Cyber security training doesn’t work!


A somewhat contentious title to this month’s article. However, please don’t shoot the messenger – this is the reality! With household name firms getting hacked and ransomed – apparently at an alarming rate – cyber security is no longer the “problem of the techies in IT”; it is now the number one risk facing the Board.  

Cyber security insurance premiums haven’t just “gone up with inflation”. They have, in many instances, increased tenfold or more. And that’s for firms who haven’t made a claim, are ISO 27001 certified, and do all the right things! For firms who are less diligent, goodness only knows what premium increases they now face – if indeed they even bother (or can afford) to insure themselves. Some firms’ customers demand they have insurance, so they have no choice but to pay the escalating premiums, passing on the costs to the eventual customer(s).

In 2023, Royal Mail, Twitter (X), T-Mobile, and even the British Library were taken down by a crippling ransomware attack that rendered their online and onsite services inoperable.[1] The list goes on – and is formidable. In fact, GOV.UK estimates that, across all UK businesses, there were approximately 2.39 million instances of cybercrime and approximately 49,000 instances of fraud as a result in the last 12 months.[2]

Looking at the organisations listed above (and there are many more), it is ridiculous to think that they would have dismissed cyber security as an unrealistic threat, didn’t invest in the latest technology, didn’t repeatedly train their employees, and didn’t run a variety of ongoing ad hoc simulations. Of course, they would have! So how come they still got breached?

According to a 2023 report by UK Parliament, an estimated (and alarming) 95% of successful cyber-attacks are facilitated inadvertently due to human error. This includes ‘active’ errors, such as opening attachments in malicious emails, and ‘passive’ errors, such as using weak passwords.[3] The really ironic thing is that the majority (78%) of Chief Information Security Officers (CISOs) in the UK agree that human error is their organisation’s biggest cyber vulnerability.[4]

How are statistics like these even credible? How is it that employees – despite receiving (often) repetitive and continual training – still manage to make what many analysts would regard as elementary cyber security errors, inadvertently exposing the employer to increased risk and – depending on the sophistication of the hacker in question – providing an open door into the employer’s data and systems?

One answer is ownership. Quite simply, employers have viewed cyber security as an “IT issue” and assigned the IT function with the problem of solving it. Certainly, cyber defence technology plays a part in a robust cyber security strategy, but in and of itself, it is not the definitive answer to countering a rapidly escalating and ever-changing risk.

Another answer is complacency. With IT “owning the issue” (and let’s face it, it’s an issue that many regard as “technically sophisticated” and don’t profess to understand), the rest of the business can seemingly relax, safe in the knowledge that the experts have it covered.

Another answer might be impact. We all know a successful cyber-attack is disastrous to any business. Yet, many executives are insulated and far removed from these often-theoretical risks until it happens to them and their business – and by then, it’s too late!

Finally, let’s address the answer of training. The cyber security employee training strategies deployed by most employers are completely ineffective. No matter how well the IT function deploys technology to shield the employer, incompetent employees are going to continue to leave the door open and put the business at risk. The data speaks for itself. Nine out of ten successful attacks occurred not because the IT function didn’t have the right software and policies in place, but because an employee left a metaphorical door wide open for a hacker to walk through and raid the business.

So, why is cyber security training not working?

There isn’t a single silver bullet. The reasons are interrelated and need to be viewed holistically. But if I had to summarise what is wrong with 99.9% of employer cyber security training regimes, I would say it entirely ignores the job to be done and focuses on the wrong outcome.

The job to be done is to transition what is, in reality, a firm’s biggest Achilles heel – its workforce – into a constantly vigilant first line of defence.

How many employees would regard themselves as being “at war” with cyber criminals? Ignoring those specialist roles in IT, I would suggest almost none. This is the bar you need to exceed. You need each and every employee to understand that you are literally at war with these criminals. Employees need to be constantly vigilant, question everything they do, always be on their guard and remain constantly suspicious.

All a bit dramatic? Have a chat with an executive or senior manager of a business that has been subject to a successful cyber-attack; they are highly likely to use similar language. They know first-hand just how damaging an attack can be. Some firms will have faced financial ruin as a result – with all employees losing their livelihoods. Try telling these people that referring to cyber security as a war is “being a bit dramatic”.

So, you need to train your employees. Now, you will argue you have already done so, yet I will keep coming back to the point about outcomes. If you are not training for the right outcomes required, your training will fundamentally not work. You need to teach employees the theory, but you also need to ensure they translate theory into in-role competence – and you need to verify that competence is being maintained. Cyber security awareness needs to be made personal and relevant to each individual to ensure that processes and policies are adhered to. C-Suite must lead by example and have a zero tolerance for anything other than complete buy-in and support of every individual in the firm. Remember: it only takes one single tired, stressed, lazy or slack employee to open the door to your firm.

