The eight main causes of the failure of Cyber Security Awareness training programmes illustrated by Gianni Baroni, CEO of Cyber Guru, at Cybertech Europe
According to many experts, our era is a kind of “golden age” for European technology. In short, a real exploit, despite the various health and geopolitical crises. Or perhaps precisely because of them. Commercial, industrial, governmental and academic sectors are all involved in the new challenge of digital transformation. But new opportunities always bring with them new challenges: a worldwide increase in cyber attacks, including those to the Supply Chain, the payment of ransoms due to Ramsonware attacks, the numerous phishing activities and attempts to violate privacy.
This is what emerged from the European Cybertech event, the main networking platform that conducts events in the industrial field around the world and that was held over a very intense two days on 10 and 11 May in Rome. The event brought together the main players in the sector, as well as personalities from the worlds of politics and economics.
As one of these, Cyber Guru could not miss it: one of the main European points of reference on Cyber Security Awareness, which so far has trained about 250,000 users on cyber risks related to the digital world and carried out over two million phishing simulations.
Gianni Baroni, CEO of Cyber Guru, was among the protagonists of the events of 11 May with a speech in which he illustrated the 8 main causes of the failure of Cyber Security Awareness projects and what must be done in order not to fall into easy traps.
1. Lack of support from the CEO
Simply put, it needs to be clear to all employees that the CEO is the first to believe that transforming human behaviours is a key element in securing the company against cyber attacks. The possible lack of this support is manifested both in terms of communication: not conveying to employees the centrality of the issue of awareness of cyber risks and the importance of prevention, and in terms of the lack of follow-up. In fact, it is important that the KPIs (Key Performance Indicators), i.e. the measurements that a company uses to evaluate its performance over time in terms of employee awareness, are never neglected and are discussed during staff meetings. If this does not happen, it can be a problem, because the company lacks the right awareness of how much Cyber Security Awareness is a non-negligible and top-priority issue today.
2. Poor user engagement
Training courses with predictable and uninvolving content have the effect of boring the employee and fail miserably in their purpose. For this reason, it is essential that Cyber Security Awareness platforms are: easy to use, use innovative technologies and training methodologies, rely on accurate localisation and engaging gamification and, finally, present topics that are relevant to users. In summary, they should be effective and motivating.
3. Short-term training courses
Changing end-user behaviour is a complex pathway that takes time to be metabolised and adopted. Training on cyber risks, therefore, cannot be rapid and short-lived. In addition, as threats and attack techniques are increasingly refined and constantly evolving, it is necessary to have constantly updated training that follows the evolution of cyber attacks. Only by knowing the enemy thoroughly and anticipating their possible moves can you be sure to defeat them.
4. The absence of a concrete analysis of performance
One thing is certain: when you take a training course, you cannot improve if you do not constantly test what you have learned. Continuous monitoring of user engagement and behavioural changes during the learning pathway is a key element of training. If this aspect is lacking or is not monitored with the attention it deserves, all training can be compromised.
5. Relying on “white phishing”
That is, on the same simulation for everyone. Sending fake phishing emails to employees and seeing if they fall into the trap is too vague a training mode, compared to the complexity of the cyber world. Or at least it can’t be considered complete. To increase awareness, it is necessary to proceed with emails of varying complexity, but which are also different for different users. Anti-phishing training that is not the same for everyone, but personalised for each employee.
6. Relying on questionnaire-based Risk Assessment activities
To assess with a minimum level of accuracy the level of knowledge of the cyber risks of an employee through a questionnaire, it is necessary to prepare a set of 20–30 questions. We all know very well that questionnaires of this length are certainly not appreciated by end-users who, therefore, very often, fill them out carelessly. So the results of these surveys are largely unreliable. The decisive aspect that makes the difference in a training path is the readiness for practical reaction. The ability to respond promptly to a cyber attack is not measured by questions, but by measuring reactions to the most likely stimuli. A training and measurement platform is the right answer to this need.
7. Thinking: “My employees are different”
Cyber Guru’s experience, based on the training paths of hundreds of thousands of employees, leads to the conclusion that the vast majority of end users, regardless of the organisation they work for and their duties, make the same basic mistakes. And it is on these mistakes that we must work. Training, therefore, should not be extremely personalised, which would make it particularly costly. Its effectiveness depends above all on its accuracy, on its ability to use different tools, to involve users also from the point of view of emotional reactions and, above all, on it being up-to-date and carried out on an ongoing basis.
8. Having an understaffed team
Security teams are always overworked. For this reason, training is very often given a lower priority than other critical IT activities. Before undertaking a Cyber Security Awareness training course, it is therefore essential to clearly understand the commitment necessary to manage it. For this reason, it is important to choose solutions that minimise management costs and maximise the effectiveness of training results.