It’s an age-old saying: if you think training is expensive, try ignorance. A phrase I personally think is a little harsh, but nonetheless true.
Here’s an example: it’s possible to learn the theory behind riding a bicycle from reading books, watching videos and talking to someone who knows how to do it. Let’s say this was your chosen way to learn to ride a bike, and you even take a theory test to demonstrate your knowledge. What do you think will happen the first time you jump on the bike to ride it? Unless you are a natural, it’s highly likely you will crash and fall off. There is a distinct possibility you could hurt yourself, possibly quite badly, as well as damage the bike.
So, what has this got to do with cyber security, I hear you ask? In much the same way that you wouldn’t ride a bike, drive a car or fly an aeroplane after reading a book, it stands to reason that training, and appropriate training at that, with the relevant amount of practice, really is a very good idea. This does raise an important question: why don’t all organisations give their staff appropriate Cyber Awareness training? I say ‘appropriate’ because it’s the key word here. In the same way that learning the theory of riding a bike without ever riding one just won’t cut it, many of the ‘online’ courses that provide staff awareness training don’t offer much in the way of security value.
The benefit of user training
All of the best security technology can be circumvented by a user with permission. To get around the technology, all an attacker has to do is persuade a legitimate user to do something on their behalf. This is the essence of social engineering and phishing, and it is a very successful attack vector: according to Cofense, 91% of all cyber-attacks start with social engineering of some type.
How does user training help? In much the same way that teaching someone to ride a bike, with safety gear, in a managed environment helps them gain the skills and confidence needed to tackle a downhill run. Appropriate, interactive user training with a knowledgeable trainer can provide more security value in half a day than all the email anti-spam your budget will allow.
A cautionary tale
A new organisation recently came to us during a ransomware outbreak and asked us to help resolve it for them. This was a fairly ‘typical’ attack, in that ransomware had infected a PC and then set about encrypting every file that PC had access to. Luckily, the customer had good backups in place, stored offline, so we were able to restore the data. However, to prevent further spread of the ransomware, we had to quarantine the primary file servers on the network. The result was that the organisation in question was effectively shut down for 4 days whilst we carried out the data restore and clean-up work.
We tracked the source of the ransomware to a user who had been enticed by a nice-looking email claiming they had won an Amazon voucher, and who duly downloaded the ‘claim form’. Of course, this was a file carrying a malicious payload, hosted on a compromised website. Because the email carried a link rather than the file itself, the email anti-virus had no attachment to scan and didn’t pick it up.
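To make the point in that story concrete, here is a small added example (not Optimising IT’s code, and not a tool used in the incident): it parses two constructed phishing emails, one with the payload attached directly and one, like the lure above, carrying only a link to it, and reports what an attachment scanner has to work with in each case. The sender, the domains and the stub attachment are all invented for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample 1: the lure from the story. The body carries only a link
# to a file on a hypothetical compromised site, so there is no attachment for
# an email anti-virus scanner to inspect. All domains are invented.
LINK_LURE_EML = """\
From: "Amazon Rewards" <rewards@example-prizes.test>
To: user@example.test
Subject: You have won an Amazon voucher!
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Congratulations! Claim your voucher before it expires.</p>
<p><a href="http://claims.example-compromised.test/voucher/claim-form.exe">
Download your claim form</a></p>
</body></html>
"""

# Constructed sample 2: the same lure with the payload attached directly, which
# is the case an attachment scanner is built to catch. The base64 is only the
# first few bytes of a PE header, not a real executable.
ATTACHED_LURE_EML = """\
From: "Amazon Rewards" <rewards@example-prizes.test>
To: user@example.test
Subject: Your Amazon voucher claim form
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your claim form is attached.
--b1
Content-Type: application/octet-stream; name="claim-form.exe"
Content-Disposition: attachment; filename="claim-form.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Extensions a mail gateway would normally block as attachments; when they
# appear at the end of a link instead, they deserve the same attention.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".zip")


def parse_message(raw: str):
    """Parse raw RFC 5322 text into an EmailMessage (modern API via policy.default)."""
    return email.message_from_string(raw, policy=policy.default)


def attachment_names(msg) -> list:
    """File names of real attachments, i.e. what an attachment scanner sees."""
    return [p.get_filename() for p in msg.iter_attachments()]


def body_urls(msg) -> list:
    """All http(s) URLs found in the text/plain and text/html parts."""
    urls = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    return sorted(urls)


def risky_links(urls) -> list:
    """Links whose path ends in an extension that would be blocked as an attachment."""
    return [u for u in urls if urlparse(u).path.lower().endswith(RISKY_EXTENSIONS)]


def triage(raw: str) -> dict:
    """Summarise what attachment scanning sees versus what only link analysis sees."""
    msg = parse_message(raw)
    urls = body_urls(msg)
    return {
        "attachments": attachment_names(msg),
        "urls": urls,
        "risky_links": risky_links(urls),
    }


if __name__ == "__main__":
    for label, raw in (("link lure", LINK_LURE_EML), ("attached lure", ATTACHED_LURE_EML)):
        print(label, triage(raw))
```

Run it and the attached lure reports one attachment, `claim-form.exe`, which is exactly what gateway scanning is for. The link lure reports no attachments at all and one risky link: the file never passes through the mail gateway, so it has to be caught by URL analysis, link rewriting, endpoint controls, or a user who pauses before clicking, which is where training earns its keep.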
What makes good user training?
As humans, we don’t really learn until we ‘do’. Simply listening to someone talk or reading some slides won’t cut it. Whilst the theory is good, and undoubtedly useful as background, we learn best from context and real-world examples. For me, good training should have the following:
- Why are we doing this? And why is it relevant to me?
- Background and context
- Real world examples
- A case study and exercises to work through
- Lots of interaction
- Tailored content relevant to the audience
- An engaging and knowledgeable trainer
- Good refreshments in a quality and relaxing environment
A reasonable question to ask yourself is: how much would it cost your organisation to be without IT for 4 days? Our advice is to be proactive, and don’t hold off educating your staff.
Prevention is better than cure. Find out more about our Cyber Awareness Training for Employees and Cyber Training for Business Leaders. Email us at [email protected] or call 0330 403 0011 to discuss your training needs.
Author: Todd Gifford, Certified Information Systems Security Professional (CISSP), Head of Consultancy at Optimising IT.