
We Can’t Do Security Awareness Training Like This Anymore

Advice for training employees on cybersecurity at large enterprises

Steve Morgan, Editor-in-Chief

Sausalito, Calif. – Sep. 10, 2020

“Well intended users can wind up causing massive damage,” says Ashley Rose, CEO at Living Security, when asked about the recent Twitter Hack that targeted 130 user accounts, 45 of which were compromised, allowing intruders to initiate a password reset, log in, and send Tweets.

Some things never change.

Security awareness training is a decades-old practice, dating back to a time in the 1980s when PC users at government agencies and large corporations were being warned about viruses — such as The Morris Worm — which were infecting machines and rapidly spreading to others.

Thirty years later and much of our global workforce is still unprepared to detect and properly react to hostile cyber activity.

Rose’s new wave mantra is “security awareness training is broken,” and she won’t stop repeating it until there’s a sea change in the employee education space.

Last summer, the headline news surrounding Twitter was a “Hack on @Jack,” its CEO Jack Dorsey, who fell victim to a SIM swap attack. A year later the social media giant suffered a breach involving numerous high-profile business executives and celebrities.

A Twitter post named four steps the company is focused on in the aftermath of the breached accounts. The last but not least is “Rolling out additional company-wide training to guard against social engineering tactics to supplement the training employees receive during onboarding and ongoing phishing exercises throughout the year.”

Apparently whatever Twitter has been doing isn’t working. Maybe it’s broken. “Twitter employees have been focused on connecting the world, not securing it,” says Rose, who is quick to point out that Twitter is no different than scores of organizations globally.


Security Awareness Training is Broken

Training employees on security — one of our industry’s reactions to viruses, malware, data breaches and other types of cyberattacks that wreak havoc — has evolved over the years, but has it gotten any better? Or if Rose is right in her assertion, then the more important question is — what’s broken, and how do we fix it?

“Who remembers the last test they took in college?” asks Rose. “Nobody. But everyone remembers the first party they attended.” Lesson learned here, for security awareness training managers — if your employees are going to be cyber aware, then they need memorable security learning experiences. Otherwise they’ll forget everything and continue clicking on phishing emails that are plaguing your business.

You can explain to an employee what a SIM swap attack is, how it works, and the harm it can cause. Or, you can show them a video of Rob Ross, a victim, practically sobbing as he describes how a hacker stole a million dollars from his cryptocurrency account. The money, which was his entire life savings, a portion of which was earmarked for his daughter’s college education, will never be recovered. Ross, a former Apple engineer, is determined to help protect others by sharing his story.

When the employee is on the receiving end of a vishing call, what’s more likely to pop into their head — the SIM swap training, or an image of Ross?

Take spear phishing attacks as another example. What’s more effective — a presentation explaining how these highly targeted campaigns go after specific individuals, or listening to the who, what, where, when, and why of an attack that cost a former bank vice president more than a half-million dollars? Lynn Weidmer, a Long Island resident, fell victim to a wire fraud scam that claimed her life savings. Her real estate attorney and broker sent Weidmer emails, or so she thought. When she contacted the local authorities and the FBI, it was too late.

Next time the employee gets a phishy email, what will they think of — slideware they watched on when and why not to click, or Weidmer, who had previously been through corporate security training and yet was left nearly penniless after being hacked?

“It’s the experience that forms the connection in the brain and allows you to remember,” says Rose. That’s the premise of Living Security’s security awareness training platform. “We create compelling and memorable content that creates a security experience (for an employee).”

Be honest — is your security awareness training broken? No worries. Rose assures that what’s really broken is an organization’s mindset, and changing it is not a monumental task — even for the largest enterprises. You can take the first step by saying “We can’t do security awareness training like this anymore.”

To learn more about Rose’s outlook on security awareness training and culture, sign up for Living Security’s “Breaking Security Awareness” virtual conference. More than 1,000 people attended for sessions on threat intelligence, gamification, human targeting, and behavioral design.


Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.


Sponsored by Living Security
