Most Security Awareness Training is Insufficient and Should Lead to Consequences
Maybe company executives who don’t engage in real world security awareness training should suffer the consequences for their insufficiency.
An excellent Help Net Security article titled “What CISOs need to keep CEOs (and themselves) out of jail” discusses many of the fundamentals of cyber security, what security leaders should be doing but aren’t doing, and so on. The article makes no mention of “security awareness training,” but it does explicitly state, “The overwhelming majority of major breaches and attacks involved human error.” That error, of course, could often be averted with security awareness training that enhances digital literacy.
This author and his team have reached out to thousands of CIOs/CISOs for city and town municipalities whose sole responsibility is to maintain the city’s IT infrastructure and security. And often, when approached to assist with security awareness training that actually changes behavior, the response is generally “We use a third-party company that provides phishing simulation training, we’re all set.” Frankly, that response sucks. What it says is that the CIO/CISO is providing the absolute bare minimum of training that satisfies whatever legal compliance is required.
Interestingly, many of these municipalities use Proofpoint, who do a fine job, but it’s not enough. Speaking of Proofpoint, a The Hacker News article titled “Proofpoint Email Routing Flaw Exploited to Send Millions of Spoofed Phishing Emails” states: “The cybersecurity company has given the campaign the name Echo Spoofing. The activity is believed to have commenced in January 2024, with the threat actor exploiting the loophole (at Proofpoint) to send as many as three million emails per day on average, a number that hit a peak of 14 million in early June as Proofpoint began to enact countermeasures.” OUCH.
Anyway, back to “but it’s not enough.” Phishing simulation training does one job: it is designed to change behavior with regard to preventing phishing. And while that may lead to compliance, it doesn’t actually solve various real-world security problems, nor does it significantly enhance digital literacy or fundamentally change people’s behavior regarding what security is and, more importantly, what security isn’t. Most people have a false notion of what security is; they think it revolves around paranoia, fear, worry, etc., and it doesn’t.
If compliance is all you, the CEO/CIO/CISO, are going to do, maybe you SHOULD go to jail. Recent headlines such as “Boeing accepts a plea deal to avoid a criminal trial over 737 Max crashes, Justice Department says” point to everything Boeing DIDN’T DO to ensure safety. Really, what’s the difference between what Boeing didn’t do regarding compliance and providing the bare minimum of network security or compliance-type security awareness training?
Data breaches, ransomware, and network vulnerabilities are becoming life-and-death scenarios. What happens when a hospital is hacked? What happens if traffic systems are hacked? What happens if GPS for airlines is hacked? What happens if the grid goes down for a significant period of time? The Justice Department/Boeing deal requires Boeing to invest at least $455 million in its compliance and safety programs. The Justice Department is saying your basic compliance isn’t enough, and it cost people’s lives.
Hell, Ars Technica reports that a North Korean hacker got hired by US security vendor KnowBe4, which provides security awareness training in the form of phishing simulation training; the hacker immediately loaded malware onto the company’s network. Employees seemed to be fooled by a stolen ID. The hypocrisy is endless. KnowBe4 is one of the best in the world at what they do. But still, “The overwhelming majority of major breaches and attacks involved human error,” even inside top security awareness training firms. Humans are hackable because we trust by default. And none of these companies are providing the necessary real-world security awareness training that fundamentally changes people’s behavior.
Here’s the deal, and I’ve written about this before, and this is what I present in all of my trainings, and none of this is presented by any of the security awareness training firms: security goes against our core beliefs. Security is not natural, it’s not normal, it means that we don’t trust others. However, we trust by default. Not trusting others is actually a learned behavior. Security means that you are aware that there are others out there who may choose you as their target. That’s not normal. It’s not natural. No one wants to think they are a target.
What’s normal is that we live happily ever after, we live together as one species in harmony. We trust each other, we are good to each other, we treat others as we want to be treated. We don’t hit, hurt, harm or take from one another. We are civilized creatures.
However, there is a small percentage of predators, uncivilized beings we call sociopaths, psychopaths, and hard-core narcissists. They are the criminal hackers, the serial killers, the rapists. They are a minority, and we choose to think they don’t exist. Or at least we deny they would choose us. We resist security practices because they go against what it means to be a civilized being.
The complexity of cybersecurity topics can overwhelm employees and consumers, making them feel incapable of understanding or implementing the necessary precautions. I blame pretty much every cyber security awareness training company out there. It’s not all about phishing simulation training. None of these companies have a clue when it comes to teaching individuals about risk. It’s not “do this, don’t do that”; they have forgotten what it means to be human.
1. Denial. Some people may deny the importance of cybersecurity or believe that they won’t be targeted by cyber threats, leading them to dismiss training efforts. Denial is more natural and more normal than recognizing risk. Denial is comfortable, it’s soothing, and it allows us to avoid the anxiety of “it really can happen to me.”
2. Fear of technology. Individuals who are not confident in their technological abilities may feel intimidated by cybersecurity training, leading them to avoid it altogether. This, of course, makes total sense. How many times have you gone in a vicious circle, a constant loop of not being able to log into an account because two-factor authentication isn’t working or something else is out of whack? Technology can be frustrating. If security is not easy, people aren’t going to do it.
3. Lack of awareness. Some consumers may simply not be aware of the risks posed by cyber threats, leading them to underestimate the importance of cybersecurity training. This is a real problem. This lack of attention to what your options are regarding anything security-related is common. Part of that lack of awareness stems from disbelief that these things can happen to us, denial that we can be targeted, and a relatively “pacifist” attitude.
Addressing these barriers requires organizations to tailor their cybersecurity awareness training programs to be engaging, relevant, and accessible to all employees and consumers. This can involve using clear language, providing real-life examples, and offering support for individuals who may struggle with technology or cybersecurity concepts. It also means getting “real.” And cyber security awareness training companies aren’t going to do that, nor are their two-dimensional employees, and most of them don’t have the ability to get down and dirty and speak “holistically” about life and security in the same sentence.
And if the CIO, CEO, or CISO, or in my case the mayor or town administrator who oversees the budget of their CIO or CISO, doesn’t think this kind of security awareness training is necessary, maybe they should go to jail too.
ROBERT SICILIANO CSP is a #1 Best Selling Amazon author and the architect of the CSI Protection certification, a Cyber Social and Identity and Personal Protection security awareness training program.