By: Rebecca L. Rakoski, Esquire
Patrick D. Isbill, Esquire
Employees are an organization’s most valued asset. The engine of any business is only as successful as the mechanism driving it forward. The degree to which it maintains a highly-skilled, as well as highly trained, workforce often defines this unique mechanism and dictates to a large extent its direction for fulfilling its potential goals for growth. But cursory concerns over data breaches and a lack of attention to cybersecurity initiatives stemming from an underestimation of the corporate threat landscape can be both costly and broadly consequential. So it is no surprise then that both the White House and Congressional lawmakers last June called on the private sector to “step up” their efforts to address corporate cybersecurity by examining any long-held resistance or hesitation toward shoring up defensive security and privacy programs.
Stepping Toward Employee Training
But before any organization can “step up,” it should first “step toward” a mindset that embraces strategic cyber awareness employee training, incorporating actual scientific principles of psychology and behavior to engineer a higher success rate of fending off a cyber attack. Typical defensive game plans in cyber often conflate what is really a people issue with a technical one. A company’s most valued asset (its employees) can turn into its biggest legal liability (costs/enforcement) by ignoring the fundamental advantages of implementing scientifically targeted cyber awareness training. Using employee training specific to statistically patterned behavior points can have the effect of significantly reducing the probability of compromised systems from a cyber breach, or in some cases contain the point of entry to a fixed but defined area to mitigate overall damage.
Probabilities favor error over accuracy. Experts generally agree that cybercriminals only need one employee to make a mistake. This can take several forms, including clicking on a bad link in a phishing email, transferring money to a fraudulent account, or inadvertently downloading a virus from the internet. Given this mindset and tactic, employees are therefore by definition the corporate front line in the cyberwar against hackers. For some time now, cybersecurity experts have known that true data security is neither a broad-gauge problem nor a purely technological one, but one that is layered and interdependent on the strengths of the defenses around it. This is why most regulations and standards require a measured degree of training and where the starting point of implementing a strong security program really begins.
Examples of Training Techniques
As things currently stand, cybersecurity training is usually accomplished by rote procedures that are oftentimes antiseptically rolled out and ordinarily outlined by mechanisms many agree are uninspiring. Even more disconcerting, companies frequently cannot determine whether the training is even working. Many organizations will even go on to reflexively add a pro forma test at the end of the cybersecurity training, which regrettably does not usually indicate whether the employee learned anything or more importantly whether it will prevent the employee from clicking on a real phishing email.
Another training technique organizations tend to gravitate toward is the use of phishing campaigns to “test” the preparedness of their workforce. Again, this type of test is also limited in its scope and ability to work toward an effective solution. Such a “test” has decent commercial appeal but gives the organization only a partial picture and a hazy one in any case. Phishing campaigns show “what” action an employee took by definitively clicking an applied link but fail to answer the demonstrative question of “why” the employee clicked. The precision of the answer to this “why” question might be used by an organization to build or fortify existing policies and/or procedures that could potentially stave off such an action company-wide next time when it counts for real. Accordingly, organizations should keep in mind that click rates are solid starter tools but clearly not the whole work bench by most accounts.
Both of these cited examples, i.e., rote cyber training and phishing campaigns, leave a lot of uncertainty in the air for any organization looking to diligently shore up its security and privacy programs. All the while, costs skyrocket for defensive cyber protection the C-Suite cannot really illustrate or explain. So the best step to take for emerging from this cloud is usually the first one. Organizations need to first understand the “why” in order to increase the odds of preventing a cyber attack from penetrating these well-intentioned cyber defenses.
To solve this urgent problem centered at the core of the corporate infrastructure, organizations need to address two critical areas: (i) employees need to be trained on “how” to recognize risks and “how” to respond appropriately thereafter, and (ii) employers need to teach employees “how” to achieve situational risk awareness and keep it at the forefront. In the current security awareness environment, training programs fail for the most part because they sacrifice the human component by relying heavily on automated boilerplate video training that often fails to engage the employees in the actual training. As a result, employees see this type of training as something they have to do, or a box they have to check for their employer, rather than something tailored and applied to their individualized department.
In fact, most of us agree no two departments are alike. The needs specific to situational risk awareness for research and development may be altogether different than those for human resources. Furthermore, it cannot be overstated that each company must identify the location of its golden eggs, i.e., high-ticket assets that act as the lifeblood of the organization and must never be compromised. Once this identification is made, digital security can then begin to be assembled from the inside out, managing possible routes and dictating how exactly data gets sent out. There is an enormous difference between tailored training for each unique departmental infrastructure housing a category of data or assets to better apply risk mitigation and a boilerplate overlay that never actively educates employees on how to avoid falling prey to cyber pitfalls specific to their departmental vulnerabilities.
