Halfway through Cybersecurity Awareness Month, private and public sector organizations worldwide are thumbing through suggestions from experts for the annual observation, trying either to get some energy into tired training or getting ideas for their first efforts.
One Canadian thinks it may be time to retire the annual observation.
“It should be ‘Internet Safety Year’ because security is everyone’s responsibility,” said Terry Cutler, head of the Montreal consultancy Cyology Labs. He argued that there are new threats weekly, so it’s hard to stay vigilant if your staff’s attention span is only one month.
Cutler was one of five experts we interviewed on what managers and IT pros should be doing to better their awareness training.
A veteran penetration tester and incident response expert who has seen the aftermath of many data breaches, Cutler is unsparing when asked who’s at fault for the poor state of many organizations’ cyber defences.
“I think the biggest problem is users don’t care. They don’t own the business, and they likely assume if they make a mistake, IT has it covered. They’re not getting enough training. They’re focused on productivity and getting revenue.”
IT in general, and cybersecurity in particular, is underfunded by management, he added.
“I think the world wants an easy button. Push this button and I’m protected. They want a Black Box.” But cybersecurity is expensive, he said. “The problem is if you don’t spend that money now you’re going to spending on a data breach. It will be way more expensive.”
He said regular awareness training is key to stop end users from the most common cause of breaches, clicking on bad links in email and text messages. Many employees still don’t know how to hover their mouse over a link for signs it may not be legitimate, Cutler added.
Robert Gordon, executive director of the Canadian Cyber Threat Exchange (CCTX), isn’t as glum. Asked about the state of cybersecurity awareness in this country, he said that “we’re on par with similar-sized countries.”
Businesses are increasingly becoming aware of its importance, he said. One sign: More organizations are joining the exchange. Another is that more organizations are participating in programs offered by the federal government’s Canadian Centre for Cyber Security. Gordon also hears that more organizations are interested in cyber insurance. That’s significant, he said, because applicants know to get coverage so they will have to tighten their security.
“Companies have to realize that cybersecurity is a business operation issue, it’s not just an IT issue, he added. “They’ve got to treat this as any other part of their operations and risk. That means the business side has to discuss with the IT side the implications of a cyber attack.”
Management has to understand that if a cyber attack brings the business to a halt that’s a business risk issue, he said.
The goal has to be resilience. “The measure is how quickly businesses adapt to those evolving threats. So you increasingly make it harder and harder for the attacker to be successful. You keep upping the cost to the attacker. You want to make it really expensive for that attacker to come after you by spending more resources.”
Regular phishing tests are very effective at raising security awareness, said Farooq Naier, CISO of Ontario’s Orion high-speed research network and for the Ontario Cybersecurity Higher Education Forum, a group of 29 universities and colleges. “It’s a way of telling us how effective awareness is because you won’t be able to gauge the level of awareness until you test. For most people going through cybersecurity awareness sessions or watching videos or completing questions is not that interesting, or perhaps they’re distracted, so making sure security awareness is ongoing and they’re aware of ongoing scams and testing is important. The threat landscape is evolving — we see new ones every day, and awareness campaigns should evolve as well.
“It should not be a one-time thing. It should be ongoing.”
“I used to conduct lots of in-person training. I know in the current situation that’s not possible, but I think getting the attention of the end-user and getting them to realize what the current threat landscape is and what to watch out for is very important.
“The message has to be designed to be simple, straightforward and communicates the message in the simplest possible way. If it’s overly complex things will be lost in translation.”
Like Cutler, Scott Wright, CEO of Ottawa-based Click Armour, which makes a security awareness gamification platform, said one problem with cyber awareness is most employees don’t think it’s their job to know about security. “They weren’t hired to learn security, they generally find awareness training boring, and it can be complex.”
“If they’re not engaged they’re not going to learn and not going to be able to defend against threats,” he warned.
What’s vital, he added, is getting employees up to speed on basic security skills, such as how to detect suspicious emails. After that, staff needed to be regularly updated on the latest threats to the organization.
While some experts think cybersecurity training should happen once a quarter, Wright talks in terms of “continuous cybersecurity awareness.”
He believes the biggest mistake management makes is dumping the responsibility for awareness training on the IT department. “Cybersecurity is much less a technology problem than a social engineering problem,” he said. “Who should be responsible for what people learn depends on the business. It has to be aligned with the risks around the business itself.”
The second biggest mistake is putting a big course in front of staff. “I’ve seen huge companies ask, ‘Can you make an awareness program for me. It has to cover 10 different areas of security: anti-malware, passwords, social engineering, WiFi, mobile — and it has to be done in 20 minutes by a user.'”
Managers must realize that people need time to absorb new material and time to practice what they learn in order to reinforce it, he said.
Training also has to vary, so it doesn’t get stale, Wright also said. Often he hears employees complain about having to watch the same security video or PowerPoint presentation every year.
Dan Callahan, cyber training director Capgemini North America, also believes awareness training in some organizations is stagnating. “I know a lot of the training is centred around, ‘Don’t click here, don’t do this,'” he said in an interview.
“We may have to start changing the approach. It’s just like anything — when you start hearing it over and over, and [management] is more into compliance training, you start to become numb to it.”
Awareness isn’t only about the end-user and phishing attacks, Callahan said. It’s about creating a culture of awareness across the organization, getting employees to understand what it means to the business when mistakes are made.
Training also has to be tailored to each organization, he added. A firm where all staff work in an office is different from a plant where internet-connected industrial control systems run machinery. Factory-floor workers have to understand cybersecurity is part of their safety knowledge, he said.
“Each of us has to become security advocates, so the security is in the individual. To do that, you have to understand what attackers are doing and why.”
Finally, Callahan said management has to lead. “No matter what part of the organization you’re in, you should always be speaking about cybersecurity.”