So, the question is: just how does a firm go about completely transforming the culture of the business in relation to cyber security? How can we solve the problems discussed above and work to maintain a constant state of appropriate employee vigilance?

At Elephants Don’t Forget, we would suggest the following are pre-requisites to achieving this objective:

  1. C-Suite buy-in and leadership.
  2. Stop ticking boxes.
  3. Continually test relevant competence.
  4. Make it intensely personal.
  5. Make it your number one mission and not the latest management fad.
  6. Talk about the war, all the time.

So where does training fit in? I haven’t even listed employee training as a pre-requisite. That is because traditional training really has very little to do with the above six points. What is required is a completely different approach.

  1. C-Suite buy-in and leadership.

If employees do not see their leaders treating this subject with at least the same degree of seriousness that they are being asked to, they won’t go to war. It is simply unacceptable that senior managers and leaders pay lip-service to cyber security, deferring training to their executive assistants to do on their behalf, pulling rank and breaching policies because it is easier – and they can. These actions and activities completely undermine an authentic and robust cyber-defence strategy. How can you go to war if the generals and senior ranks don’t even participate?

  2. Stop ticking boxes.

Far too much emphasis is placed on the completion of training and pointing to near-perfect, or, indeed, perfect, post-training test results to prove learning has occurred. Obviously, learning has not occurred. If the brain learned in that way, we wouldn’t bother sending our children to school for 12 years! We would all be subject matter experts in any subject we chose, simply by consuming some training and taking a little test at the end. Pretty much every employee and manager knows this is the case – and every L&D professional has known it forever! But firms have been caught up in a race to the bottom, preferring to measure the lowest cost of training delivery over the desired competency outcome.

  3. Continually test relevant competence.

Authentic competence is rarely assessed. Certainly, it is not continually assessed by all firms. By continually, I mean habitually. Cyberthreats evolve daily, thus assessment of employee competence needs to follow suit. This must happen if the employer is to be confident that every employee is competent and therefore able to form part of an effective first line of defence within the firm.

  4. Make it intensely personal.

We pay attention to what is personal to us. Historically, it has been expensive and time-consuming to entirely personalise employee training. But personalise it you must. Equally, presenting examples of cyber-attacks on firms that have no relevance to an employee’s day-to-day work is unlikely to register. Why not use examples from your own business? You probably detect and prevent numerous attacks every week. Share these cases with your employees in a meaningful and personalised way.

  5. Make it your number one mission and not the latest management fad.

Eon, the German energy giant, had an employee safety issue. They solved it by making sure that the number one agenda point for EVERY meeting and staff gathering, whatever the subject, was employee safety. The program was called “One”, in reference to the number one agenda point. Eon went to war on unsafe working practices and soon became renowned as perhaps the safest working environment within the industry. What gets measured continually gets done.

  6. Talk about the war, all the time.

You can’t pick and choose. You are at war now, whether you like it or not. If the war was less latent and more physical, then the idea that it wasn’t a source of continual dialogue in the business would be unfeasible. Everybody would be talking about it all the time.

Elephants Don’t Forget can help…

All of this is possible with the help of an Artificial Intelligence (AI) called Clever Nelly. The AI in Clever Nelly enables employers, large and small, to treat every employee as an individual, to ensure that theoretical training is genuinely learned and retained, and that this is then translated into genuine in-role subject-matter competence.

In addition, Clever Nelly assists senior leaders to reinforce the seriousness of the war and to overtly lead by example. Nelly allows any business to share examples of real-life attacks in their own world, and, because she is “always on”, the war is kept front of mind for every employee.

Clever Nelly is easy to deploy and manage, low cost, award-winning and – best of all – it only takes about one minute of every employee’s working day to engage with. In a war, nobody is too busy to spend one minute to make sure they are not the weakest link within the firm.

And, of course, Nelly is agile and hard-working and can concurrently address a number of learning issues an employer may have, including compliance, performance improvement and employee risk reduction.

You could wait for a cyber-criminal to successfully attack your business before you accept you are at war and respond accordingly. Or you can get on the front foot and solve what is undeniably the biggest threat your business faces today: the lack of engagement and competence of your employees.
About Author

Adrian Harvey is CEO at Elephants Don't Forget. Elephants Don’t Forget are world leaders in the use of Artificial Intelligence to augment how each employee learns, retains and evidences in-role knowledge and competency. We support employee competency and compliance training at some of the world’s most recognised brands, including Microsoft, Vodafone, Experian, Allianz, Old Mutual, Aviva, Eon and Volvo.