We’re used to seeing headlines like those we woke up to on 13 May 2017. ‘Huge ransomware attack hits hospitals’. ‘Unprecedented global ransomware attack’. ‘Global cyber-crime hits a new high’. TV and media coverage has kept up the hyperbole ever since the news first broke.
It’s startling just how easy it was to compromise computer systems across so many different industries in over 150 countries: for many of the victims, applying a system patch that was already available would have prevented the attack. It’s startling that we seemed unprepared for and shocked by it. But most startling of all, I would suggest, is that, apart from the few people most directly affected, the story will quickly become old news. We will all move on and carry on behaving as we always have. There will be enquiries into the attack and some soul searching in boardrooms, but to what degree will we really change our behaviours so that we’re more resilient?
Two important lessons are clear from the global attack over the last few days:
- Make sure your basic cyber hygiene is strong, and that starts with patching; and
- Make sure all your staff are aware, alert and engaged in what to do in response to the range of cyber risks we all face at work and at home.
We have to accept that cyber-attacks are now part of everyday life at home and at work, but that doing some simple things well can mitigate the risks. We also need to understand that each of us has a specific role to play in protecting our organization’s most precious information. And organizations need to understand that the information security awareness training they provide to all their people needs to be effective, and shown to be effective, just like any other security control.
Many of us feel out of control, or resigned to doing nothing, about our own online security. Take those attitudes into the workplace and organizations face a real dilemma. Sadly, cyber-attackers often find it easier to communicate with, engage and influence the behaviour of our staff than we do. This needs to change, and that means a new approach to learning.
While many forward-thinking organizations already recognize the need to provide information security training to all staff, how can this be delivered in a way that truly engages them and changes behaviours, rather than just ‘ticking the box’?
For me, there are five key lessons for effective Information Security training:
• Tell stories
Stories spark emotions. An emotional response can drive curiosity and action about subjects we previously thought dull and irrelevant. Stories explain the complex and the confusing in new, insightful ways, and they make people care. The most successful marketing campaigns have a compelling story at their centre. Stories communicate consequences and relevance: we listen to a compelling story and we empathize, imagining how this could happen to us or to the people and groups we know and care about. Stories can be shared; they inspire and involve. Help your people understand how best to protect their own and their family’s information at home, and the subject becomes real and valuable to them.
Combine great storytelling with the delivery techniques now at our disposal, such as games, animations, video and simulations, and we can make a real difference in changing behaviours for the better.
• People need to hear from their leaders
Information security is a business risk, and leadership teams have a vital responsibility to show their commitment to leading the way in protecting what’s most precious and valuable to them. The goal is to be able to say ‘it’s the way we do things around here’. The active and continued involvement of leaders, being seen and heard in their organization’s information security training, is time well spent. Critically, leaders must also appreciate that they are far from immune to attack themselves; their access and authority make them attractive targets.
• Keep it simple
Most of us would be described as ‘average users’ of technology, and in asking the ‘average user’ for their support and interest in information security we need to talk, and to provide guidance, in language they will understand. For example, research in 2016 highlighted that 36% of UK adults said they could not confidently define what a phishing attack is. We therefore need to understand what our target audience does and doesn’t know before deciding how to communicate with them most effectively.
We must design and deliver learning that our people can relate to. Using plain English to explain threats like phishing, and providing simple, practical guidance on what to do about them, is essential.
• Frequency, timing and measurement
Changing behaviours takes time. We need active, engaging online learning that adapts to changing threats and is delivered on a regular, consistent basis, not as a once-a-year event. We have found that refreshers, assessments and competition all work well in keeping people engaged and interested. Diagnostics also help by providing the choice and options needed to deliver targeted, relevant learning to the right people at the right time. This targeted, drip-feed approach can help prevent ‘security fatigue’ and encourage better decision making.
Organizations also need to measure success and improvement over time. Take phishing, for example. Some organizations now run a controlled, ethical phishing simulation against their own staff alongside the learning, to benchmark the proportion of people who would click the link, open the attachment or enter their credentials before and after training. The proportion who report the suspicious email is just as important a measure as the proportion who fall for it: reporting is the behaviour you are trying to build, and it is what gives the security team a chance to respond.
• Culture and Incentives
Develop the right culture. This is one area where I believe we need a real focus. We need a culture, from top to bottom, that rewards ideas and learns positively from mistakes. I sometimes see working environments that do not encourage or reward people for ‘putting their hand up’; indeed I’ve often seen those hands slapped down when anyone admits to making a mistake or suggests an alternative way of doing things. An environment that punishes the person who admits clicking a bad link simply guarantees that the next click goes unreported.
By adopting these key lessons, I see innovative and engaging information security training helping organizations embed and sustain better behaviours across all their people. Our RESILIA™ Frontline awareness learning provides first-hand evidence of the power of online learning to embed a more resilient security culture.
The importance of health and safety at work is now widely understood and accepted as a way of protecting organizations and their people. We now need to effect the same change in our approach to information security training. Otherwise too many more organizations will be forced to explain to the world’s media why they’ve been breached.
Visit axelos.com/resilia-infosec-conundrum to read more articles from Nick and to find out more.
© Nick Wilding. Nick is General Manager, Cyber Resilience at AXELOS Global Best Practice. He has been working at the sharp end of cyber security since 2003 and is a regular speaker on the subject internationally and on UK television and radio. Nick welcomes discussions with organizations about improving their employees’ cyber resilience behaviours.