Avoiding being scammed with cybersecurity training

One thing people keep asking me is what I think about certain cybersecurity courses they have seen advertised. In recent times the number of these courses seems to have mushroomed. While many of the courses I investigate appear to be legitimate and useful, I have been noticing a worrisome trend: fraudsters and tricksters seem to be hopping onto the cybersecurity training bandwagon at an alarming rate.

While I have discovered tons of great cybersecurity training opportunities (especially since Covid-19), there are a number about which my conscience forces me to say to people, “Run, run hard!” So how can we navigate through this maze of cybersecurity training offerings?

One thing you should be aware of is that you can’t judge a course by its great marketing and promotion. Some people have a knack for advertising their offerings, and sometimes find a way to do a lot of advertising cheaply. I actually find that some of the most heavily advertised courses are among the worst in terms of quality and value.

Another thing which you should watch out for is the pricing of courses. In the past the quality of a course was usually linked to its cost, but in the last two years I have seen some unknown, low-level, non-certification courses from unknown companies which cost more than reputable, advanced-level, certification courses from training giants like SANS, ISC2, and ISACA! I suspect that the people behind the courses are trying to make them look good by pricing them exorbitantly. At the same time, some of the most reputable cybersecurity training companies have drastically lowered the prices of some courses, in an attempt to boost the number of good guys in the cybersecurity fight. We therefore can no longer judge the quality of a course by its cost.

So how can we judge these offerings? Here are a few suggestions –

Research the company behind the training

Googling is a quick and easy way of finding out about a company. It can tell you who owns the company or is affiliated with it. It can also indicate whether it may be a fly-by-night operation, or a company which is just starting out. Sometimes a telephone call to the company can even alert you to the fact that it’s not a training company at all. I remember once a foreign company approached a government offering a sophisticated range of cybersecurity services, for some serious money. A bit of searching on the internet revealed that the company wasn’t into cybersecurity at all, but rather was a producer of PPE – gloves, masks, gowns, etc. They apparently were hoping to make a killing from that particular government.

You must, however, be careful in your searching that you don’t limit yourself to content created by the entity being researched, such as its website or LinkedIn profile; instead, focus on independent content, such as a magazine, journal, online newspaper, or industry sources. If your research shows that the company is not into cybersecurity training, or that it isn’t even into technology or risk management training, that is a red flag.

That being said, please be aware that sometimes tricksters align themselves with reputable-sounding organisations, which then lend them an air of credibility. I have personally witnessed this on more than one occasion. While some training partnerships are quite OK, it is useful to check out the terms of the partnership. In some cases the well-known and trusted partner has virtually nothing to do with the actual training, and knows very little about the trainer’s competence, character, or track record. It should also be noted that while some organisations may be reputable, they may have no relation to technology, security, or education. If a construction company or an insurance company, for example, advertises cybersecurity training, please ask yourself why.

Research the claims being made by the training company

If the training company makes claims which sound too good to be true, check out those claims carefully. If it guarantees a 100% pass rate, the course may be very low quality, or may involve some level of unethical behaviour on the part of the company delivering the programme. If the training company promises to make a cybersecurity novice into an expert after only a few months, you know it’s a scam – it takes a number of years to develop expertise in cybersecurity. If it promises to turn someone who doesn’t know cybersecurity into someone who can get a high-paying cybersecurity role in less than a year, be suspicious – no sensible organization will place an inexperienced person in a senior cybersecurity role. Go on the internet and see what people are saying about that company. If it claims to be an international training company, but not even cybersecurity people in its home country have heard of it, be careful. When you see claims about a course being highly sought after, but none of the job sites list that course as a requirement for a job, that’s a red flag.

Research the trainers

You should never pay for training where the trainer isn’t knowledgeable in the subject, or is unskilled in training. Googling and checking LinkedIn is usually helpful here (once we realise that persons are free to put anything in their profiles). Check the resume, looking for experience and certifications in cybersecurity. Also look for experience in teaching or training. If the trainer isn’t certified or experienced, tread carefully. If the trainer only has entry-level cybersecurity certifications, such as Certified Ethical Hacker (CEH) or ITIL Foundation, but is proposing to teach a high-level course like CISSP, CISA, or CISM, running away would not be unwise. If the trainer has a rap sheet for fraud or theft, that is another red flag.

