By Amir Kanaan
Among the wide range of reasons that cause cybersecurity incidents, inappropriate use of IT resources by employees remains a challenge for businesses. In 2019, half (52% enterprise, 50% SMEs) of companies faced a data breach because of this, as revealed in a Kaspersky survey of IT decision makers. Quite surprisingly, companies experienced this almost as often as their devices being infected with malicious software.
This shows that businesses need to explain to their employees how to recognise ‘dangerous’ situations and ensure they know how to react appropriately. Security awareness training programmes are designed to teach important cybersecurity hygiene.
To make sure courses deliver the desired results, they should meet modern learners’ requirements and the current trends in corporate education. Numerous factors have contributed to the evolution of security awareness training, be it development of new technologies or changes in corporate culture. In this article, we describe five trends that determine what corporate cybersecurity education will look like.
#1 Training will include tips for going online in your spare time
Organisations have been long exploring the opportunities of remote working, and the Coronavirus (COVID-19) pandemic has helped to fasten this process. Some companies have decided to allow staff to work remotely even after the COVID-19 lockdown measures are over. Soon, many people will find their living room couch will become their common workplace, rather than an office desk and chair. However, this does blur the boundaries between work and personal life. For instance, users may not be as conscious about using work devices to enjoy personal activities and vice versa.
First of all, this change will be reflected in the training course agenda. It will become necessary for employees to be taught rules on how to behave securely in general, not just specifically at work. Also, security awareness courses should cover the use of personal devices and accounts for work purposes and explain how personal and business resources can be interconnected.
Additionally, this tendency can be applied to prompt employees to learn cybersecurity basics. Some companies use scaremongering to motivate employees to learn. For instance, they warn staff they will lose bonuses or will even be fired if they cause a data breach (in fact, 26% enterprises and 24% SMBs did so). Unfortunately, fear does not work as a long-term solution to effectively motivate people. It’s like throwing a person who can’t swim into the water – he or she may reach shore after struggling but it is highly unlikely they will then love swimming. Instead, a company can position a security awareness course as an opportunity to learn useful information that can be applied during employees’ spare time as well. For example, a person who has been told how to identify phishing attempts at work will be less likely to enter credit card details when they receive an email from fraudsters in their personal mailbox.
#2 Course duration and required cybersecurity skills will be regulated
Today, many governments and industry requirements make it necessary for organisations to have security awareness training in place. The Health Insurance Portability and Accountability Act (HIPAA) makes it an obligation for businesses to “implement a security awareness and training programme for all members of its workforce (including management)”. And according to GDPR, a data protection officer is responsible for “awareness-raising and training of staff involved in processing operations”. Nonetheless, most of the regulators today don’t enforce a specific course format or duration.
In practice, businesses do what they can to fulfill these requirements and often implement any training available to say they are compliant but with little substance. The statistics above showed that this approach doesn’t bring the required results. That’s why we think that the regulations in industries, where cyberattacks are more critical for business, will become more detailed and stricter. For example, there may be requirements on the minimum time spent on security training or formal competence matrixes for non-security specialists. We expect that in this case, companies will have to reconsider their approach to how training is carried out. And for employees, the perception will change from the course being a mere formality to a beneficial and valued way to gain the skills required for the job market.
#3 New cyberattack scenarios are coming, so courses will be updated
Cybercriminals always develop more sophisticated ways to conduct their attacks. Here is an extraordinary example: last year, researchers revealed that fraudsters impersonated a CEO of a German company by mimicking their voice deepfake and forced an employee to transfer €220,000. Now, security awareness training advises employees who have received a suspicious letter to call and ask the addressee if they really requested this. But unfortunately, this advice will not be of help in this case.
We cannot say for sure if this sort of attack will be common, but this case demonstrates that security awareness training agendas should be reviewed regularly. So, future basic cybersecurity courses will include topics and recommendations that we cannot even foresee now.
But even now, effective training should not only make people remember a number of certain rules, but also develop vigilance and pattern recognition skills. As a result, when employees face a new threat, they will be able to recognise that something is wrong and apply the rule to this specific situation.
#4 Corporate education will resemble massive open online courses
If you have taken an online course during the COVID-19 lockdown, you are not alone – many online learning platforms saw an increase in registrations. And learning was considered as an activity done in people’s free time before the quarantine. Even in 2016, 74% of adults in the USA participated in at least one educational activity because it was of personal interest to them. This illustrates the tendency that people want to engage with life-long learning and now continue to gain new knowledge after they have graduated from school or university.
How will it affect corporate learning and development and security awareness training in particular? People who regularly attend courses and see the different approaches to education will likely have more specific requirements for corporate training. If online Spanish classes can be viewed from a mobile device whenever the user prefers, or online course on Artificial Intelligence or biostatistics can explain difficult matters in simple words, why shouldn’t corporate training be the same? So, to fulfil these requirements, security awareness courses will change both in terms of content and form of delivery.
#5 Security awareness training will be more personalised
The amount of information produced and consumed by people is growing – no doubt you are accustomed to this message. Maybe, you feel irritated that an article wastes your time as it repeats facts you already know. And employees who are taught information that’s already familiar to them – while there are plenty of other things they have to learn and remember – may feel the same.
Therefore, security awareness training will become more tailored. These courses will take into account not just the skills and rules that are relevant and new for a role – good training should automatically be adjusted to a particular employee’s level of knowledge, pace of learning and their individual learning preferences. This will ensure employees are not burdened with irrelevant information and can instead spend more time focusing on the skills they do not already have.
We are regularly communicating with our customers and see that these trends are already transforming the way cybersecurity education is organised within companies. This is a long-term process and changes in methodology don’t happen overnight. Therefore, we recommend learning and development specialists to think about what they can amend even now. For example, it’s definitely worth stopping practices where employees are left scared about possible penalties in case they don’t uptake training programmes on offer to them, and highlight the possible benefits instead. Or it’s high time recall when the content of the lecture was last updated. These small steps will foster cybersecurity corporate culture with the help of effective security awareness training in the future.
(Amir Kanaan is the MD for the Middle East, Turkey and Africa -META – region at Kaspersky).