The Sorry State of Cybersecurity Awareness Training

Rules aren't really rules if breaking them has no consequences.

In today's dangerous cyberworld, corporations often say that cybersecurity is now a top priority for them, especially after all the massive data breaches we've been hearing about on a day-to-day basis. But one has to wonder, if that's case, why are so few companies doing cybersecurity training properly?

Sadly, the most common and detrimental thing that many companies are doing wrong when it comes to training employees on cybersecurity is a big one: they aren't doing it all.

Regardless of industry or company size, I've seen way too many companies that aren't implementing any sort of cybersecurity training, not even at employee orientation. It's also important to note that the companies that do implement security training, but only conduct it at new-hire orientation and then never mention it again, are not much better. Many companies fall into this category.

While employees are getting some sense of what to look out for when they receive training, the threat landscape changes so quickly that the information becomes obsolete within weeks or months and, without regular reminders, it's out of employees' minds quickly. In other words, the information is no longer top of mind.

Finally, very few companies are having regular cybersecurity training programs and refresher courses. I recommend companies do training updates once a month throughout the entire year, and I only know of a handful of companies that are actually doing this.

The next step after implementing a regular cybersecurity training program is to put in place policies and procedures to enforce what's learned. Again, I'm seeing almost no companies doing this, so employees aren't being held accountable for skirting proper procedures that would normally protect their company from different cyberthreats.

Results in the Real World
The longest it has ever taken for me to hack into a company's system remotely through tactics such as phishing emails is minutes. Usually, I'm already in the system 10 minutes after the phishing email has been sent. When doing on-site tests, if we properly cased the company (which a good hacker will), we are in within an hour. This is a clear illustration of the need for better cybersecurity training.

For example, at one social engineering engagement I performed at a large oil and gas company, I was able to get into the organization and gain full run of the computer network in under an hour, and no one stopped or questioned me. While they did have an information security training program in place, no one was enforcing the practices being taught. Because I could penetrate their network so quickly, the CIO had to be in the exit interview with me, though that was not the initial plan.  

Another example is from a very large retailer. During the company's cybersecurity training process, I came in to do a social engineering test on the employees. The training should have been top of mind because the employees were currently going through it — the person who let me into the office even said that she was doing training at the moment and knew she was not supposed to let people in — but then she let me in anyway. I quickly gained access to the computer network once I was in the building, and there were no repercussions to the employees. This is a key example why there is much less likelihood that employees will be mindful of security practices that the company expects them to adhere to if there is no enforcement of the rules.

Simply put, there must be some sort of policy and enforcement in place for not adhering to security policies, such as a counseling session, but I see no companies doing this. Without enforcement, employees see the training as onerous. They simply ignore what they have learned, or don't take the training at all, claiming that they're too busy.

To be effective, companies need to stop treating cybersecurity training like a box to check off for compliance purposes and take it seriously. Once that happens, employees will take it seriously as well.

By Tom DeSot