Good cybersecurity training doesn’t mean pointing the finger

23 Feb 2018

Stephen Burke of Cyber Risk Aware. Image: Fergal Phillips

Stephen Burke of Cyber Risk Aware on why security training should empower workers.

The cyber-threat landscape is constantly evolving and it can be difficult for even the most seasoned CSOs and CISOs to keep up with the ever-expanding list of dangers.

Consider, then, that the average employee’s awareness of issues and risks is usually somewhat lower than those tasked with looking after cybersecurity.

Future Human

Cybersecurity training should be ongoing

Much of the existing cybersecurity training out there consists of a 40-minute programme completed by staff once a year, a compliance exercise and nothing more. Stephen Burke, CEO and founder of security start-up Cyber Risk Aware, explained to that the human risk factor in organisations is often to blame for data breaches and other cyber incidents.

As a former CISO and leader of global security programmes, Burke has seen firsthand how human error can cause massive problems. “No matter what we would have done technically to implement security measures, be it firewalls or antivirus, we still kept coming across people doing things they shouldn’t do.”

People are the weakest link

He explained that cyber-criminals target people as “they know they are the weakest link in the security chain and the problem is, people tend to think that because a company has invested in technical solutions, they are protected – but they are not”.

Natural human curiosity, a tendency to not think badly of others’ intentions and a certain willingness to click on emails makes it easier for criminals to take advantage.

Phishing attacks are a perfect example of bad actors leveraging human vulnerabilities to scam organisations and individuals alike. Simulated phishing training for teams can have major benefits if approached in the right manner.

Human firewall

Burke said training should be about “enabling people to become part of a human network of sensors, a human firewall”. 

An advocate for continuous assessment rather than reactive training after an incident, he said clients usually need training in core topics such as passwords and using two-factor authentication as well as email security lessons. 

Continual assessment, Burke said, allows organisations to empower their staff and get a proper baseline measurement of their personnel’s security literacy. Continuous re-examination will also allow managers to spot people who continually make mistakes, and ask them if there is anything they need a refresher on.

He continued: “You have to help staff. Pointing the finger is counterproductive.” With a simulated phishing attack, “you can help someone feel like they have fallen victim without the consequences, and there’s a dramatic reduction in risk”.

As well as keeping your organisation secure, training also benefits your staff at home and in their personal lives, armed with new knowledge they can pass on to others.

For Burke, a technology-only solution will never be fully effective. “Cybercriminals are targeting everyone and every sector, so focusing on people is no longer optional – it’s mandatory.”

Context is key for Burke when it comes to cybersecurity education. Once people are informed of the risks, “they are prepared to support you as a CSO. But you have to help people understand and contextualise the threats.”

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects