Cyber: How to Fix the Human Factor

Cyber attacks aren’t changing every five years — it’s more like every five months. Firms can’t afford to fall behind on security training.

More than ever, chief security officers are being held accountable for keeping their businesses safe. Phishing attacks, data breaches, ransomware and the ever-increasing access by employees to technology and data are driving this accountability. But there’s only so much that technology solutions can do to protect against threats. What else should organizations do? It turns out that most breaches are the result of an employee mistake, so looking to their staff as their first line of protection is a critical success factor today.

Security awareness training is now recognized as one of the critical components of a robust security architecture. But are employees getting the security awareness training they need and deserve? Unfortunately not. Too many organizations still choose to provide no security awareness training at all, or simply provide an annual PowerPoint-based training program, or training that is dry and difficult to understand.

Employees often think they’re prepared or think, “That’ll never happen to me” — until it does. Then the employee often is too ashamed to go to a boss or IT department after an incident occurs.

Traditional training doesn’t work

The information and best practices the employee received from training were never understood, didn’t seem relevant or just didn’t come back to him. What happened?

Cyber attacks aren’t changing every five years — it’s more like every five months. Organizations can’t afford to fall behind on security training. Employees must be armed with the knowledge and skills to protect themselves and their organizations. Traditional, outdated training does little to prepare workers for the deluge of cyber attacks they face or the risks they create for themselves.

There are ways to make a change in the workplace. Instead of training employees as passive observers, make training interactive and teach actionable, real-world skills.

Recognize that hacks happen

Instead of instilling a mindset that an incident must never happen, give employees the confidence to speak up, even if they make a mistake. Instead of focusing solely on security, focus on learning, too. Make training brief, fun and sticky so that it is always top-of-mind when needed. Instead of focusing on a single type of risk, prepare employees for the range of security threats they’ll face, whether from an external cyber attack or from their own use of technology or access to data.

Hacks can happen even if the staff practices security procedures. Look at the victims of the Twitter Counter breach. No actual Twitter accounts were hacked, but a third-party application was, and the hackers left unnerving tweets on organizations’ accounts. Employees should be prepared for events like this. Practicing real-world scenarios can help prepare for the worst-case events.

Training needs to keep up with the technology that employees are using and the risks they face. It’s time to stop using outdated training techniques and for organizations to invest in their employees and assets by providing security training that will make a difference and change the behavior of their staff. They can’t afford not to.

This article originally appeared on ThirdCertainty. It was written by Marie White.

Byron Acohido

Byron Acohido is a business journalist who has been writing about cybersecurity and privacy since 2004, and currently blogs at