Annual cybersecurity training isn’t working, so what’s the alternative?


Cybersecurity and compliance training programs are now big business. According to Cybersecurity Ventures, the security awareness training market hit $5.6 billion in 2023 and is expected to surpass $10 billion in the next four years. This market boom is no surprise: cyber threats are rampant and large-scale attacks continue making headlines, most recently, to name one UK example, hitting the British Library and disrupting its ability to function. All of this proves that every organization, no matter its size, is at risk of a breach.

Social engineering techniques, where an attacker targets the people who have access to systems (rather than the systems themselves) and manipulates them into handing over control, were the most popular malicious tactics in 2023. Businesses are therefore correct to recognize that people are a key vulnerability.

Annual cybersecurity awareness training is a regular feature on the calendar for most organizations, in an attempt to ensure that every person in every department develops their cyber awareness skills and is able to spot threats and respond accordingly before they become a major issue. In the face of fast-evolving security threats, however, this training is often outdated, and it can take months or even years for education on a new tactic to reach the people who need to recognize it.

Neil Thacker

Chief Information Security Officer EMEA, Netskope.

Should training come around quicker than every year?

Ask any security leader and they wouldn't be hard pressed to admit that employees find annual cybersecurity training time-consuming and uninspiring. Because it is often viewed as a distraction, many employees will click through, skim read, watch videos at double speed and pursue whatever shortcuts they can find to reach the completion certificate, check the box and carry on with their working day.

What’s more, the often limited interactivity of each annual training course fails to capture and maintain employees' attention. Retention rates plummet without active engagement, and many training schemes lack any form of connecting the employee to real-world scenarios that could occur in their specific job function.

Even for those outliers who find annual training engaging and insightful, there is still little evidence that it truly educates individuals or leads to positive behavior changes. As a result, such courses serve as little more than compliance checkboxes, as opposed to being a proactive measure to build a culture of vigilance and defend against threats. Ultimately, it’s not an efficient use of either time or resources, and cyber attacks continue their steady momentum.

It’s also worth noting that malicious actors specifically build their campaigns in a way that makes even the best-trained employee forget their general cybersecurity logic. This includes preying on emotional - rather than logical - behavior, and harnessing a sense of urgency to specifically guide the victim out of their logical and trained approach.

So, how do we go beyond education? Organizations everywhere need behavioral intervention that helps to point people back toward logical thinking before they take big cyber risks.

Nudging toward greater cyber hygiene

Small, regular and human-centric intervention is an ideal route to effective long-term behavioral shifts. An example of this is nudge theory - a general set of principles aimed at guiding human behavior down a more desirable path. It’s a well-established concept that has been hugely successful in the past, steering people toward healthier food choices and pro-environmental behavior, and it requires only small changes in decision making at crucial moments when people are moving through (often automatic) behaviors. Applying this to the world of cybersecurity, therefore, feels like a no-brainer.

In the same way that radar speed signs show your current speed - giving you a second to think and adapt your behavior - we should have signals at work letting us know when we’re about to participate in risky cyber behavior and encourage us to slow down and think.

This human-centric route of prevention can be highly effective, and is a tool that should be more widely known and accessible to enterprises. Real-time user coaching, for example, harnesses AI detection to instantly flag a high-risk behavior to the individual as it happens, and proposes alternative actions for the employee.

This is particularly important in the age of Generative AI, where third-party AI tools are freely available across many enterprises, and platforms such as ChatGPT and Google Bard are seen as the go-to assistant for many admin tasks. The risk here is that many employees are uploading sensitive data to these platforms (from source code to personally identifiable information) and significantly increasing the risk of data loss.

In most cases, employees accessing these services are unaware of the risk and are trying to be productive with tools they are familiar with or have stumbled across. Rather than blocking this activity outright, potentially leading to a disgruntled employee who works harder to get around the policy, just-in-time employee coaching provides an opportunity to explain the risk in the moment as it arises - crafted to fit company culture and tone of voice, as well as policy - and recommend safer ways to achieve the same outcome.
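To make the just-in-time coaching described above concrete, here is a small policy engine as an added example; it is not Netskope's product, nor code from the author. It assumes an inline proxy or DLP agent can hand it each paste or upload event with the user, destination host and content. The list of GenAI destinations, the detection patterns and the sample events are constructed for illustration. Rather than blocking, a sensitive paste to a GenAI tool returns a "coach" decision carrying an explanation and a redacted version of the same text, so the employee can still get the job done.

```python
"""Just-in-time coaching for pastes and uploads to generative-AI tools.

Added example, not a vendor's product code. Destinations, patterns and
sample events are constructed; a real deployment would receive events from
an inline proxy/DLP engine and use far richer classifiers.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Hypothetical third-party GenAI destinations (constructed list).
GENAI_DESTINATIONS = {"chat.openai.com", "bard.google.com"}

# Illustrative detectors; production DLP uses proper classifiers.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SOURCE_CODE_RE = re.compile(r"^\s*(?:def |class |import |#include|package )", re.M)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so random digit runs (order refs, IDs) are not flagged as cards."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _looks_like_card(candidate: str) -> bool:
    digits = re.sub(r"\D", "", candidate)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def find_sensitive(content: str) -> list[str]:
    """Return the categories of sensitive data found in the text, in a fixed order."""
    findings = []
    if EMAIL_RE.search(content):
        findings.append("email_address")
    if any(_looks_like_card(m.group()) for m in CARD_RE.finditer(content)):
        findings.append("payment_card")
    if SOURCE_CODE_RE.search(content):
        findings.append("source_code")
    return findings


def redact(content: str) -> str:
    """Produce the 'safer way to achieve the same outcome': same text, PII masked."""
    content = EMAIL_RE.sub("[EMAIL]", content)
    return CARD_RE.sub(lambda m: "[CARD]" if _looks_like_card(m.group()) else m.group(), content)


@dataclass
class Decision:
    action: str                       # "allow" or "coach" (never a hard block here)
    findings: list[str] = field(default_factory=list)
    message: str = ""                 # in-the-moment explanation shown to the user
    safer_alternative: str = ""       # redacted content the user can paste instead


def coach(event: dict) -> Decision:
    """Evaluate one paste/upload event and decide whether to coach the user."""
    if event["destination"] not in GENAI_DESTINATIONS:
        return Decision("allow")          # not a third-party AI tool: out of scope
    findings = find_sensitive(event["content"])
    if not findings:
        return Decision("allow")          # harmless use of the assistant
    message = (
        f"Hi {event['user']}, this paste to {event['destination']} appears to contain "
        f"{', '.join(findings)}. External AI tools may retain what you send. "
        "You can paste the redacted version below, or use the approved internal assistant."
    )
    return Decision("coach", findings, message, redact(event["content"]))


# Constructed sample events, as an inline proxy might deliver them.
SAMPLE_EVENTS = [
    {"user": "jane", "destination": "chat.openai.com", "action": "paste",
     "content": "Summarise: customer jane.doe@example.com paid with card 4111 1111 1111 1111"},
    {"user": "amir", "destination": "chat.openai.com", "action": "paste",
     "content": "Rewrite this sentence to sound more formal."},
    {"user": "li", "destination": "docs.internal.example", "action": "upload",
     "content": "def connect():\n    import os"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        d = coach(ev)
        print(f"{ev['user']:>5} -> {ev['destination']}: {d.action} {d.findings}")
        if d.action == "coach":
            print("   ", d.message)
            print("    safer:", d.safer_alternative)
```

The design choice worth noting is that the decision is "coach", not "deny": the employee keeps control, gets the reason at the moment of the action, and is handed a working alternative. The Luhn check is there to keep the nudge credible; a coaching prompt that fires on every order number trains people to dismiss it.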

Continuous education

This form of continuous education and reinforcement can provide for employees what annual training lacks: an opportunity to contextualize information and prevent it from fading quickly from memory. What’s more, this practical application of consistent reminders in an employee's everyday working life is the essential ingredient for fully understanding and harnessing greater cyber hygiene.

By coaching employees in real-time to become better cyber citizens and make safer decisions, businesses can prevent cyber incidents the moment the threat occurs, and build genuine learning opportunities into employees’ daily working lives.

Rather than viewing humans as a weak link in our security posture, we should approach them as our last line of defense between an enterprise and the cyber threat landscape. It’s important that we recognize that, and train people in the way that is going to be most effective and empowering.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
