The cybersecurity industry often talks of defense in depth and establishing resilience through multiple complementary layers of cybersecurity. This approach is usually centered on technological solutions and polices, with the workforce being seen as a cybersecurity liability rather than a potential advantage.
James Hadley, CEO, Immersive Labs.
However, with the right support, personnel can become a valuable cyber asset, capable of playing an active role in foiling attacks. Well-prepared staff with strong cyber capabilities are less likely to be stung by people-centric attacks such as social engineering and will be more likely to respond quickly and efficiently when a crisis rears its head.
Security strategies need to invest in this potential and treat their workforce as an asset by equipping all employees with the knowledge and skills they need to identify and respond to cyber threats. And just like any other form of business asset, there needs to be a meaningful process in place to measure the impact of this investment and make further strategic improvements.
The problem with bland, disconnected training
Most cyber attacks today begin by targeting users, with research finding that over 90 percent of data breaches involve phishing. Despite this, personnel are usually overlooked in cybersecurity strategies and the majority of investments go towards new security tools.
When staff do get a look-in, the result is likely to be a tick-box approach that revolves around a series of cookie-cutter training courses. For the most part, security training tends to be fairly uninspiring. In-person, classroom-style sessions can often feel more like an endurance test, while at-home online courses are tick-box exercises to be rapidly clicked through and forgotten.
More advanced “tabletop” style crisis exercises, usually reserved for key decision makers, can be more engaging, but still fall short of matching a genuine security incident and aren’t conducted regularly enough to be effective.
Measurement is essential
Whatever the format, benchmarking capabilities or measuring progress in any meaningful way is a challenge. Tests generally take a multiple-choice approach, which is more likely to assess the participant’s memory (or luck) than their ability to act on security knowledge and practices. Even the more elaborate tabletop exercises fail to capture the feeling of a genuine threat, so don’t truly reflect the participant’s performance in a true crisis.
Security training also tends to be very static, focusing on a particular threat at a specific moment in time. This is a poor fit with the dynamic and evolving nature of the cybersecurity landscape. Furthermore, most staff are only trained once or twice a year at most, and any knowledge they do absorb will be quickly rendered woefully out of date.
Without any meaningful measurement of the performance and impact of the training, it can never be much more than a case of going through the motions. It might look good on an audit or regulatory compliance report, but ultimately will do little to improve the business’s security standing.
This is far from ideal for any form of investment into staff skills but is particularly problematic when it comes to cyber threats. Knowledgeable and prepared staff can make all the difference in preventing an attempted attack from becoming a complete disaster.
A dangerous blind spot
Without an up-to-date and accurate view of their personnel’s security preparedness, organizations can have no real idea of their cyber risk exposure.
Where are the biggest potential vulnerabilities in the organization? Are there certain individuals, teams and departments that represent an elevated risk in the event of a security incident? Will the decision makers be able to keep their heads and act in the best interests of the company?
No leader worth their salt would be satisfied with a technical solution that cannot provide this basic data, but such unknowns are all too common when it comes to personal development.
A lack of baseline information also makes it near impossible to effectively improve cyber resilience and reduce risk exposure. While standard legacy training approaches can deliver results for more astute individuals, any improvements are likely to be tactical and have little overall impact.
For security courses to be more than a tick-box exercise, they need to be both an engaging and practical experience for the participants, and correctly reflect current threats to the organization. Finally, they also need to deliver accurate and actionable data. There are three main steps to achieving this.
Find the right exercise
The journey to developing the workforce into cyber assets calls for a step away from unengaging legacy courses and tests, and towards more realistic exercises that can accurately capture the feel of a genuine security emergency. These simulations should be bespoke and reflect the most serious threats, whether it’s a major ransomware outbreak shutting down production, or a malicious insider stealing classified documents.
It's also crucial for the simulation to include the entire organization. Threat actors will search for any possible chink in the armor to breach defenses, so every single employee has a role to play in keeping the business safe.
More advanced simulations can emulate the impact of the crisis and the decisions made, such as falling share prices, reputational damage, and regulatory fines. This will help keep both business leaders and their teams focused on the bigger picture.
Gather the evidence and benchmark
As simulations are completed, senior business and security decision makers can review the data on how everyone performed and map it back to the resulting risk exposure. These results should be put into context by being benchmarked against industry peers.
For this data to be meaningful, it needs to be granular enough that the actions of individual teams and workers can be measured. It may be that a particular area of the business poses a more significant threat due to poor decisions, or perhaps certain individuals demonstrate their value as knowledgeable and level-headed security heroes.
Equip for the future
It’s now time to put that data to work, so organizations can more effectively plan how to improve their resilience against real attacks.
Granular insights also ensure that each department, team, or individual can be equipped with the support and development best suited for them, rather than an ill-fitting blanket approach. If the HR department proved to be an easy target for phishing but the financial department were impervious, the training should reflect that.
Just like any other investment, cyber capability development across the entire workforce should be a continuous journey. With staff equipped to be cyber assets against ongoing risks, it’s time to start planning the next round of exercises for the next wave of threats.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
James Hadley, CEO, Immersive Labs.