Breaking the Norm of Cyber Security Training

Millions of Ringgit are spent on security awareness training by companies each year. Organizations care about upskilling their employees and keeping the business safe from cyber-attacks. But with so much effort devoted to this, the real question becomes obvious:
Did anyone actually learn anything?

One of the best-known illustrations of the limits of training is West Point's 2004 phishing experiment, called "Carronade." Cadets were sent phishing emails as a test. According to the reported results, even after four hours of IT security training, 90 percent of the cadets still clicked on the embedded link.

This shows that long hours of conventional classroom-style training do not necessarily change behaviour. Despite having learned, in theory, how to recognise the red flags, participants still did not do enough to protect their organisation or themselves when a real-looking message arrived.

While theoretical learning provides the underpinning knowledge, it is vital to also acquire the practical habits of cyber-security awareness that can be applied in the day-to-day role. Put simply, some things can only be learned through actual experience.

For security awareness training to succeed, users need to understand how cyber-attacks actually unfold, and that understanding has to be reinforced with effective training and regular testing. Repeated, safe exposure is what builds resistance to this type of attack.

Understanding the anatomy of an attack is the first step in mounting a better defence. Right now, the easiest way to reach users is through social engineering, because it targets the person rather than the technology: even advanced IT security tools cannot reliably stop a message that persuades the recipient to act. In a social engineering campaign, phishing is usually the crucial first step. This is where the victim is lured by an enticing but dodgy attachment or an invitation to visit a malicious website.

Phishing does not work unless that first step convinces you to take an action. So instead of having users sit through four long hours of lectures, isn't it better to have them learn by doing: send each of them a simulated phishing email whose "malicious" link opens an educational landing page when clicked?

The typical annual IT security training, repeated year after year, is neither memorable nor especially effective. And we do understand the sacrifice involved in providing this training to users. It costs time and money and, to top it off, has to be done once a year if not twice or more. But that is the price of preserving the security of an organisation. Otherwise, someday, on a day just like today, your users will get a phishing email. One uninformed user will click on a link enticing enough to the eye, exposing sensitive data to cybercriminals and bringing harm to your organisation.

The simplest way to curb this is a series of simulated phishing emails. This method not only keeps costs to a minimum, it also takes little effort to run at regular intervals as a refresher activity, so users stay constantly vigilant and alert.
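To make the mechanism behind the two passages above concrete (a simulated lure with a per-user tracking link that lands on an educational page, run as a repeatable campaign), here is an added example written for this article; it is not code from any vendor's simulation product. It assumes a hypothetical landing page URL and a made-up campaign secret and recipient list, and it sends no mail: it generates the lure, signs each tracking link with an HMAC so a forged or tampered link is not counted as a click, records clicks when the landing page is hit, and reports the click rate for the campaign.

```python
"""Minimal phishing-simulation campaign tracker (added example, not from the
original article). Recipients, secret and URL below are constructed for
illustration; nothing is actually emailed."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Hypothetical educational landing page shown to anyone who clicks.
LANDING_URL = "https://training.example.com/you-clicked"


def sign(secret: bytes, campaign_id: str, rid: str) -> str:
    """HMAC-SHA256 over campaign id + recipient id, truncated to 32 hex chars.
    A link whose signature does not verify is treated as forged, not clicked."""
    msg = f"{campaign_id}|{rid}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


class Campaign:
    def __init__(self, campaign_id: str, secret: bytes, recipients):
        self.campaign_id = campaign_id
        self.secret = secret
        # One random, opaque id per recipient so the address never appears in the URL.
        self.rid_to_email = {secrets.token_hex(8): e for e in recipients}
        self.email_to_rid = {e: r for r, e in self.rid_to_email.items()}
        self.clicked = set()     # emails that clicked (counted once each)
        self.rejected = 0        # hits with a bad campaign id, unknown rid or bad signature

    def tracking_link(self, email: str) -> str:
        rid = self.email_to_rid[email]
        sig = sign(self.secret, self.campaign_id, rid)
        return f"{LANDING_URL}?c={self.campaign_id}&r={rid}&s={sig}"

    def draft_email(self, email: str) -> dict:
        """The lure: a plausible but fake notice carrying the tracked link."""
        return {
            "to": email,
            "subject": "Action required: your mailbox is almost full",
            "body": ("Your mailbox will stop receiving messages in 24 hours. "
                     f"Review your storage here: {self.tracking_link(email)}"),
        }

    def record_click(self, url: str):
        """Called by the landing page. Returns the clicking recipient, or None
        if the link was not one this campaign issued."""
        q = parse_qs(urlparse(url).query)
        camp = q.get("c", [""])[0]
        rid = q.get("r", [""])[0]
        sig = q.get("s", [""])[0]
        if camp != self.campaign_id or rid not in self.rid_to_email:
            self.rejected += 1
            return None
        # Constant-time compare: a tampered or guessed signature is rejected.
        if not hmac.compare_digest(sign(self.secret, camp, rid), sig):
            self.rejected += 1
            return None
        email = self.rid_to_email[rid]
        self.clicked.add(email)
        return email

    def report(self) -> dict:
        sent = len(self.rid_to_email)
        return {
            "sent": sent,
            "clicked": len(self.clicked),
            "click_rate": round(len(self.clicked) / sent, 3) if sent else 0.0,
            "rejected": self.rejected,
            "clickers": sorted(self.clicked),
        }


def run_demo() -> dict:
    """Constructed scenario: five recipients, two click (one twice), one forged hit."""
    users = [f"user{i}@example.com" for i in range(1, 6)]
    camp = Campaign("q1-refresher", b"constructed-demo-secret", users)
    camp.record_click(camp.tracking_link(users[0]))
    camp.record_click(camp.tracking_link(users[0]))   # repeat click, counted once
    camp.record_click(camp.tracking_link(users[3]))
    # An attacker-style guess with a made-up rid and signature is not a click.
    camp.record_click(f"{LANDING_URL}?c=q1-refresher&r=0123456789abcdef&s=bad")
    return camp.report()


if __name__ == "__main__":
    print(run_demo())
```

Run the same campaign a few times a year with a fresh secret and lure, and the click rate in `report()` becomes the metric that tells you whether the refresher is working, which no attendance sheet from a classroom session can.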

Since early 2015, phishing simulation campaigns have become an increasingly popular way for employers to train their users, because they provide practical training and, at the same time, help build a safe cyber culture. Phishing is not a new problem, but the statistics continue to show that people remain easy prey. Why not give it a try?