How do you make cyber training stick?
- Pure Cloud Accounting
- Oct 20
- 4 min read
As reported by ICAEW

If cyber security training is to be relevant and effective, business owners and organisation leaders must ensure that it is specifically tailored to how their companies work and the risks they face on any given day.
A ‘one size fits all’ approach to cyber training no longer cuts it, according to Karen Morrall ACA, CEO of Lockdown Cyber Security, which provides cyber services to firms.
“Any training needs to be relevant and pitched at the right level with the right frequency to its audience, based on job role and perceived level of risk,” she says. “Generic cyber security training is no longer enough.”
Effective training needs to embed cyber awareness throughout an organisation. That means constant, small cyber security updates as part of its day-to-day activities. Annual or one-off training will not provide the level of protection that organisations need.
The cyber security problem statement
The first step towards putting in place effective cyber training is to understand what cyber security truly means to your organisation. Come up with a cyber security ‘problem statement’; how much cyber risk are you holding and where? Do you have safeguards in place to defend yourselves? Are they enough? “If you don’t understand the problem, you won’t choose the right solution, including the right training.”
Approach training holistically, taking on board all cyber security considerations, including the different environments in which staff work, such as at home or on client premises.
Build a security-aware culture
Training is no good if the knowledge is not retained or applied. Beyond training, employees need to be vigilant, says Morrall. “They should be allowed time to be curious and to question when requests or things look odd or suspicious, know what escalation processes must be followed, and be highly prepared for any attacks.”
Cyber criminals are increasingly using AI to enhance and weaponise attacks, Morrall points out, which is why constant security awareness is necessary. “One recent innovation on that front is polymorphic malware, which shifts and changes its digital DNA to evade detection. AI phishing campaigns are so much more advanced, less obvious to spot and can be run at much larger scale. AI offers real advantages but also brings real risks.”
Tailor training to your specific threats
If you don’t understand the risk of cyber threats that are likely to affect you specifically, any training will be a tick-box exercise, says Morrall. “All too often, we see a generalised approach to security training, rather than efforts to drill down into questions such as:
What is the cyber risk level in our sector?
What does the threat landscape we’re working in look like?
How could the way our business is structured invite malicious approaches?
What sort of training is required for different roles?”
Attackers typically target accounts teams through methods such as phishing, invoice mandate fraud, business email compromise and social engineering, Morrall says. They also go after CEOs and boards, who are by no means immune to cyber threats and are often individually targeted by spear phishing. “We all must be trained, as we are all targets.”
Whatever training solution or programme you do decide on has to be right for your firm, she says. Teams will need regular updates to their training, particularly as new information about threats becomes apparent.
People make the difference
People are often the route into an organisation’s systems. But equally, they are an essential line of defence against cyber attacks. For that reason and others, Morrall stresses that training must function as a multi-layered ‘stack’ that complements and weaves through the business’s overall technology and process stack.
Training must also be dynamic and fluid enough to address emerging threats, which means constant attention and updates. “The objective is for each and every employee to view their role and business area through a cyber lens, so they will be effective foot soldiers against attacks.”
To ensure the effectiveness of your people in identifying and reporting cyber threats, your organisation needs to cultivate an open attitude towards cyber incidents, giving employees the confidence that they can report an incident – even if they have made a mistake – without any fear of recrimination. Training needs to outline what actions staff need to take in the event of an attack, emphasising that reporting to security teams is a positive move.
Practise incident response
Having an incident response plan is essential, and employees should regularly practise it through simulation and incident response training, says Morrall. This means training in layers: cyber posture and maturity training, and cyber resilience training.
Morrall notes that one of the biggest decisions a company could face during an incident is how to respond to a ransom demand from a ransomware attack. Training should prompt the organisation to answer the following questions before an incident occurs:
Are we going to pay the ransom?
What is our ethical and legal standpoint?
If the attackers are demanding cryptocurrency, how will we source it?
Should we have a negotiator in place?
Does our insurance cover this?
Address supply chain risk
Alongside incident response drills, it is vital for companies to engage in training around supply chain cyber risks. That means carrying out thorough supply chain assurance and due diligence to vet suppliers before you onboard them, ongoing monitoring for material changes to their cyber posture, and informing staff about the findings.
“You’re only as good as your weakest link,” Morrall says. “Supply chain complexity is a major reason why you shouldn’t isolate training from the nature of your business. You must look at where criminals might get in, what sorts of attack types they could use, how to layer security to set up appropriate defences – and how you should respond if a fire does break out.”
When you’re in the middle of an incident, every second counts, and the number of decisions you will need to make is overwhelming, Morrall explains. So firms should ensure that key decisions are made before the fire starts raging.
“That way, when your files are on death row, you’re losing systems access and are under huge pressure, you make the right, informed choices because you’ve got a plan, you’ve agreed your position internally, and you’ve practised it over and over again.”