Mark Lanterman | March 22, 2019
Employees need training when it comes to recognizing potential cyber threats. They should be on notice that, no matter their position within an organization, they too are responsible for doing their part in maintaining security standards and following proper reporting protocols.
Consider this real-life example. An organization in Scotland is suing an employee for failing to spot a CEO spoofing scam, but the employee claims she never received any real training in how to recognize fraudulent emails. 1 Though the employee appears to have acknowledged a brief warning, this case demonstrates the need for organizations to clearly and consistently set expectations when it comes to cyber training and awareness.
When it comes to training programs, employees often express the same kind of nonchalant attitude that pervades the entirety of their organization's mindset on cyber security. If cyber security culture is not prioritized, employees are not going to pay particular attention to a deck of slides and a short true-or-false quiz at the end to demonstrate their "mastery" of the material. In the case of the Scottish employee, her organization insists that she clicked a box acknowledging that she had been warned about the threat of CEO spoofing. When cyber security efforts are merely boxes to be checked, it is unclear how much more useful they are than nothing at all.
Cyber security awareness and training must be personalized. Namely, employees need to be provided with the tools to develop a better understanding of the critical cyber threats they come into contact with every day. More complex technologies, newly implemented systems, and harder-to-understand technologies, such as cloud infrastructures, may require specialized training for specific stakeholders or responsible parties. While training may not look exactly the same for each employee, compliance with security protocols and procedures should be.
Perhaps unexpectedly, compliance with security protocols should strengthen and support an employee's ability to think critically and maintain a questioning mindset. In an organizational setting, it may seem counterintuitive to expect employees to take on a critical eye. But once an employee has received training on the relevant systems and procedures, a questioning employee is going to have a better chance of spotting red flags and knowing when and how to report them.
Training programs should emphasize the need for employees to trust their gut when it comes to suspicious activities and act with caution even if something appears to be consistent with company policy. Recognizing the type of CEO spoofing email mentioned at the outset is a good example.
Training must evolve and be administered with the understanding that technology, and your organization's use of it, changes regularly. Just as security procedures must never be a "set it and forget it" affair, continuing education also needs to reflect current policy.
The usefulness of different training programs should also be assessed regularly. With this sort of feedback, it might have been understood that having an employee check a box is not an effective way to train staff to recognize emerging cyber threats. Instructing employees on where to find relevant cyber security policies is also important in ensuring compliance, as is providing a point of contact for all related questions and reporting. This responsible party may also be the individual held accountable for evaluating compliance, judging the usefulness of certain training programs, and assessing when changes need to be made and retraining needs to take place. Communication is key when it comes to keeping training useful rather than a checked-box formality.
To ensure that training remains a priority and that initiatives are funded adequately, cross-organizational communication channels need to exist. Knowing what key threats an organization faces as well as understanding which assets need to be most protected are impossible tasks without interdepartmental communication, especially with the information technology department. Cyber security leaders within an organization must also be sure to keep upper management apprised of what is considered most important when allocating cyber security resources. In the case of the company in Scotland, in-depth training sessions focusing on the "human element" of security and the threat of social engineering attacks might have prevented the disaster.
While the jury is still out as to whether or not a lack of adequate training or negligence is to blame in the case of the employee falling for a CEO spoofing scam, either way, it points to an increasing need for organizations to implement, and strongly document, their training and education programs for their employees. Ultimately, the effectiveness of a training program is only going to be as strong as the overarching attitude toward cyber security that an organization has. Additionally, employees need to recognize their individual responsibility for upholding their organization's cyber security protocols. When it comes to cyber security, everyone is a stakeholder.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.