The strongest link in cyber security: Your employees.
Christian. T.
Purpose-driven security strategist helping businesses build resilient, effective security programs
Employees are often described as an organisation’s “weakest link”, but they can actually be the strongest line of defence. Cultivating an open, transparent and supportive security culture offers multiple benefits, including better cyber risk management and organisational resilience. But a key part of this is ensuring employees are trained to deal with today’s complex threat landscape.
This is not as simple as it sounds. According to the Verizon Data Breach Investigations Report, 82% of the breaches analysed in 2021 involved the human element: stolen credentials, phishing, misuse or simple mistakes. Many of these breaches could have been prevented if employees had been given the skills required to protect the business.
Typically, cyber security training programmes run every few months using a fixed set of tools such as phishing tests and quizzes. This approach often ignores the fact that a one-size-fits-all programme doesn’t work for everyone. People have different training needs depending on their role, personality type and learning style.
When you work in the cyber security industry, it’s easy to forget that many people find the subject dull and boring. To manage risk, firms need to find a way of making cyber security interesting and relevant to all individuals. So, how can this be done?
Changing attitudes
To boost resilience and shore up defences, organisations’ attitudes need to change. It’s easy to blame employees when a breach happens, but in most cases it isn’t a people problem, it’s a training problem. If employees have never been given the necessary skills, how can they be expected to react in the correct way?
In many cases, building a security-aware and engaged workforce requires a complete overhaul. Too many organisations simply roll out the bare minimum needed for compliance, training employees every few months. But typical security training modules fail to address the real issue: Breaches are happening all the time, and they are often the result of human behaviour.
Easy routes for attackers to compromise firms include social engineering, which can see employees unknowingly click on a link or download an attachment and deliver a payload into an organisation, with devastating results.
Technical controls do help: access control management limits who can reach which systems, and multifactor authentication blunts the impact of a stolen password. But tools such as these only work when they sit alongside investment in security awareness and skills training.
In the past, security training focused on fear, uncertainty and doubt (FUD), but this doesn’t do anything to help affect cultural change in the long term. Instead, training needs to be based on something positive and sustainable.
A training programme needs to engage employees: If it is viewed as a tick-box exercise, people will quickly become disengaged from it. On the other hand, organisations that make training interesting will equip people with the digital skills to protect themselves, and the business.
Phishing tests can be useful, but when they are focused on catching out employees, people might become afraid of clicking links. This is of course unhelpful when they need to perform their day to day jobs.
So, instead of trying to catch people out, think about how these exercises can change behaviour. This can be done positively: Measure reporting rates rather than concentrating on who clicked the link. Instead of calling out those who failed the test, organisations should focus on who reported the phishing email, and build leaderboards that gamify and reward reporting.
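The metrics this approach relies on are simple to compute. The following Python is an added example, not code from the article or from Pinsent Masons: it reads a constructed phishing-simulation event log (the column names, campaign names and users are assumptions) and produces report-centred metrics and a reporter leaderboard. Click rate is still tracked, because the SOC needs it, but nobody is ranked by it; a user who clicked and then reported counts as a report, since that is exactly the behaviour that lets a real incident be contained.

```python
"""Phishing-simulation metrics that reward reporting rather than shaming clicks.

Added example, not the article's own code. The log format below is constructed:
one line per user action, "campaign,user,event,ISO-8601 timestamp", where event
is one of delivered / clicked / reported.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log covering two simulations (q3 and q4).
SAMPLE_LOG = """\
q3,alice,delivered,2024-03-04T09:00:00
q3,bob,delivered,2024-03-04T09:00:00
q3,carol,delivered,2024-03-04T09:00:00
q3,dave,delivered,2024-03-04T09:00:00
q3,alice,reported,2024-03-04T09:03:00
q3,bob,clicked,2024-03-04T09:05:00
q3,bob,reported,2024-03-04T09:06:00
q3,carol,clicked,2024-03-04T10:12:00
q4,alice,delivered,2024-06-10T08:00:00
q4,bob,delivered,2024-06-10T08:00:00
q4,carol,delivered,2024-06-10T08:00:00
q4,alice,reported,2024-06-10T08:02:00
q4,bob,clicked,2024-06-10T08:04:00
q4,carol,reported,2024-06-10T08:10:00
"""


def parse_log(text):
    """Yield (campaign, user, event, datetime) tuples from the CSV-style log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        campaign, user, event, ts = line.split(",")
        yield campaign, user, event, datetime.fromisoformat(ts)


def campaign_metrics(events):
    """Return per-campaign metrics keyed by campaign name.

    report_rate is the headline number; click_rate is kept for the SOC but is
    not used to rank anyone. reported_after_click counts users who clicked and
    still reported, and median_minutes_to_report shows how fast the first
    reports reach the SOC, which is what decides whether a real campaign can
    be contained.
    """
    per = defaultdict(lambda: defaultdict(dict))
    for campaign, user, event, ts in events:
        per[campaign][user].setdefault(event, ts)  # keep the first occurrence
    out = {}
    for campaign, users in per.items():
        delivered = [u for u, e in users.items() if "delivered" in e]
        clicked = [u for u in delivered if "clicked" in users[u]]
        reported = [u for u in delivered if "reported" in users[u]]
        after_click = [u for u in reported if u in clicked]
        minutes = [
            (users[u]["reported"] - users[u]["delivered"]).total_seconds() / 60
            for u in reported
        ]
        out[campaign] = {
            "recipients": len(delivered),
            "click_rate": len(clicked) / len(delivered),
            "report_rate": len(reported) / len(delivered),
            "reported_after_click": len(after_click),
            "median_minutes_to_report": median(minutes) if minutes else None,
        }
    return out


def reporter_leaderboard(events):
    """Rank users by the number of simulations they reported, most first.

    Clicks are deliberately absent: the board exists to reward reporting.
    """
    counts = defaultdict(int)
    seen = set()
    for campaign, user, event, _ in events:
        if event == "reported" and (campaign, user) not in seen:
            seen.add((campaign, user))
            counts[user] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for name, m in campaign_metrics(parse_log(SAMPLE_LOG)).items():
        print(name, m)
    print("leaderboard:", reporter_leaderboard(parse_log(SAMPLE_LOG)))
```

Feeding a real simulation tool's export into `parse_log` is the only change needed to run this on live data; the leaderboard output is what goes on the competition board, and the click rate stays with the security team.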
The Human Cyber Index
This is the idea behind Pinsent Masons’ Human Cyber Index, which we built with the following challenge in mind: We know what the problem is, but the solution isn’t traditional security.
The Human Cyber Index is founded on the fact that building a security culture starts with speaking to your people.
But it’s important to realise that making training fun and useful requires non-traditional security spend. At Pinsent Masons, we are fans of gamification through prize draws and this needs to be part of the security budget.
Convincing your leadership team to invest in this way can be a challenge: While boards are starting to come around to spending on well-known security protections such as firewalls, persuading them to include gift vouchers as part of the budget may prove more difficult.
To secure buy-in for training initiatives that expand the security budget, it helps if CISOs can show where the company currently stands, with measurement and analysis rather than anecdote. That evidence is what ties the spend to the business strategy.
The Human Cyber Index helps by measuring the productivity impact of investing in security in this way. The Index will demonstrate that implementing control X had an impact on Y and Z. This has a direct monetary impact, and organisations can then assess whether investing in a specific control is worth the cost.
The Human Cyber Index is independent, so it isn’t tied to one training provider, and its methodology produces data sets showing that employees need training in A, B and C, so that security professionals can buy smarter.
Organisations can still take steps to change their security culture now. This could include reaching out to employees to build a community and engage with them to assess their needs and build your strategy from here.
The psychology of security training
Each employee will have differing training needs depending on their job, as well as other factors. Front of house staff such as receptionists handle daily requests for access and for actions on behalf of others, so they are expected to know what the people they support legitimately need.
At the same time, as part of their day job of supporting teams, they need to be able to send links and attachments to enable collaboration. For these employees, a focus on recognising phishing and social engineering is key.
Developers, operations teams and service desks need these skills too, but they should also receive deeper, role-specific training: secure coding for developers, and threat intelligence for operations and service desk staff.
Psychology and diversity should also be considered in any employee training programme. Some people don’t train well in front of a screen; they might have found it challenging during the pandemic and prefer being in a training room alongside their colleagues.
Meanwhile, there is a mix of digital skills across the workforce: some employees will feel confident with the technology, while others may be hesitant, which puts them on the back foot from the start.
Organisations also need to consider broader accessibility issues: What if the content doesn’t work for people with impaired vision or colour blindness? How are you going to train people with the visual content you procured, for example by adding audio, if English isn’t their first language? Neurodiverse groups may also need different mechanisms to engage.
Again, this is where the Human Cyber Index can help: At its heart is a questionnaire, and once firms have collected the data from it, the resulting data set is statistically robust.
Training needs and the current work environment
It’s true that training is evolving, but board-level awareness needs to develop alongside it. Senior leaders now need to move from being familiar with crisis response to understanding the nuances of the threats and how to protect themselves.
Senior management should understand security risk and what it means to the organisation. Even in mature organisations, board members are often not technically minded and may not grasp the technology or the nuances of how devices work. They therefore need a working understanding of security controls and encryption, which can’t be learnt in a 60-minute call.
Taking this into account, education and awareness for the board needs to include the technology, how it works and the broader security ecosystem to be able to truly understand the cyber risks.
It’s now time to change business culture for the better, taking future cyber security threats into account. Things are already starting to shift: Top tier banks and insurance organisations are realising the benefits of understanding human psychology, and the advantages of positive gamification.
Building on this appetite for change is down to security professionals: Ask, what are you delivering for compliance, and what is for purpose? If you are only doing something to tick a box, you are doing it wrong.
There are technical tools and controls you can use, but they need to be backed by regular training tailored to individual needs. It requires investment, but if you recognise that your people can be the strongest line of defence, your organisation will be more secure for it.
The first step is simple: Build an engagement channel with end users; have a champion or network; and bring together a cohort and talk to them about what they are worried about, and what interests them at home. This isn’t about work – it’s about what makes them tick.
Then you need to demonstrate you’ve listened and commit to action based on that input. If you don’t, your buy-in and credibility internally will dissipate and you will be back to square one.
We need to foster a positive and inclusive environment. People can be an organisation’s strongest link, if they are treated with respect and integrity.
Great article!