How to make your cybersecurity training succeed

by Brett Henebery, 21 Jul 2017
In June, a global cyberattack crippled computer systems across multiple continents for the second time in less than a month.

The ransomware attack – called ‘GoldenEye’ – struck across the globe yesterday, taking down servers at Russian oil giant Rosneft and computers at multinational businesses, including the Australian offices of a global law firm.

This alarming incident put the spotlight not just on the state of cybersecurity awareness, but the kind of training that organisations are providing to ensure that the next time around, they are better prepared.

This week, a new report from the SANS Institute revealed that the lack of time dedicated to employee training and the lack of communication skills are key contributors to why cybersecurity awareness programs fail to meet their objectives.

Interestingly, the report also found that women are twice as likely as men to be dedicated to such programs.

According to the researchers, there are four areas on which organisations must focus: human resource allocation, partnerships, hiring of dedicated professionals and fostering security ambassadors.

The report also pointed out that budget constraints were not cited. Instead, the biggest challenge is time, as over 75% of security professionals spend just 25% of their time on awareness.

Furthermore, 30% said that the lack of communication and employee engagement are other hurdles: while 80% of security awareness professionals have technical backgrounds, only 8% have soft-skills backgrounds, such as communications, training and marketing.

Ned Baltagi, managing director, Middle East & Africa at SANS, said that the behaviour of end-users, most commonly unintentionally malicious, is often the root cause of data breaches.
“This is why SANS has worked to pinpoint the shortcomings of security awareness programs and provide enterprises with a clear outline for how they can overcome these,” he said.

“Organisations should strategically leverage their budgets to hire resources who will get their awareness programs off and running.”

Baltagi said they should also identify and empower awareness ambassadors: employees who are committed to security initiatives and push their colleagues to do the same.

“A cost-effective means to raise the entire organisation's security posture,” he said.

While Australia was relatively unscathed in the latest spate of cyberattacks, some cybersecurity experts caution that greater cybersecurity training is needed.

Nick FitzGerald, a senior research fellow at ESET, a global IT security firm based in Slovakia, told L&D Professional that fortunately there has been “explosive growth” in general awareness of the poor state of cybersecurity.

However, he doesn’t think that the quality of most existing tertiary cybersecurity education is the source of the skills gap problem.

“The problem is that, at least until quite recently, there has not been much incentive to specialise in this field,” he said, adding that this is now changing.

“There is a great deal of news media and popular culture attention on cybersecurity issues and hopefully that will shape attitudes of more school students to realise that there are plenty of interesting jobs in this field.”
