Cyber Security Awareness Month: Canadian firms not training enough, says expert

Oops! That’s the word infosec pros don’t want to hear from an organization’s staff. But after years of warnings, pleas, posters, online training, video training and email reminders, they’re hearing it more often than ever.

Employees are still clicking where they shouldn’t, using unsafe passwords, re-using passwords or uploading sensitive data to cloud storage sites.

And if that isn’t enough, sometimes IT staff who should know better misconfigure something.

So with today marking the start of the annual Cyber Security Awareness Month, it’s more important than ever that information security professionals look hard at what’s not working in their organizations: Are they doing too much awareness training, too little, or going about it the wrong way?

For one industry analyst, the evidence is clear: “Canadians are not training their employees nearly to the extent they should be,” says David Senf, founder of Cyverity, a cyber security research and consulting firm, and former IDC Canada analyst.


Experts say that, to be effective, messages about cyber security awareness have to be delivered in some way at least once a quarter. But if a survey of 200 companies conducted this year by Cyverity is representative, nearly seven out of 10 (68 per cent) Canadian organizations train only one-quarter of their employees about cyber security tools and best practices on an annual basis. Only one out of 10 (11 per cent) organizations train the majority of their staff annually.

In a survey released earlier this year by solutions provider Scalar Decisions, only 26 per cent of the 421 IT security, risk and compliance professionals questioned said their organization has formal training showing staff how to identify attacks such as phishing.

Experts also say messaging has to be varied to avoid employees getting bored. So mix up staff meetings on awareness with quick videos on the company intranet, posters, keychains and prizes for passing tests.

But, Senf adds, “it’s not just about ‘Go take some training’, or ‘Use the password management tool,’ but being able to work with them to improve competence. And think about their commitment level to security.

“Even when training is given, it needs to be tracked and followed over time to understand where they [staff] are at.” The tracking doesn’t have to be in spreadsheets, he adds, but managers should have at least a rough idea of their employees’ knowledge – including whether they understand what sensitive data is.

Four types of employees

He figures there are four types of employees: Enthusiasts, Egoists (who have the competence to help an organization be more secure and will use the right tools), Denialists and Defeatists. Enthusiasts want to do the right thing; if they receive the right training and the organization has useful security tools, they are unlikely to become Defeatists, Senf said. Denialists have had training, but their commitment is low or has dropped off because the security-related processes are too hard.

For staff who have the security competency but not the commitment, he said, it’s the responsibility of senior management to push: ‘We need you to do this, and here’s why.’

The burden shouldn’t be on the security team’s shoulders, he adds. “Today if you ask an audience who are the security pros, everyone should be raising their hands – it should be developers, end users, in addition to the traditional security pro. It’s getting everyone on board with that.”

“When you think about what differentiates an organization that suffers fewer breaches from others … one of the key variables is leadership. What leadership does is establish a culture, which creates that commitment level [to security], that desire to be more competent.”

Senf also said infosec pros have to make sure they don’t contribute to security problems by choosing products with poor usability.

Make it fun

He offers one more tip: Make awareness training fun. That’s what a Canadian insurance company he won’t name has done. “It was all about culture and trying to get people excited” about cyber security. Gimmicks include the awareness team periodically walking around the office with funny hats or goofy clothes and giving advice: Here’s how to use this software, here’s some password advice.

“By doing that they’re embedding themselves with the average employee, getting out of their cubes and being a force, a presence with their fellow employees.”

Often, employees are literally distant from the security or support team, Senf said (“on the other side of the wire” is his term), and the security team in turn seems less aware of the frustration level of the average employee.

Making awareness fun in this case wasn’t about technology, he concluded, but about people.

Finally, experts agree there are many things CISOs can do to reduce the consequences of employees making mistakes. First among them is identity and access control, including the use of two-factor authentication. Second is applying software security patches as soon as possible.

(Throughout the month IT World Canada will feature articles on how to raise security awareness.)


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com