
The employee who clicks on a spear-phishing link is the real danger

BY eSentire

June 15, 2016 | 6 MINS READ




Employees represent the most significant vulnerability within any organization when it comes to cybersecurity. We’re all too familiar with the ransomware headlines of 2015, which have reached a fever pitch in 2016.

In fact, the increasing ransomware threat has caused a disturbing trend: many organizations have started stockpiling bitcoins in case they are hit, expecting that they will inevitably have to pay a hacker’s ransom.

Whether we’re dealing with ransomware or other types of malware, the most common vector for infection within an organization is the unsuspecting employee who clicks on a malicious link. This provides us with a solid starting point to tackle the problem.

If you’re a numbers person, I’ll graciously quench your thirst with the following: when we looked at data compiled from hundreds of phishing campaigns that we’ve conducted across thousands of users, almost 19% either clicked a link or opened an attachment contained in a phishing attempt. If 19% doesn’t seem like an overwhelming number, consider that nearly one in five people in your organization are likely to open a phishing attachment, and that one person could cost your company $3.8M in damages, according to industry estimates.

So the logical solution to address the increasing rate of attacks targeting employees (and one that regulatory bodies like the SEC outline as a mandatory compliance requirement) is to arm employees with the right cyber-knowledge to help them avoid becoming a victim.

So let’s train our employees, right? Not so fast! eSentire has been providing clients with face-to-face security awareness training for years, which in the right circumstances is an effective option. But it isn’t always the right fit, and moreover, awareness training runs into a common set of problems when delivered to the modern worker via traditional online or Computer Based Training (CBT).

There’s also a significant mindset shift that needs to occur from both vendors offering Security Awareness Training (SAT) and businesses looking to address the “weakest link” because employee vulnerability has been approached from an old way of thinking.

Here are three reasons why we need a different approach to SAT for the modern employee in the context of the rapidly evolving threat landscape:

  1. Organizations aren’t looking at the big picture. Neither are SAT vendors.

    SAT vendors and organizations looking to arm employees with cybersecurity knowledge are looking at the problem from a compliance perspective rather than a protective viewpoint. Compliance is a good start, but an old one. Yes, it checks the boxes, makes the board happy, and even supports cyber insurance. But does it actually protect your business? This has been the viewpoint from which many SAT vendors sprouted (satisfying compliance as the primary market need to address) and the principal basis for most organizations’ pursuit of a SAT solution, particularly for those subject to regulatory or other compliance or due diligence requirements. We must recognize that compliance does not equal protection. Nor will it evolve the way we address employee weakness from a protection-first perspective.

  2. Addressing a changing and geographically diverse workforce isn’t easy

    Today’s organizations aren’t static; employees leave and new ones join continuously. And most organizations are geographically distributed, with branch offices and remote workers.
    If you’re an IT leader or in the CISO office, these pose some challenging dynamics to contend with when determining how to best prepare your employees. It’s a challenge that has been difficult to overcome for most organizations and, as a result, forces them to tackle it along the path of least resistance; generally, this means providing SAT in a way that addresses a very basic need: how can I reach every employee with cybersecurity training?
    There’s no disputing that traditional online or CBT training can reach a distributed workforce, because after all, it is accessed via the internet. What is concerning, though, is that reach is being used as the primary success measurement. Reach is a compliance-driven metric, and if we look at the problem from the protection viewpoint, we start to look far beyond reach as a measurement to higher-order ones such as knowledge improvement, confidence and behavior change.
    Traditional CBT and online SAT programs are simply not capable of supporting these new metrics because they’re designed to address one that was attached to an earlier problem: reaching all employees with cybersecurity training to “pass” some form of compliance audit or due diligence requirement.
    I can easily illustrate this point by shedding light on a far too typical occurrence when it comes to online learning at an organization: an employee completes the online training, never to return to it until it once again becomes a corporate priority 12 months later. We’ve all been there. We take a course only to forget everything we learned a few months later.
    Traditional online, “one-and-done” training boot camps simply fail to impact knowledge growth over time, because we forget what we learn if we aren’t continuously rinsing and repeating. We must evolve our metrics of success beyond reach to include improved and sustained employee cybersecurity knowledge over time.

  3. Employees are busy and each of them has a different learning style.

    Without question, this is the biggest challenge of the three, and serendipitously, the one that addresses the previous two by default if we can overcome it. Traditional training approaches, whether in the classroom or online, have been providing lukewarm results for years. According to a recent report by Aberdeen Group, 49% of organizations say their main employee learning challenge is ensuring that what is taught is actually understood and can be applied.
    This suggests we have to look at an approach that considers the various factors unique to training the modern worker: they’re busier than ever, juggling many different priorities, overwhelmed, and simply don’t have the time to dedicate to training. Let’s also remember that our own brain and the way we learn is as unique to us as our individual schedules. The one-size-fits-all approach to learning no longer works, especially when it comes to the modern worker and the high cybersecurity stakes at hand. We must look at the modern worker dynamics in conjunction with cognitive learning theory to help keep employees engaged, motivated and continuously building cybersecurity knowledge.
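Point 2 above argues that reach (did every employee get the training?) is a compliance metric, and that a protection-first program has to measure behavior change over time instead. The following is an added example of what that measurement looks like in practice when you run recurring phishing simulations; it is not eSentire’s code or tooling. The campaign records, user names and record layout are constructed for illustration, and the thresholds (two campaigns makes a “repeat clicker”) are assumptions.

```python
"""Phishing-simulation metrics: reach versus behavior change.

Added example, not eSentire code. Records are constructed and hypothetical:
(campaign, user, delivered, clicked, reported). Two quarterly simulations
sent to the same five hypothetical users.
"""
from collections import defaultdict

SAMPLE_RESULTS = [
    ("2016-01", "alice", True, True, False),
    ("2016-01", "bob", True, False, True),
    ("2016-01", "carol", True, True, False),
    ("2016-01", "dave", True, False, False),
    ("2016-01", "erin", False, False, False),  # lure never delivered (mailbox full)
    ("2016-04", "alice", True, True, False),
    ("2016-04", "bob", True, False, True),
    ("2016-04", "carol", True, False, True),   # clicked last time, reported this time
    ("2016-04", "dave", True, False, False),
    ("2016-04", "erin", True, False, False),
]


def campaign_metrics(results):
    """Per-campaign reach, click rate and report rate.

    reach       = delivered / targeted   (the compliance-style "did we reach everyone")
    click_rate  = clicked / delivered    (the behavior you want to see fall)
    report_rate = reported / delivered   (the behavior you want to see rise)
    """
    tallies = defaultdict(lambda: {"targeted": 0, "delivered": 0, "clicked": 0, "reported": 0})
    for campaign, _user, delivered, clicked, reported in results:
        t = tallies[campaign]
        t["targeted"] += 1
        if delivered:
            t["delivered"] += 1
            t["clicked"] += int(clicked)
            t["reported"] += int(reported)
    metrics = {}
    for campaign, t in sorted(tallies.items()):
        delivered = t["delivered"] or 1  # a campaign with zero deliveries gets 0.0 rates, not a crash
        metrics[campaign] = {
            "reach": t["delivered"] / t["targeted"],
            "click_rate": t["clicked"] / delivered,
            "report_rate": t["reported"] / delivered,
        }
    return metrics


def repeat_clickers(results, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns.

    A one-and-done course did not change these people's behavior; they are the
    natural targets for shorter, more frequent follow-up training.
    """
    clicks = defaultdict(set)
    for campaign, user, delivered, clicked, _reported in results:
        if delivered and clicked:
            clicks[user].add(campaign)
    return sorted(u for u, c in clicks.items() if len(c) >= min_campaigns)


def click_rate_trend(results):
    """Change in click rate from the earliest to the latest campaign.

    Negative delta is improvement. Returns None when there are no campaigns.
    """
    metrics = campaign_metrics(results)
    if not metrics:
        return None
    campaigns = sorted(metrics)
    first_rate = metrics[campaigns[0]]["click_rate"]
    last_rate = metrics[campaigns[-1]]["click_rate"]
    return {"first": campaigns[0], "last": campaigns[-1], "delta": last_rate - first_rate}


if __name__ == "__main__":
    for campaign, m in campaign_metrics(SAMPLE_RESULTS).items():
        print(campaign, {k: round(v, 2) for k, v in m.items()})
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
    print("trend:", click_rate_trend(SAMPLE_RESULTS))
```

On the constructed data, reach rises from 80% to 100% between the two campaigns, which is the only number a reach-driven program would report. The click rate falls from 50% to 20% and the report rate rises from 25% to 40%, which is the behavior change the text is asking for, and the repeat-clicker list shows who still needs attention. Real programs feed these numbers from the simulation platform’s export rather than an in-memory list, but the metrics are the same.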

The solution: merge proven brain science with cybersecurity curriculum

One of the most important advances in employee knowledge approaches is something called microlearning, a technique that will totally change the face of cybersecurity awareness training because it moves the needle beyond reach to focus on improving knowledge, sustaining it and enabling employees to apply it in the real world. Microlearning is a technique of delivering learning content in short, bite-sized bursts (from three to five minutes), several times per week, or even daily.

When microlearning is delivered in a consistent, ongoing way, you have the ability to drive continuous learning, build up knowledge over time, and produce real behavior change that’s capable of creating an embedded human layer of security protection across every part of the business. Microlearning addresses the problems associated with traditional SAT and is evolving the industry to think well beyond compliance. It’s being used at some of the world’s largest companies, like Toyota, Walmart and Toys R Us, to solve the numerous challenges of knowledge-building in a corporate setting.

eSentire’s new Training Day™ security awareness training solution leverages microlearning to meet the needs of the modern worker and to help organizations move beyond a pass in compliance to an A+ in overall security.


eSentire, Inc., the Authority in Managed Detection and Response (MDR), protects the critical data and applications of 2000+ organizations in 80+ countries, across 35 industries from known and unknown cyber threats by providing Exposure Management, Managed Detection and Response and Incident Response services designed to build an organization’s cyber resilience & prevent business disruption. Founded in 2001, eSentire protects the world’s most targeted organizations with 65% of its global base recognized as critical infrastructure, vital to economic health and stability. By combining open XDR platform technology, 24/7 threat hunting, and proven security operations leadership, eSentire's award-winning MDR services and team of experts help organizations anticipate, withstand and recover from cyberattacks. For more information, visit: www.esentire.com and follow @eSentire.