Check out the credentials behind the trainer’s name if you have any doubts about her or him. I have known persons to stick impressive-looking letters behind their names, but it turned out that they didn’t hold the credential, or, worse yet, the credential didn’t really exist. People have also been known to claim degrees which they didn’t have.

You should also check the eligibility of the trainer to teach the course. If the course is a well-known course where only authorized training companies are allowed to teach the materials, check that the training company is listed on the course’s official website. I remember years ago a local company offering official training from one of the big tech giants, and charging the official prices. Students turning up, however, found that instead of getting the official training materials, they were supplied with cheap self-study guides. The trainer also proved to be of less than the expected quality – he merely read the self-study guide word for word.

Research the course being offered

One question to consider about a cybersecurity course, especially an expensive one, is whether it is certified, e.g. under the ISO/IEC 17024 certification scheme. Top cybersecurity training organisations work to get their courses, especially the high-level ones, certified to these sorts of international standards. International certification of a course is a guarantee that once you pass the course, the printed certificate will be worth more than the paper it is printed on.

Many people provide training for common courses, such as CEH, Security+, CISSP, CISM, and many others. Go online and see what various persons charge for such courses. If you are being asked for way more than the market price, start asking some questions. Also check the official website for the course to see what the entry requirements are. If the official website says that you need certain prerequisite training or experience, but the person offering you the course says that there are no requirements to sign up, you know what to do.

Sometimes people change the name of a course, to avoid copyright infringement problems, or simply to hide what the course really is. It may take a bit of digging, but sometimes you can find that the course is a copy of an existing course. Generally, the real course will be more prestigious and reputable, and may even be cheaper than the copied course. I have even come across a case where someone ripped off a quality brand-name course and charged a ridiculous amount of money to the unsuspecting students. As it turns out, the brand-name course was actually being offered absolutely free at the time, so the students could have done it on their own without paying.

The bottom line is, you must do your due diligence before agreeing to pay for cybersecurity training. As I might have said, had I taken Latin at school, “Caveat emptor!” Since I didn’t do Latin, I will say instead, “Cybersecurity is too hard and too important to waste your time and money on bogus or ridiculously overpriced training.”

Sangsongthong Chantaranothai

| Penetration Testing | Active Directory Security | Web Application Security | Ethical Hacking | Vulnerability Assessment | Cybersecurity | Privilege Escalation | Looking For Remote Opportunities And Relocation Oversea

5 months

Thank you for writing this article. Social engineering/scammers are very convincing. Good thing that I can’t pay an overly high price. Otherwise, I would likely fall into a scam. Trying to research the background of the company is a good thing. The problem for a novice like me is that even if I google it, I still don’t know what to look for as a red flag. Your article raises an important point that to become a cybersecurity expert isn’t something that can be done within a few months or under a year. Another important point you raised is that once I see the price of the course being overly high compared to its market price, I should start asking questions. The point about the certified status of the course is something new to me. As a novice, this is going to be a bit tricky to identify since I do not know what is considered certified. I know you mentioned certified by an ISO/IEC standard. Is that the only standard? Otherwise, anyone can say it is certified by themselves.

William Lynch

TS-SCI/ SEC+/ CND/ WAV2T/ Veteran

11 months

Surprisingly this article didn't spark a list of who is trusted and who is not.


Great and sound advice. Thank you

Judith Sarjeant

ISC2 Board Director | Senior Manager - Cloud Security at Private Company

1 year

This is awesome, David.

Dr. Alexis P.

| #DrPrivacy | FSU Law Grad | Data Privacy Advocate | Global Cybersecurity, Compliance & Risk Management Compliance Leader | Mentor | Educator | Research Fellow | Privacy Expert (GDPR, CCPA, LGPD), HIPAA, CMMC |

1 year

David Gittens MSc, CISSP, CCSK, CISA, CISM, CRISC, thanks for the insights. With all the hype about the talent gap in cybersecurity, everyone is right to fill that gap; eventually all those getting the cheap training will show up in the workplace, and their lack of knowledge will show up at the wrong time and put those at risk.
