Are your company’s cybersecurity trainings a waste of your time?
At many companies, employees are expected to take cybersecurity training to learn how to detect malicious emails and craft a secure password.
In some cases, the training can take hours. So is it worth it? Experts say that employees should have some form of training, but there’s room for improvement.
“I think cybersecurity trainings are absolutely essential. But I think they need to be modernized, and they need to be tailored to the organization,” said Chester Wisniewski, global field chief technology officer at security firm Sophos. “Right now, it’s a tick box for a lot of audits and for a lot of certifications, and for a lot of governments and rules, depending on the state and country that you live in.”
Because of that, Wisniewski thinks companies are doing the minimum.
“Staff members are watching comic characters for 15 minutes and taking a quiz about phishing at the end,” he said. Phishing is a practice where seemingly reputable emails, text messages or other forms of communication are sent to users in an effort to get them to reveal personal information or sensitive financial information.
One common scam Wisniewski sees is a type of money transfer that starts with an email from a fraudster claiming to be your boss, asking you to purchase gift cards so they can give them away at the next company meeting. The scammer then asks you to send them the gift card numbers.
“If you’re an executive assistant, it might seem plausible,” he said. “The boss asks you to do a lot of crazy things. But when it seems weird, the training should teach you to go to that person and confirm it.”
Why cybersecurity trainings fall short
Phishing is a huge part of cybersecurity training because it remains the top cybersecurity threat, said Joseph Nwankpa, director of cybersecurity initiatives at Miami University. And it’s become a bigger problem with more employees working from home since the pandemic started.
In an ongoing study, Nwankpa and other researchers found that effective training for identifying phishing attempts plateaus. They’re working with Miami University’s IT department, which is sending fake phishing emails to faculty and staff to see the rate at which they click on a suspicious link.
“After three training workshops, employees tend to develop cybersecurity training fatigue,” Nwankpa said. “In our experience, we did not see significant improvement with repeat offenders [who click on phishing attempts], even when they were directed to online phishing training.”
The training wasn’t enough to change behaviors, said Nwankpa, who’s also an associate professor of information systems and analytics at the university.
Nwankpa and Wisniewski said phishing emails have become more convincing because of the rise of generative artificial intelligence, like ChatGPT.
Grammatical errors and spelling mistakes have been the hallmark of bad actors, and employees are taught to look for them. But AI tools can generate emails without those gaffes, Wisniewski explained.
Another outdated practice: Teaching users to look for the company name in a link’s URL before clicking it.
“The problem is the real things we use don’t have predictable links in them anymore,” Wisniewski said.
Cybersecurity threats are always evolving, Nwankpa noted, which can make it difficult to craft the right type of training.
“It becomes so challenging to have training programs that are targeted to imagined threats or threats that we haven’t even seen,” Nwankpa said.
The cost of training
On average, companies spend between $20 to $25 per employee on cybersecurity training, Nwankpa said.
But the more sophisticated the training, the higher the price tag.
Wisniewski said there are companies out there that are taking the right steps to ensure cybersecurity. They’re hiring experts who will spend a couple of days with the company to understand the unique risks it faces, and then lead multiple, personalized training sessions.
That type of instruction can cost a total of $10,000 to $20,000, Wisniewski said. Yes, it’s pricey, but Wisniewski said it’ll be 100 times more effective than a generic course.
“There’s a whole industry of consultants and people that provide these services at a very high quality,” he said.
Use your “Spidey sense” to protect sensitive data
To protect yourself, Wisniewski said you should honor your “Spidey sense” and reach out to the technical professionals at your organization if something doesn’t seem right. He said if you’re handling other people’s personal information at your company, you should also learn what information needs protecting.
“Obviously, we all understand that Social Security numbers are sensitive and birthdates are sensitive. But there’s a lot of information that a lot of people don’t know that they may handle in their day-to-day work that in the wrong hands can be sensitive,” he said.
There’s a lot of emphasis in workplace cybersecurity training on creating secure passwords, which should be taught, Wisniewski said. But he’d rather teach his staff how to use password managers. These platforms help you create a secure password for online accounts and then store that information for you so that you don’t have to remember it.
“Right now, I fear that our training is focused on things that were valid 15 years ago, and a bunch of companies popped up and made some things to do some automated training on the cheap to let people tick the box that they’ve done some training for their staff,” he said. “They’re not teaching them modern things that will work. … I can’t spot the phishing link, and I’ve been working in anti-spam and fraud for over 25 years.”
There is one method companies can also use to prevent cyberattacks without shelling out a lot of money: telling people about your experience.
“Within Sophos, one of the things we do that I find very effective that doesn’t cost anything is sharing stories about attacks against our own organization,” he said. “People love listening to stories more than they want to watch the computer-based training.”