How often should you conduct cybersecurity awareness training?

Despite seeing cybersecurity training as effective, many organizations only conduct training once a year.

Every year CIRA publishes an annual survey of Canadian IT security decision-makers to better understand how they are coping with cyber-threats. This year’s survey was conducted by The Strategic Counsel in July and August, and collected over 500 responses from IT professionals across the country. This is blog four of five in the series for 2021.  

In 2018, the Cybersecurity & Infrastructure Security Agency (CISA) issued a public alert, “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors.” This particular attack focused on exploiting what the cybersecurity industry often considers the weakest link in any company’s security – humans.

According to CISA, the attackers learned about their intended targets and the companies they did business with. They used that information to launch a spearphishing campaign – meaning they sent emails tailored to specifically trick their target – and if the target was duped, they downloaded an infected payload. From there, hackers were free to collect information about industrial control systems that would normally be restricted.

In its advice on how to protect against the hacking campaign, CISA focused on cybersecurity awareness training, amongst other measures. Their message was clear: it’s not just the IT department’s job to prevent cyber attacks, it’s the responsibility of all employees.

End users must be trained on the common indicators of phishing and be instructed to report suspicious emails, the agency says. Turning our attention to the cybersecurity landscape in Canada – what is the state of awareness training at Canadian organizations? Are employees equipped with the knowledge they need to spot and report malicious emails? Let’s find out.
 

2021 data shows that most Canadian organizations are now conducting some form of cybersecurity awareness training

Employee training is now considered a best practice and Canadian organizations seem to be taking it to heart. According to our 2021 Cybersecurity Survey, 93 per cent of organizations conduct cybersecurity awareness training for at least some employees. 

Canadian organizations approach training with a variety of methods

The most common training method is to create training material and promote it internally (reported by 61 per cent of organizations). Lunch-and-learn workshops are run by 39 per cent of organizations, and 38 per cent of organizations license and provide access to a library of courses.

The fastest-growing training approach is phishing simulations. Such simulations ask the IT department (or a third-party service) to act as hackers and try to catch their employees with their guard down. 

Why is phishing training critical?

A joint study conducted by Stanford University Professor Jeff Hancock and security vendor Tessian shows that 88 per cent of data breaches are caused by employee mistakes. And half of the employees that participated in the study admitted to making an error at work that could have resulted in security problems.

Fooling an employee into clicking on the wrong link or open an attachment is one of the simplest ways for a hacker to get their payload into an organization. Alternate attack vectors require either physical access,  a sophisticated hack requiring technical skills and lots of time, or an unpatched vulnerability that bots can find. Employees that receive dozens of emails a day are likely to slip in their judgment sooner or later and the goal is to minimize the likelihood and impact of that happening.

Workplaces may want to consider training more frequently

If you’re thinking about increasing the frequency of training activities, there are two important considerations.

1. You don’t want to overdo it with training. If there are too many mandatory courses assigned, employees will feel burdened by what’s required from them. There is a balance between teaching users critical behaviours and taking up too much of their time.
2. IT teams can also consider a third-party platform, like CIRA’s Cybersecurity Awareness Training to offload some of the time and resources required to educate employees. Pre-built courses on a variety of topics and hundreds of pre-built phishing simulations help teach users various aspects of cybersecurity awareness.

That being said, there are a few reasons why training once a year might not be frequent enough:

• Learning new behaviours takes time. A message I often share when speaking with audiences about phishing simulation training it takes time for users to recognize commonly used phishing cues (like imitation logos or suspicious URLs) and build the habit of reporting these suspicious emails to IT. Monthly phishing training with emails gives users the opportunity to make reporting incidents second nature. Not to mention, cyber criminals are constantly evolving – with frequent training touchpoints, security teams can educate users on new threats and tactics being used.
• Training works. One key finding from our research was almost all (95 per cent) organizations are convinced training is effective in reducing security incidents and risky online behaviour. If training is effective, then conducting it more frequently (even just with a segment of higher risk users) could result in fewer incidents.
• Threats evolve over time training needs to stay relevant. While scams and cyber attacks usually have common core elements – cyber criminals constantly tweak their tactics in order to be successful. It seems as if organizations understand that, adapting their training to suit the remote work reality. Our research found that eight in 10 trained their workers on the topic of working remotely securely, and 79 per cent gave training on using video conferencing software securely.

Read another blog in this series on the CIRA 2021 Cybersecurity Survey, where we further explore how organizations have adapted to the pandemic from a cybersecurity context.