We’ve all sat through mandated cybersecurity training that essentially consists of a video and a short quiz that end users must pass to keep in compliance with organizational standards.
While those trainings are usually enough to cover the basics, today’s cyber attacks are evolving so fast and are becoming more sophisticated than ever before, requiring IT departments to provide more robust cybersecurity training for end users and increase their level of engagement with the rest of the organization.
As we continue to transition toward a more remote and hybrid workforce, ensuring a tight relationship between IT and end users will remain critical, says James Stranger, chief technology evangelist at CompTIA.
“That changes the attack surface of a company, and accordingly, it changes the techniques and the opportunities the bad guys have,” Stranger says. “And, they’re getting more organized.”
IT & end users need to reconnect
For IT and end users to get along and operate on the same sets of rules and best practices, they need to repair their relationship, Stranger says.
This divide between IT and end users already existed before COVID-19 and remote work, but it has been exacerbated by IT professionals having a much harder time gaining visibility into the struggles of remote end users.
According to Stranger, this explains why end users aren’t fully aware of the immense amount of cyber risk that comes with simply doing their job. The sense of responsibility when logging onto a corporate network on a corporate machine has been lost somewhere along the way.
“Back in the day, you needed to learn stuff,” Stranger says. “There were certain responsible practices you had to learn.”
According to a recent study from cybersecurity company Kaspersky, 52% of businesses surveyed said their biggest weakness in network security is their employees, with careless actions putting the business at risk.
The study also found that businesses feel more vulnerable about cyber risk that involves end users: sharing data via mobile devices, losing company-issued devices and inappropriate IT use by employees make up the top three fears businesses have when it comes to IT risk.
Now, with phishing and social engineering attacks proving to be an effective method of gaining initial access to a company’s systems, user training and awareness is extremely critical.
“End users are now the primary way that bad guys get in,” Stranger says.
Training & awareness need to evolve to keep pace with sophistication
Simply having employees watch a video once a year and answer basic questions is the bulk of cybersecurity training for too many businesses. Instead, businesses need to base cybersecurity training on real-life scenarios and bake it into an end user’s regular scope of work.
“The idea is to have training throughout the year and make it organic to the organization,” Stranger says.
Stranger suggests instituting cybersecurity training from a policy perspective. Instead of the IT department or management mandating routine user education, awareness and training should become an organic part of the company.
Cybersecurity defenses like antivirus, firewall, multi-factor authentication, and more can only do so much in the face of a growing threat to every business.
According to CrowdStrike’s Global Security Attitude Survey for 2020, cyber attacks are growing in scope and sophistication.
The survey of 2,200 senior IT decision makers found that 56% have reported a ransomware attack in the last 12 months, a significant increase over the 42% reported in 2019.
CrowdStrike’s survey also found that IT experts report growing fears of nation-state attacks, and that was borne out in recent months with the SolarWinds Orion compromise and other high-profile attacks from foreign entities.
“We’re not talking about silly emails that you can pretty much dismiss,” Stranger says. “We’re talking very sophisticated efforts now.”
How to increase end user participation in cybersecurity
Learning about and responding to cyber incidents doesn’t have to be just the job of IT or security teams.
If organizations increase awareness, the entire company can benefit from each employee having the same basic knowledge and skills needed to detect an intrusion.
According to Stranger, organizations can increase engagement and participation in cybersecurity training in several ways:
- Constant training and education. The days of watching instructional videos on cybersecurity once a year should be well behind us. Cybercriminals don’t attack just once a year, and they’re constantly changing their methods to attack workers where they are. If organizations want to keep pace, training should be a routine part of work.
- Gamification. IT departments and managers can set up scenarios in which fake phishing emails or ransomware attacks are sent by the IT team to end users who compete with one another to catch the attacks first. This can be a fun and effective way to increase engagement while educating end users on what to look for.
- More technology education. The average end user doesn’t know how their technology works, and they don’t care. However, understanding how internet browsers work can give them what they need to be more aware of cyber risk.
- More insight into the attacker. End users are told to watch out and be vigilant against these attacks, but they don’t know anything about the attacker and what information they’re after. IT managers and security professionals should better explain a cyber actor’s motivations, which in turn can help end users avoid actions that might expose themselves to those areas of risk.
Above all, however, organizations need to find a way to bake cybersecurity awareness into their company culture – from the top down.