As mentioned earlier, it is already an unfair fight before the bell even rings, typically with employees having to continually fend off and recognize multiple schemes while hackers often only need one misstep to open a point of entry. It is not uncommon for organizations that are hacked to have indeed “trained” their employees but to have ultimately failed to create a strong practical and effective cybersecurity and data privacy program. Because when it comes to training, results are the bottom line key indicators of efficacy. And with so much on the line for so many companies and margins getting tighter by the fiscal quarter, there is just no room these days for error or underestimation. Properly designed and executed cyber awareness employee training is a crucial focus point for organizations looking to “step up” in order to “keep up” in today’s relentlessly competitive global digital economy.
Strategically Measured Training Using Science as a Primer
In light of the growing digital challenges facing business today, a new face for cybersecurity awareness needs to be measured in order to continue to provide secure asset integrity, minimize legal liabilities, and advance positive growth. Privacy and security programs need to have the ability to quantify security awareness to determine by what degree employees are informed and aware of security risks. When it comes to adding value to an organization using a security awareness program, it is useful to have a set of measurables to analyze effect and therefore contextualize valuation.
Properly defined analytics and the rise of artificial intelligence are making detection of potential insider threats easier and less intrusive. Likewise, measuring variables like perceptual decision-making can provide scientific insights into an employee’s cyber awareness that are quantitative and qualitative. Decisions equal what an individual employee perceives or understands as fact. Tailored behavioral analyses, on the other hand, take defined analytics a step higher by accounting for underlying interpretations and the situational actions one takes in response. This is how testing can be a valuable tool to reveal hidden or subconscious perceptions. Combined with objective situational assessments that include a time component, it sheds light on an individual’s response to various cyber threats. In short, binding these factors together is what leads to better predictive models of cyber vulnerability to determine levels of preparedness. A corporate CISO can in turn use this information to develop and design training programs that match threat degrees and are tailored to employees’ particular environment and job responsibilities, creating an effective cyber awareness program that significantly improves the odds of understanding how to prevent a cyber incident.
Businesses thrive in large part because they do things better, not more frequently. The prevailing thought over the last several years has been to employ the same poorly designed and generalized applications of cybersecurity training with minimal consideration of what actually works. This begs the question of course. Why keep attempting to manage a square peg in a round hole but expecting a distinctly different outcome? Measuring an employee’s aptitude and predisposition toward cybersecurity will allow an organization to go beyond a simple click rate survey to understand instead “why” the employee is still clicking.
Using this metric, tailored analytical training can increase the effectiveness and bottom-line value of making decisions based on analytics. Tailoring a program to individual employees based on their unique metric and organizational directive in the company infrastructure will dictate the degree of success and advantage a security and privacy program can bring to an organization. As a parallel example, some pharmaceutical researchers are currently looking at therapeutic treatments specifically tailored to an individual’s DNA sequence. Based on research to this point, this type of breakthrough treatment specific to the individual patient could reduce unwanted and unforeseen consequences. The same principle applies here. An output calculated to predict cyber readiness and/or vulnerability will increase the benefits of a security and privacy program through tailored analytical consideration to better understand the individual and also then better train the organization’s most important, but often highly unpredictable, variable – its employees.
Strategically engineering employee training that uses science as a primer is a solid start toward reducing corporate cyber risk and liability. Risk mitigation is by definition a forecast of potential pitfalls ahead. Strategically measured cyber awareness employee training coupled with tailored analytical consideration can help lower a company’s legal risk profile and efficiently educate employees to avoid cyber minefields counting on reflex rather than awareness. So both policy and decision-makers in Washington, D.C. have thrown down the gauntlet, asking businesses to “step up” their cyber awareness and readiness. The private sector is unquestionably capable of meeting the moment and leading with its typical enthusiasm for innovation and practicality. Improving their corporate cybersecurity infrastructure after all is not just good policy but bankable business too.
Reprinted with permission from the March 10, 2022, issue of the New Jersey Law Journal. Further duplication without permission is prohibited. All rights reserved. © 2022 ALM Media Properties, LLC.
This article does not constitute legal advice or create an attorney-client relationship. The information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.