers than there used to be, it’s hardly a standard occurrence.

“There was a recent report that showed [that] in the UK, over 50% of staff had not received security awareness training,” says Stephen Burke, CEO of Cyber Risk Aware, a provider of cybersecurity training.

However, while almost half of UK companies are offering training, that doesn’t mean they are doing so in a way that will have a meaningful impact on their chances of experiencing an attack.

“Larger organisations are probably more mature in this space, but even then, that doesn't mean that they're doing it right,” says Burke. 

“People have traditionally given 40 minutes of annual compliance training and said they're doing security awareness training. That is just not fit for purpose and is a compliance tick-the-box exercise. 

“And that has been the fallacy to date and why the risk has not been changing, and hence why so many cyber incidents have been occurring, because of people still continuing to be unaware of the risks and thinking that primitive defences will help them, and it’s somebody else's job.”

Box-ticking: When cybersecurity awareness gets treated as a compliance exercise

Many companies, Burke argues, are doing cybersecurity training simply as another piece of red tape with which to comply, demonstrating little regard for the end goal of such training: the reduction of cybersecurity incidents. 

“I think it’s fallen into the compliance team; it's deemed to be like compliance training,” he says. “By being perceived as training, it just falls into 'well, let's give it to annual compliance training and then they can handle it'.”

“By being perceived as training, it just falls into 'well, let's give it to annual compliance training and then they can handle it'.”

Share this article

Then there’s the question of who is doing the training. Even if it is more frequent and focused than an annual 40-minute session, the wrong trainer can have a serious impact on its effectiveness.

“It sometimes fell to some technical people to do it, and technology people are not the educators in the world; they're not the best communicators in the world, which, coupled with bad content, just makes for a recipe for disaster that doesn't really lead to the outcome that one wants,” explains Burke.

A human firewall: taking a different approach to training

Instead of the commonplace compliance-based approach, Burke argues that companies should be using methods that increase the frequency while making sessions shorter, punchier and easier to take in.

“Going forward, I think it has to be small and often content, which is bite-sized chunks of awareness tied to specific topics such as data protection, email security, web security, password security, thus focusing on single topics; focused and practical and relevant to people in their personal lives,” he says.

“And if that is the approach taken, well, that will be far superior in reducing the risk and enabling companies to demonstrate and meet their legal and regulatory requirements in this space, which is obviously an increasing requirement that they are doing security awareness training, but also showing how effective it is.”

Cyber Risk Aware is one of several companies offering this approach, which Burke describes as “creating a human firewall”, which is designed to generate a culture of awareness among employees. 

“The whole key to this is to be helping them in their personal lives as well as in their work life, and producing the content that doesn't get in the way of the business, is eight minutes in duration, [like] our training courses, or videos, which are one minute,” he says. “But also, creating a culture of awareness so that people start talking about it among themselves rather than just leaving it to IT.”

“Going forward, I think it has to be small and often content, which is bite-sized chunks of awareness tied to specific topics.”

As part of this, the company also practices mock attacks, followed by immediate targeted feedback for employees who prove to be weak links, to ensure the same problem does not occur in a real-life incident. In particular, this practice has proved effective for mock phishing attacks, where companies are able to assess their risk level and provide additional training for those that need it.  

“Seeing where that risk lies and giving instant feedback to staff who fall for that, [companies] really like that, they really see that that's very powerful, and it's powerful for the senior executives to know that they're seeing that level of risk and they can demonstrate that back to the shareholders,” he says.

It has also been appreciated by IT security teams, which are able to provide valuable data to back-up their requests for increased resources. 

“Nothing is ever foolproof, but our whole approach to this is to not only schedule phishing campaigns, knowledge assessment quizzes, training content, it's to provide real-time intervention awareness,” says Burke. “So where we're going is that immediately in response to detected risky behaviour [we] deliver a fully contextualised message to that user, so they instantly become aware as to what was risky about what they just did because they simply do not know that it was risky, hence the problem in the first place.”

Cybersecurity awareness training for home and work

Part of the reason this approach has yielded very positive results is that it considers cybersecurity across employees’ whole lives, not just during the time they are at work. And company executives are increasingly recognising the value in this for improving the general culture of cybersecurity awareness. 

“They know that, as people themselves, when they go home if they're able to speak to their wife or their spouse or whoever it is, about 'I just learned this about how to do passwords' or 'this is how I learned how to check a website' or 'here's how to check and email or set a secure password', if they're able to talk about it at that level it permeates back to the workplace,” says Burke. 

“If employees are able to talk about it at home it permeates back to the workplace.”

“That is based on my experience as a CSO and how I would want to get the message across that's practical, useable, you can pretty much go home and use it. 

“That's how you create the awareness, that's how you get the buy-in and the support from the company to support your other initiatives that might be a bit hard to swallow, but because you've done such a good job in helping them, then that's key, so there's a myriad of aspects that are really engendering people to say 'actually, do you know what? This is really important'.”

Share this article