Security awareness should go beyond compliance


Companies must go beyond security awareness and training (SA&T) efforts to find ways to reinforce security concepts at the right time, security experts said this week.

While security awareness and training (SA&T) programs are an effective first step in building cybersecurity awareness, too often the focus is on compliance and less on improving security, to the point that ticking the required boxes is all that matters, says Russell Spitler, co-founder and CEO of cybersecurity startup Nudge Security. Security training courses are less than scintillating — employees generally don’t like mandatory courses — and active phishing exercises often feel more like “gotcha” attempts, he says.

“These are approaches that establish an artificial antagonism between the organization and the employees,” he says. “It’s not supposed to be like that, but when the people leading the exercise say, ‘Ah, ha! You’ve fallen for the trap!’ … It feels like such an unproductive action.”

Amid Cybersecurity Awareness Month, businesses are increasingly realizing that they need more than security awareness and training (SA&T) and compliance to strengthen their workforce against the cybersecurity threats they currently face. The change in perception follows the exodus of workers from their offices to work-from-home arrangements, which has made employees the first line of defense against attackers.

Improving Culture, Not Just Classes

According to Forrester Research, organizations need to focus on awareness, behavior, and culture — the ABCs of reducing human risk — not just education and training. A focus on quantifying human risk and determining that risk based on actual user behavior leads to better results, the research firm said in its report, The Forrester Wave: Security Awareness and Training Solutions, Q1 2022.

“With employees operating remotely or physically, security awareness now knows no boundaries – so instilling a culture of ‘security everywhere’ is paramount,” Forrester analysts wrote. “All of this is causing much-needed disruption in a market that has long been stagnant. Fortunately, many vendors have risen to the challenge, creating solutions that no longer work just to train people for fun.”

Nudge Security, for example, is not primarily a security awareness training tool but a way to gain visibility into software-as-a-service (SaaS) usage and to automate security for those services. The company gives customers visibility into employees’ actions by tracking the emails that indicate when users have signed up for a service.

However, the service also automatically sends users reminders to reinforce good cybersecurity behavior, using context-specific interactions – or “nudges” – that iteratively improve the user’s security know-how.

“The point of these relatively simple interactions is that the possibility of compliance is much higher when you engage these employees on your team and extend that trust,” he says. “We don’t treat employees as an extension of the computer. We assume the employee is going to do their job, and then present them with more context for the situation.”

‘Micro-training’ to change behavior

Nudge Security is not alone. In November 2021, KnowBe4, the most established player in the security awareness and training (SA&T) industry, acquired SecurityAdvisor, a real-time behavioral analytics and micro-learning provider. The company aims to combine the two approaches to create a “human detection and response” service that delivers training at the right time, says Erich Kron, a security awareness advocate at KnowBe4.

“I see a future where if an employee responds to a phishing email and includes PII [personally identifiable information] or other sensitive information, a favorite tactic of malicious actors, the Data Loss Prevention (DLP) control not only prevents information from leaving the organization, but also triggers a short training session on information protection and this type of scam,” he says. “In these situations, the person is likely to be grateful that the DLP prevented something bad from happening, but will also be motivated to learn not to make the mistake again.”
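The pattern Kron describes, a DLP control that both blocks an outbound message and hands the sender a just-in-time lesson, can be sketched in a few dozen lines. The code below is an added illustration, not KnowBe4’s or SecurityAdvisor’s product code: it scans constructed sample messages for SSN- and card-like patterns (with a Luhn check to cut false positives), blocks only when the recipient is outside a hypothetical internal domain, and returns the contextual “nudge” text alongside the block decision. The domain `corp.test`, the sample messages and the function names are assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample outbound messages (not real data; hypothetical domains).
SAMPLE_MESSAGES = [
    {"to": "billing@vendor-example.test",
     "body": "As requested, my SSN is 123-45-6789 and the card is 4111 1111 1111 1111."},
    {"to": "colleague@corp.test",
     "body": "HR needs the new hire's SSN 987-65-4321 for onboarding."},
    {"to": "friend@mail-example.test",
     "body": "Lunch at noon? Ticket number is 2023-1234."},
]

INTERNAL_DOMAIN = "corp.test"  # hypothetical company domain (assumption)

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

# The "micro-training" shown to the sender when a message is stopped.
NUDGES = {
    "ssn": "This message contains what looks like a Social Security number. "
           "Legitimate partners will not ask for one over email.",
    "card": "This message contains what looks like a payment card number. "
            "Use the approved payment portal instead of email.",
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; a long digit run that fails it is not a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Decision:
    action: str                              # "allow" or "block"
    findings: list = field(default_factory=list)
    nudge: str = ""                          # lesson shown to the sender, if any


def find_pii(body: str) -> list:
    """Return the kinds of sensitive data found in the message body."""
    findings = []
    if SSN_RE.search(body):
        findings.append("ssn")
    for match in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            findings.append("card")
            break
    return findings


def inspect_outbound(message: dict, internal_domain: str = INTERNAL_DOMAIN) -> Decision:
    """Block PII leaving the organization and attach the matching nudge."""
    findings = find_pii(message["body"])
    external = not message["to"].lower().endswith("@" + internal_domain)
    if findings and external:
        nudge = " ".join(NUDGES[f] for f in findings) + " The message was not sent."
        return Decision("block", findings, nudge)
    return Decision("allow", findings)


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        decision = inspect_outbound(msg)
        print(f"{msg['to']:30} {decision.action:5} {decision.findings}")
        if decision.nudge:
            print("  nudge:", decision.nudge)
```

The internal message carrying an SSN is allowed but still reported in `findings`, which is the data a behavior-analytics backend would aggregate per user; only the external one is blocked and paired with the lesson. A production DLP uses far richer classifiers, but the coupling of the block event to the training moment is the part the quote is about.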

Another company, CybSafe, has also focused on behavior modification, using data-driven metrics and behavioral psychology to create a platform that measures specific actions and provides context-specific feedback.

“Awareness is good to have, sure, but it doesn’t change behavior,” the company said in a blog post. “Yet organizations continue to assign their employees more traditional security awareness training. Yes, we’re puzzled as well.”

Manage and reduce risk

Companies involved in security awareness and training need to find better ways to not only educate employees about cybersecurity, but also measurable ways to reduce risk. Security groups should determine the best metrics to track human risk and find better ways to reduce that risk, Forrester Research said in its report.

“Innovation is important for [businesses] because the way the industry has long approached SA&T has only produced frustration for employees, eroding the security brand and goodwill,” the analysts said. “You need a different way to manage human risk, not better ways to train people.”
