Having finished 2017 with a blog about allocating security spending, we’re starting the new year on a similar note. Specifically, it’s about investing in security awareness training. Harvard Business Review argued that better training is the best security investment a business can make. Its choice of word was deliberate: businesses need to see security training not as a cost but as an investment.
The problem to date is that the security industry hasn’t always been effective at measuring the value of its controls, which has made it harder to justify spending. The HBR article acknowledges that training incurs a cost upfront, but goes on to say: “it can be cost effective over time, particularly when compared to implementing cutting-edge cybersecurity technology that may become obsolete.”
For the business, it may help to think of security training in terms of other programmes for health and safety, anti-money laundering or ethical behaviour. At BH Consulting, our advice is to start developing a rounded security training programme using these four steps.
Training needs to be an ongoing effort rather than a once-yearly PowerPoint deck that most staff will quickly forget. It won’t be effective if it’s just a standard template that’s supposed to meet compliance requirements.
As with all good security initiatives, training should be risk-based. But unless an organisation already knows where its weaknesses are, it’s best to begin with a generic training programme. Over time, the business can then adjust the training modules according to its risk profile and its experience with incidents.
We encourage phishing training for users. On the plus side, it’s highly measurable. When staff members take a phishing test for the first time, it establishes a baseline for the percentage who would fall for a fake email. The next time the test runs, it’s easy to see how many users spot the scam, and assess progress on that basis. This kind of training is very useful given the prevalence of scams like CEO fraud and phishing. But we caution that this only addresses a particular risk. It’s not a substitute for a broader security training programme.
Beyond phishing, organisations should build a security awareness training programme that reflects their specific industry and the threats relevant to it. This needs a process of identifying where their own weaknesses are, and creating training to address those risks. For example, employees may be leaving the doors to the smoking area open – creating a physical security risk – or they may be using insecure passwords. A phishing awareness programme, though useful, won’t improve either of those behaviours.
Ultimately, training is about changing behaviour. Security teams should develop programmes and simulations that focus on the behaviour they want to see within the workforce. This includes both positive behaviour they want to promote and negative actions they want to discourage. That’s something security professionals have struggled with in the past. As noted in our Irisscon roundup, security people are often quicker to call out user failings than to empower staff with positive messages.
Training should encourage a culture of better security rather than merely meeting a compliance requirement for having training in place. The risk is that a poorly designed or poorly scoped training programme could alienate users from security altogether.