The news is full of stories about cyber attacks causing problems for businesses, schools and municipalities. Is the answer to this more corporate training? Not necessarily. We have different roles in the organisations we serve. This also means that the way we are involved in cybersecurity, from reducing the chance of getting hacked to handling a data breach when it has happened, varies based on what roles we have. Why then do we provide the same cybersecurity training to everyone? We can do better. We can start by asking people a simple question: “What do you need to know about cybersecurity?”
What do you need to know about cybersecurity in your role?
There are many different roles in a large organisation, but let’s start by looking at four common roles we can play.
- The leader
- The finance and accounting employee
- The IT professional
- The IT user
Leaders have a number of jobs they need to get done when it comes to cybersecurity. First of all, they need to know the major risks to the company from cyberattacks, so that they can budget for them by making reasonable trade-offs with other resource needs. This is a very difficult task. Another job they have is to report to the company owners, or to the board, what they are achieving with the money they spend on security. This means they also need a way to measure whether the cybersecurity investments work; we need reasonable key performance indicators. Finally, results don’t come from spending money alone, and good leaders know this. They need to make the people in their organisation care about security in order for processes and technology investments to pay off. Does the typical security awareness training help leaders get any of these jobs done? No, and that is why we need to do things differently.
The finance and accounting employee has other priorities than the leader. Because they often control payments in the organisation, they are frequently targeted by cyber criminals. The primary job the finance employee needs to get done when it comes to cybersecurity is to ensure that payments go to the right recipient. Many cyber criminals make money simply by sending invoices to companies, pretending to be from a well-known supplier. Other common attacks involve credit card fraud and breaking into a supplier’s invoicing system to change the account number. To succeed in only paying out money to the right recipients, the finance team needs to know the signs of common tactics used by criminals to commit fraud. They also need to know how to create procedures that make fraud more difficult, and what to do when they believe they have discovered an attempt at defrauding the company, whether successful or not. This may not be what people think of when we ask them “what do you need to know about cybersecurity?”, but by connecting practices to real challenges at work, we see that cybersecurity training can be well aligned with the job to be done.
A lot of what they need is already contained in social engineering awareness training, but without the right context it can be hard to connect the dots. When we focus on the job to be done, training turns into practices that help lower the risk of substantial losses.
The IT professional’s job to be done when it comes to security is balancing user experience and security. If people think the tools the IT department provides them with are difficult or frustrating to use, they will likely find other ways to get their jobs done, for example by using personal cloud accounts. This is very dangerous because the company then knows nothing about the security of these products, or even where the company’s digital assets are stored. A security program with very strict rules can create a system that is unusable in practice, causing much worse security than a somewhat more lax system with better usability. Obviously, IT professionals need much more technical and in-depth training on security than most other roles in the business, but one of the most important aspects is how to balance usability and security. We think a major step forward for IT pros is better training in how to understand business risks and human factors in the organisation.
The IT user is all of us. This is where the traditional awareness training comes in, and it can be very useful when done right. The IT user has a job to do, and the security aspect of this job to be done is usually ensuring that the employee can continue to do that job. This means that the systems supporting that mission must work. The IT user must then learn what to do to make it more difficult for hackers to succeed in attacking the company. This means that we all should contribute with habits that make phishing and social engineering harder, make sure our devices are up to date, and, perhaps even more importantly, know what to do if we think we have been compromised. Turning the training around from hypothetical risks to actions we all can take to make our organisations safer makes the training useful for achieving the primary mission we all have at work: getting our jobs done.
This is how we think about awareness training at Cybehave. Our unique competence is the combination of years of leadership and risk management experience with a deep understanding of human factors and cybersecurity. We are now shaping a better awareness program that we believe will make us all better at getting our jobs done, even when cyber crooks attack. To do this, we ask ourselves every day: “what do you need to know about cybersecurity in your role?”
An easy way to stay up to date with our work on better cybersecurity training is to follow us on LinkedIn – we hope you want to do that too!