Cybersecurity: People and the Training Evolution

Posted by Kevin Hutchinson, CISSP on May 22, 2017 3:01:04 PM

The computer security landscape is constantly evolving, and despite our best efforts to secure our systems, threat actors still find a way to penetrate even the most secure environments —including the Department of Defense (DoD), NSA, Sony and RSA. Maybe you find yourself asking, “If those systems can be compromised, what can I possibly do?” The answer: remain vigilant.

The hardware and software that companies have purchased to secure their environments generally do exactly what they are supposed to do, keep the bad people out. Those systems, as complex and secure as they are, were built by people and therefore subject to human error. If that wasn’t the case, we would never have heard of a zero day exploit. A zero day exploit occurs because someone thought of a way of using a system in a way that the developers of that system did not or the developers took a shortcut when coding that left a hole in the software/firmware. The end result leads to a potential system compromise.

Security compromises have one thing in common – people. In spite of organizations spending hundreds of thousands—and even millions—of dollars to protect their infrastructure, the easiest point of entry for any threat is typically through an end user. In my opinion, one of the biggest mistakes a security professional can make is to discount the human factor and to leave “people” out of their overarching security model. I asked a number of people where they thought they fit in with their organization’s security posture and an overwhelming majority echoed two main sentiments; “that is a function of IT” or “it doesn’t really apply to me”. Both of those statements should cut to the core of any information security professional.

So, what does that mean? In simplest terms we have to consider “people” as the biggest gap in our security “gap analysis”.

So how do we close the gap? I don’t think we can close it completely, but we can certainly reduce it significantly and one way to do that is through continuous training. Most security training plans happen once a year and are delivered via web based training. While many of these training sessions can be quite comprehensive, the information they provide is soon lost amongst the day-to-day activities. That is evidenced by the fact that despite telling people for more than 15 years not to open an email from someone they don’t know and not to open attachments they were not expecting, they still do.

Generally speaking, these cybersecurity training sessions are geared to one specific audience and don’t take into account the multigenerational workforce we deal with today. From Baby Boomers to Gen Xers and Millennials, each has grown up with different levels of technology available to them and thus learn differently. Each communicates and learns in ways that are vastly different than the others and we have to modify our training approach to keep pace.

In an April 2015 white paper for Raytheon, Shina Neo stated, “To design an effective high consequence training program, organizations need to:

* Ensure content is accurate and relevant

* Find a balance between effective and efficient training

* Consider a design that’s transferable and applicable

* Understand the multigenerational workforce

I couldn’t agree more, and it looks like someone else listened, too. At a recent CyberSecureGov conference in Washington, D.C., Maj Gen Sarah E. Zabel, Vice Director of Defense Information Systems Agency (DISA), outlined a new training plan that is being implemented at DISA. The training now occurs

in small increments on a weekly basis with results tracked and compiled to meet the agency’s training requirements. This is revolutionary—someone finally understands that it is much easier to eat an elephant a bite at a time than it is to try and eat it in one sitting. The only challenge I see with this method is keeping the training interesting so it does not become rote. It certainly is not a silver bullet, but a great start in changing the way we approach security training.

Regardless of the training methods used for security awareness, the simple click-through, pass/fail training is wholly inadequate. Your employees may have passed the test and you met your annual training requirement, but you can’t stop there. If all you do is rely on the results of that once-a-year test, then your environment is ripe for an attack. In fact, according to PhishMe’s 2016 Phishing Susceptibility and Resiliency Report, “91% of cyberattacks and the resulting data breach begin with a spear phishing email.“

Just as our cyber security environments have evolved over time to meet increased security challenges, the way we train people in security awareness must also evolve. Hardware, software and attack vectors have all become more sophisticated over time—but has your security awareness training kept pace with the threats?

Contact the IGI team to learn more about employee security training and how IGI can help bolster your cybersecurity strategy.

Topics: Cybersecurity, Our Blog, security