Three ways the IT industry can improve cyber security training.
Cyber crime has doubled in the UK over the last five years. It has cost businesses £87 billion since 2015, with 25% of businesses having been targeted by cyber crime in 2019. These startling figures paint a worrying picture, and whilst large companies are still those most likely to be affected, small businesses with 11 to 50 employees saw the steepest increase in targeting, rising from 28% in 2015 to 62% in 2019.
This leaves the IT sector with a big task on its hands. Whilst 45% of businesses took measures to fight malware in 2019, compared to only 26% five years earlier, the message isn’t working: cyber crime is increasing and becoming more profitable for criminals. Over the same five years, employees have remained responsible for a third of all breaches, the single largest cause, and that figure has dropped by just 1% since 2015. This is concerning.
It would appear that warnings about cyber crime are falling on deaf ears, and in some instances it’s easy to see why. Everyone ‘knows’ that passwords must be secure, that updates must be installed and that suspicious emails must be deleted (or, better still, reported), but evidently the actions aren’t following that supposed knowledge.
This means that the IT industry must act. Education and training are widely considered two of the best means of combating cyber crime, especially given that end-users are one of the biggest weaknesses. However, this education is clearly, for the most part, not getting through in a tangible way. The numbers continue to rise, and whilst there are other factors at play, the increasing reliance upon technology in the workplace for one, we cannot as an industry claim to be doing all we can while these numbers continue to escalate.
We believe that the best way to combat this is certainly the educational route. However, improvements must be made to the way in which it is delivered. Employees are increasingly busy and live stressful, high-pressured lives. Cyber crime, on the surface at least, doesn’t appear to affect their day-to-day, so there’s minimal incentive to focus upon it. As things stand, cyber security runs the risk of going the way of mandatory health and safety training: a tick-box exercise that, once completed annually, is quickly forgotten.
So with this in mind, and as a business in the IT industry, what do we think can be done to improve cyber security training and education on the subject? There are three key improvements that we think would make a real difference.
- Making training more creative, imaginative and enjoyable, but also relatable.
- Eradicating a blame culture towards those users that fall foul of cyber crime.
- Promoting improvements in personal behaviour that can be reflected in the workplace.
Making training more creative, imaginative and enjoyable but also relatable.
This improvement is almost a given, but it has to happen quickly. As mentioned previously, we have seen what overly formalised, unimaginative and frankly dull training methods have done for health and safety. Health and safety is no doubt a hugely important aspect of everyone’s working life, and yet every year plenty of accidents still occur in situations that have been covered in depth during training sessions. The reason is that health and safety training has, in some instances, become a means of meeting requirements rather than of meeting its original aim: reducing injuries at work.
Cyber security cannot afford to go the same way. The wrong click of a mouse button could feasibly close the doors of a business, costing jobs and livelihoods. The WannaCry attack of May 2017 hit the NHS and led to around 19,000 appointments being cancelled, with consequences for patients that are hard to quantify. (It is worth remembering that WannaCry spread by exploiting unpatched Windows machines rather than through a single bad click, which is why the ‘install updates’ part of the message matters as much as the ‘don’t click’ part.) Training therefore needs to be engaging and more than just a slide show or a presentation. If workers enjoy their cyber security training and can see where it relates directly to their day-to-day, there’s a higher chance they’ll take that knowledge back into the workplace.
One example of this is the series of workshops run by the South West Regional Cyber Crime Unit, who kindly ran one for us last year. These workshops use Lego and what is essentially a role-playing game, in which the participants (non-technical decision-makers) manage the cyber security of a water processing plant. When we spoke to those who attended, some time after the event itself, they not only said they’d enjoyed their morning but had practical advice they had since applied in the workplace. Some of that applied knowledge would no doubt have been existing knowledge, just repackaged in a fun and engaging way, in the shape of many different Lego blocks!
Eradicating a blame culture towards those users that fall foul of cyber crime.
When a mistake is made that could have huge ramifications for a business, a natural reaction is often anger. However, the urge to punish incorrect behaviour is actually counterproductive when it comes to fighting cyber crime. Whilst we would never advocate against punishing malicious behaviour, it is important for businesses to accept the difference between a deliberate act and an honest mistake. Unfortunately, mistakes do happen.
When they do, it’s important that we don’t seek to blame the individuals involved, as doing so will only make them (and others around them) more reluctant to come forward in future, should something similar happen. When a mistake has been made, you want to know precisely what happened as soon as possible after the event, because the gap between the mistake and the report is exactly the time an attacker uses to move further into the network. Blame culture widens that gap. If an employee is worried or even scared about the ramifications of a mistake, they could delay telling you or leave out critical details. In the worst case, they might not tell you at all!
Instead, we should be encouraging users to be as open and honest about their behaviour as possible, and when genuine mistakes are made, we should be giving them the confidence to come forward and pass the relevant information to those who need it. Cyber attacks are designed to fool their recipients, so let’s not forget that those who fall foul of cyber crime are victims of a malicious act, not complicit in it. By engaging positively with these individuals and teaching them about the specifics of their situation, whilst encouraging an open and transparent culture around cyber crime, you will minimise the likelihood of the same threat succeeding in future.
Promoting improvements in personal behaviour that can be reflected in the workplace.
By and large, cyber crime is seen predominantly as a business problem, when in fact it’s a societal one. Employees are still responsible for a third of all breaches because of the inherent weaknesses of users. Unlike machines and software, they have emotions; they get stressed and tired, feel unwell and forget things when under pressure. In other words, there is context to the way in which users operate.
Unfortunately, as we adopt IT into our lives outside the workplace, we bring many bad habits with us into the office, and when things are difficult we fall back on those habits rather than on best practice. For example, because we’ve used the same password for every high street brand when buying clothes online, we think nothing of using the same password for the new piece of accounting software the company has just purchased. After all, by using the same password, we won’t forget it, right? The problem is that a breach at any one of those retailers hands an attacker a password to try against the accounting system too, and the more we use technology badly outside the office, the more comfortable we are with those bad practices when we’re back in the workplace.
This means we need to start approaching cyber crime on a personal level and encouraging better behaviour at home and in our personal lives. People might not worry if their employer loses £1,000 to a phishing scam, especially if it is a large business or has cyber insurance. However, they’d almost certainly react differently if they personally lost £1,000. As an industry, if we can get people to consider how their behaviour might affect their personal lives, and build good practice from there, then we can expect individuals to carry that positive behaviour back into their working lives.