The conversation around security awareness training is often focused on time: how often should you conduct training? How long should training take? When is the right time to increase awareness? What’s the best way to keep employees engaged? It’s a balance between ensuring that any information provided remains relevant (which is difficult in a security landscape that is constantly changing) and retained.
When a woman who I’ll call Ria Moodley joined a global advertising agency in 2018, one of her first tasks when onboarding was security awareness training. The programme consisted of a few screens with dated illustrations that she needed to click through with multiple choice questions at the end. “I remember one of the questions was about finding a USB stick lying around the office. Would it be okay to plug it into your computer without knowing who it belongs to?” Checking a few boxes, Moodley received a certificate to acknowledge that her training was complete and that’s where her learning ending.
Five years passed and while the advertising agency has grown substantially, the training programme is the same. And it’s not to say that people aren’t still using flash drives, but, rather, that the security industry has evolved over the past decade. Cybercriminals are upping their game, sometimes with the help of AI, and phishing continues to be one of the most effective ways to obtain unauthorised access into organisations. According to a global study by Positive Technologies, in 2023, 43% of all successful attacks used social engineering, with 79% of these attacks carried out through email, SMSes, social networks and messaging apps.
Social engineering scams
Complex social engineering threats like multi-factor authentication (MFA) fatigue attacks – also known as MFA bombing – have seen high-profile technology giants fall victim, with Microsoft reporting over 382 000 attacks over a 12-month period. MFA bombing is a type of attack that is designed to cause workplace stress, and it usually begins with a phishing email. Once a link is clicked, the user will be subjected to a nonstop bombardment of verification messages that require a simple “yes” or “allow” answer. If this happens to an employee who is already overwhelmed or under pressure, a fraudulent MFA request may not be so easy to spot.
Security awareness training isn’t just a way to improve the security of any organisation – it should be a critical component of a business’ overall security strategy. But how a business goes about security awareness training requires careful consideration. Nemanja Krstić, Galix’ operations manager for managed security services, says that addressing cybersecurity threats requires more than just checking a box with routine security awareness training. “While many companies believe implementing a cybersecurity platform and scheduling employee training is sufficient, the effectiveness of these efforts is crucial,” he says. “From an insurance standpoint, the premium rates for cyber insurance are not solely based on the mere existence of awareness training, but on its practical impact.”
Security’s Bermuda Triangle
While the human factor is central to strengthening an organisation’s cybersecurity posture, Krstić explains that it is essential to provide employees with relevant content that fosters understanding and a sense of purpose. Comprehensive training programmes need to incorporate the latest trends and techniques in order to stay relevant. There’s also the fact that learning comes in different forms and the most effective delivery method for security awareness training depends on an individual’s learning style and preferences.
“Cybersecurity is all about practice – doing something with your hands,” says Vladimir Dashchenko, a security evangelist at Kaspersky. “This is how people consume and remember information.” He believes a lot of training courses that companies buy today are not only expensive, but also boring. “Gamification, from my point of view, is the only way people can process a large amount of information in a short period of time,” he adds. What’s interesting is that a lot of security challenges come from senior management roles. While business leaders focus on sales, dealing with cybersecurity issues is usually the responsibility of IT and IT security staff. A report from Vanson Bourne titled “Trouble at the Top: Why the C-Suite is the weakest link when it comes to cybersecurity” uncovered that 76% of CEOs bypass security protocols to get something done faster, often sacrificing security for speed.
When different leaders in an organisation have different priorities, it can result in a decision-making “security Bermuda Triangle”. One of the ways Kaspersky is addressing cybersecurity’s people problem is with KIPS, or the Kaspersky Interactive Protection Simulation. With KIPS, participants are placed in a simulated business environment as members of the IT security team, where they’re faced with a series of cyber threats while having to keep the company running smoothly and earning revenue. They must build a cyber-defence strategy by choosing from the best proactive and reactive controls available to them. Every choice they make changes the way the scenario plays out and, ultimately, affects how much revenue the company does – or doesn’t – make. “It’s an extended version of Monopoly, a tabletop game. Each scenario can be played out in three to four hours and it’s your responsibility to run the business,” explains Dashchenko.
Why KIPS works is because it shows the role cybersecurity plays in business continuity and profitability as well as why it takes both business and security teams to come together to maintain stability in the face of cyber threats. “After playing this game, you see how people start thinking in a different way about how to invest money, how to properly use resources, protect infrastructure, make fast decisions,” says Dashchenko. KIPS has been translated into 15 languages and is being used by a number of government agencies (like CyberSecurity Malaysia, the Czech Republic’s NSA and Cyber Security Centrum in The Netherlands) and the head of computer security at CERN, Dr Stefan Lüders.
PLAYING THE GAME
There’s no question that the way to prevent hacks and data breaches is through continuous training and awareness programmes. While traditional learning options like PowerPoint presentations may not keep employees engaged, there are a number of online games worth checking out:
The Cyber Challenge
An online initiative created by the US Department of Defense, The Cyber Challenge consist of five mini games – protect, defend, analyse, strike and the “ultimate challenge” – that put security skills to the test. In the first game, you’re tasked with setting up a security operations centre at a military facility. The end goal is to provide real-time monitoring, threat detection, incident response and forensic analysis capabilities to successfully mitigate threats in a timely manner.
Cybersecurity Lab
www.pbs.org/wgbh/nova/labs/lab/cyber/
In this online game, you’ll defend a company that is the target of increasingly sophisticated cyber-attacks. Your task is to strengthen your cyber defences and thwart the attackers by completing a series of cybersecurity challenges. Cybersecurity Lab’s training feels very relevant (from creating an avatar to naming a company) as you crack passwords, craft code and defeat malicious hackers.
Deep Space Danger
www.infosecinstitute.com/iq/cybersecurity-games
Created by Infosec, Deep Space Danger is a choose-your-own-adventure style game that teaches the basics of social engineering through video. What makes Deep Space Danger exciting is its animation style and well-crafted dialogue – it looks like it belongs on Netflix, but manages to teach security awareness at the same time.
Guardey
Guardey’s user-friendly security awareness game teaches employees to recognise and neutralise cyber threats. Guardey’s training is made up of weekly challenges, created by ethical hackers and education experts, that can be completed in a few minutes. While Guardey isn’t a free-to-play online game, it does offer a 14-day free trial.
Share
* Article first published on brainstorm.itweb.co.za