Annual cybersecurity training doesn’t work, so what’s the alternative?

Cybersecurity and compliance training programs are now big business. According to Cybersecurity Ventures, the security awareness training market reached $5.6 billion in 2023 and is expected to exceed $10 billion within the next four years. This boom is no surprise: cyber threats are widespread, and large-scale attacks continue to make headlines; the attack on the British Library, to name just one British example, disrupted its ability to operate. All of this shows that every organization, regardless of size, is at risk of a breach.

Social engineering, where an attacker targets the people who have access to systems rather than the systems themselves and manipulates them into handing over that access, was the most common malicious tactic in 2023. Companies are therefore right to recognize that people play a key role in their vulnerability.

Annual cybersecurity awareness training is a regular fixture on the agenda of most organizations, intended to ensure that everyone in every department develops their cyber awareness skills and is able to spot threats and respond before they become a major problem. Yet security threats evolve rapidly, and this training is often out of date by the time it is delivered; it can take months or even years before it teaches people to recognize the tactics currently in use.

Neil Thacker

Chief Information Security Officer EMEA, Netskope.

Should training take place more often than once a year?

Ask any security leader and he or she will readily admit that employees find annual cybersecurity training time-consuming and uninspiring. Often seen as a distraction, many employees will click through, skim, watch videos at double speed and take every shortcut they can find to reach the certificate of completion, tick the box and get on with their workday.

Moreover, the limited interactivity of most annual training fails to capture and hold employees' attention. Without active involvement, retention declines, and many programs make no connection between the employee and the real-world scenarios that might arise in his or her specific role.

Even for those outliers who find annual training engaging and insightful, there is little evidence that it actually educates individuals or leads to lasting changes in behavior. As a result, it serves as little more than a compliance checkbox rather than a proactive measure that builds a culture of vigilance and defends against threats. Ultimately, it is not an efficient use of time or resources, and cyber attacks continue unabated.

It is also worth noting that malicious actors deliberately design their campaigns so that even the best-trained employee abandons their cybersecurity reasoning. They prey on emotional rather than logical behavior, and they manufacture a sense of urgency precisely to divert the victim from the careful, trained approach.

How do we go beyond education? Organizations need behavioral interventions that help people think logically again at the moment they are about to take a significant cyber risk.

A push towards more cyber hygiene

Small, regular, people-oriented interventions are an ideal route to effective long-term behavioral change. One example is nudge theory: a set of principles for guiding human behavior toward a more desirable path. It is a proven concept that has been hugely successful in steering people toward healthier food choices and environmentally friendly behavior, and it requires only small changes to decision-making at crucial moments, when people are acting on (often automatic) habits. Applying it to cybersecurity therefore seems like a no-brainer.

In the same way that a radar speed sign displays your current speed, giving you a moment to think and adjust, we should have signals at work that tell us when we are about to engage in risky cyber behavior and encourage us to slow down and think.

This people-oriented, preventive route can be very effective and deserves to be more widely known and accessible to companies. For example, real-time user coaching uses AI-based detection to identify a high-risk action at the moment an individual takes it and to suggest an alternative course of action.

This matters especially in the age of generative AI, where third-party AI tools can be reached for free from inside many companies, and platforms such as ChatGPT and Google Bard have become the go-to assistant for many tasks. The risk is that employees upload sensitive data to these platforms, from source code to personally identifiable information, which significantly increases the risk of data loss.

In most cases, employees who use these services are unaware of the risk; they are simply trying to be productive with tools they know or have come across. Rather than blocking the activity outright, which can produce a disgruntled employee who works harder to circumvent the policy, just-in-time coaching offers the chance to explain the risk as it occurs, tailored to the corporate culture, tone of voice and policy, and to recommend safer ways of achieving the same result.
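To make the coaching flow concrete, here is an added example (not code from the author or from any vendor product) of a just-in-time coaching check for text submitted to a generative AI site. The domain list, the "sanctioned alternative", the detectors and the sample inputs are all constructed for the illustration; a real deployment would use tuned DLP classifiers and its own policy. The point it shows is the decision split the text argues for: allow when nothing sensitive is involved, coach with an explanation and a safer route when PII or source code is about to leave company control, and reserve a hard block for credentials. It also tallies what people choose after a nudge, because a coaching program is only worth running if its effect on behavior can be measured.

```python
"""Just-in-time coaching for uploads to generative AI tools (added example)."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Hypothetical policy data: destinations the organization treats as unsanctioned
# generative AI services, and the sanctioned alternative to steer people toward.
GENAI_DOMAINS = {"chat.openai.com", "bard.google.com"}
SANCTIONED_ALTERNATIVE = "the approved internal assistant (assistant.corp.example, hypothetical)"

# Content detectors constructed for this example. Production DLP uses tuned
# classifiers and fingerprints; these regexes only illustrate the decision flow.
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "source_code": re.compile(r"^\s*(?:def |class |import |from \w+ import |#include|package )", re.M),
}
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Credentials are not a coaching matter: once pasted they must be rotated, so block.
HARD_BLOCK = {"aws_access_key", "private_key"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> list[str]:
    """Return the sensitive-content categories found in text, in detector order."""
    found = [name for name, rx in DETECTORS.items() if rx.search(text)]
    for cand in CARD_CANDIDATE.findall(text):
        digits = re.sub(r"[ -]", "", cand)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append("payment_card")
            break
    return found


@dataclass
class Decision:
    action: str                       # "allow", "coach" or "block"
    categories: list[str] = field(default_factory=list)
    message: str = ""
    alternatives: list[str] = field(default_factory=list)


def coach(user: str, destination: str, text: str) -> Decision:
    """Decide what the user sees at the moment they submit text to a site."""
    if destination not in GENAI_DOMAINS:
        return Decision("allow")
    categories = classify(text)
    if not categories:
        return Decision("allow")
    secrets = sorted(HARD_BLOCK & set(categories))
    if secrets:
        return Decision(
            "block", categories,
            f"{user}: this upload contains credentials ({', '.join(secrets)}). "
            "Secrets must never be pasted into external tools; rotate them if already exposed.",
            ["Rotate the credential", "Ask the security team"])
    # The nudge: name the specific risk and offer a safer way to the same outcome
    # instead of silently blocking. The user can still proceed after reading it.
    msg = (f"{user}: you are about to send {', '.join(categories)} to {destination}. "
           "Data sent there leaves company control and may be retained by the provider. "
           f"Consider using {SANCTIONED_ALTERNATIVE} or redacting the sensitive parts first.")
    return Decision("coach", categories, msg,
                    [f"Use {SANCTIONED_ALTERNATIVE}", "Redact and resend", "Proceed with justification"])


# Measuring the nudge: tally what people do after seeing one.
OUTCOMES = Counter()


def record_choice(decision: Decision, choice: str) -> None:
    """Record whether a coached user took a safer option or proceeded anyway."""
    if decision.action == "coach":
        OUTCOMES["proceeded" if choice == "Proceed with justification" else "safer"] += 1


def safer_choice_rate() -> float:
    """Share of nudges that ended in a safer choice; 0.0 before any data."""
    total = sum(OUTCOMES.values())
    return OUTCOMES["safer"] / total if total else 0.0
```

The hard block for credentials is a deliberate caveat to the article's "nudge rather than block" argument: a pasted private key or cloud access key is compromised the moment it leaves the machine, so there is nothing to coach, only a rotation to trigger. Everything else goes through the coaching path, and `safer_choice_rate` is the kind of number a program should be able to report to show that the nudges are actually changing behavior rather than just being clicked through.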

Continuing education

This form of continuous education and reinforcement gives employees what annual training lacks: an opportunity to put information in context and stop it fading quickly from memory. Consistent reminders woven into an employee's daily work are the essential ingredient for understanding and practicing better cyber hygiene.

By coaching employees in real time to become better cyber citizens and make more secure decisions, companies can head off incidents at the moment the threat arises and build genuine learning opportunities into employees' daily work.

Instead of seeing people as a weak link in our security posture, we should approach them as our last line of defense between an enterprise and the cyber threat landscape. It is important that we recognize this and train people in the way that is most effective and empowering.


This article was produced as part of Ny BreakingPro's Expert Insights channel, where we profile the best and brightest minds in today's technology industry. The views expressed here are those of the author and are not necessarily those of Ny BreakingPro or Future plc.
