March 30, 2018 By Mike Elgan

The conventional wisdom about security training needs an update — and for reasons that may surprise you.

Cyberattacks are rising in frequency, severity and the damage they cause. Since the weakest link in any networked chain is the user, employee training is a vital part of a comprehensive program that also requires world-class software and savvy policy.

You know all that, but there are other, less obvious reasons to invest in better training that even the most grizzled IT security veteran may not fully appreciate.

Surge of Insider Attacks Suggests Need for Better Security Education

The 2017 IBM X-Force Threat Intelligence Index report showed that a shocking number of incidents come from insiders, employees and other trusted people. Seventy-one percent of attacks against healthcare companies fall into this category, while 58 percent of incidents in financial services, the most-attacked sector, originate from insiders.

The majority of these insiders are inadvertent actors — mostly employees who were tricked into initiating the attacks. These numbers expose the inadequacy of today’s normal training programs. They’re not frequent, memorable or thorough enough. In other words, they’re not working.

The bottom line is that training has not kept up with the evolution of cyberthreats or their remedies. That’s why it’s more important than ever to implement the best possible tools to protect sensitive data. But decision-makers must remember that even the best software cannot stop all threats.

For example, any employee with access to any phone anywhere at any time is potentially vulnerable to social engineering. The reality of bring-your-own-device (BYOD) environments is that employees may be connecting to company resources at all hours and exposing their devices to threats in arbitrary locations and over insecure networks. That’s why great software and solid policies must be accompanied by more frequent and better training.

Five Reasons Why Improved Training Is Vital to Data Security

Of course, training exists to educate employees about threats. Don’t click on that suspicious email link. Don’t insert that thumb drive you found in the parking lot. Don’t keep your password on a note card stuck to your monitor.

But security training should be about far more than just teaching employees to avoid common errors. Below are five surprising reasons why training is vital.

1. Morale

Accelerating threats affect employees most directly by causing unwanted changes in how they work. Security rules implemented without follow-up can feel like an imposed burden. Good training makes employees feel like partners in these policy changes.

2. Speed to Remedy

Better training enables employees to more effectively spot and report suspicious activity. Confusion causes paralysis, but education promotes action. That means faster average resolution times and better institutional learning.

3. Self-Policing

Most threats come from the inside, not the outside. When employees know where threats come from, they’re in a better position to help each other avoid unwitting participation in a breach — and to report deliberate participation.

4. Compliance

Rising security threats have ushered in a new era of regulation. That means decisions around security and privacy come with more regulatory and legal ramifications than ever before. It also makes everything more complicated. There’s simply more to learn now, and that demands more and better training. The burden of compliance can also change institutional thinking and lead to a harmful compliance-first mindset. Training helps employees comply with regulations without taking the focus off actual, practical security.

5. Informed Purchase Decision-Making

The most important internal group to train is also the hardest: C-level executives, managers and team leaders. One of the biggest institutional problems around security is the failure to invest in the best solutions. This is often a direct result of top decision-makers’ lack of knowledge. Trainings that expose leaders to the risks of today’s increasingly damaging breaches — and the rewards of being ready for them — can be very effective.

It’s Time to Get Creative With Security Training

Cybercrime is being industrialized, automated and optimized using big data analytics and artificial intelligence (AI). Much of that AI is applied to the social engineering of employees. Annual go-through-the-motions training won’t cut it anymore. It’s time to be proactive and get creative.

Don’t think of training as something that happens only at scheduled sessions. It must be constant and continuous. For example, security leaders can create fake malware or phishing attacks. When employees click or open them, serve up a quick training on why they just made a huge error and what to do if this happens again. Security teams might also consider publishing a newsletter or internal podcast to raise security awareness throughout the organization.

As threats evolve and grow more complex and damaging, it’s imperative to rethink how the organization as a whole learns and grows. By educating employees about how cyberthreats affect them, their data and their jobs, IT leaders can make security personal and steer the organizational culture toward security consciousness.
