But don’t most organizations require their employees to get cybersecurity training? Maybe the training isn’t good enough and needs to be rethought.
That’s the basic argument from Sajed Naseem, chief information security officer for the New Jersey Courts, and Rebecca Rakoski, co-founder and managing partner at XPAN Law Partners. Both Naseem and Rakoski are adjunct professors in addition to being cybersecurity experts, so they bring abundant academic knowledge to the table. However, their suggestions for cybersecurity training go beyond the theoretical and address real-world psychology and behavior.
Their responses have been edited for clarity and brevity.
What do you think about how organizations tend to handle cybersecurity training?
Rebecca Rakoski: I work with a lot of organizations. This isn’t something that’s easy to do. Organizations really try. They want to do the right thing. They have videos for their employees to watch. They send out emails once in a while. But one of the big issues there is a lack of interaction. People have admitted this to me, “I watch the video, but I turn the sound off because I’ve seen it 12 times already. I don’t need to pay attention to it anymore. I can just take the quiz at the end and I’m fine, and now I’ve checked the box and gotten that completed.” That’s not effective training.
Employees are an organization’s greatest asset, and they’re also their biggest liability when it comes to cybersecurity because they’re on the front line. And hackers just need one of them to make a mistake. It’s critical organizations aren’t doing the check-the-box, watch-the-video type of training. That’s fine for supplemental, but I think real training should be done in person with a professor or a teacher or whatever you want to call it, and you should have the ability to ask questions. Plus, it’s harder to play on your cellphone when you’re in front of another person and they’re looking at you.
Sajed Naseem: I take the practitioner’s point of view. We see a lot of different cyber attacks. And what happens? People click on phishing emails. A lot of these organizations have training for not clicking on phishing emails. How does that breakdown happen?
You can get a driver’s license, right? But then if you hit the BQE in New York, or the RFK, or West Side Highway, or whatever, it’s a different story. Your driver’s license isn’t really working for you because you’re in real life. Cybersecurity is very much like that.
People are into gaming, sports, the news and more. What these hackers are doing is exploiting our psychological interest in something by giving us links associated with what we like. That’s the real-life part of it. My practitioner’s point of view is, are these trainings working in real life, yes or no? We have a mathematical proposal to understand the answer to that question and to further progress the training.
How has the pandemic affected cybersecurity and data privacy training?
Rakoski: We see that organizations are not necessarily going back to normal. A lot of organizations are going to use a hybrid model. You now have a larger attack surface. Many organizations were quick to spin up these new environments because the world shut down and everybody had to move. I think IT did a great job, but now you need to come back in and go, “If this is going to be how we operate, the policies have to change.” That means the training has to be done on new policies. If I’m working from a home office, maybe part of the corporate policy is that I operate on a separate network from the rest of my family. My kids aren’t streaming from the same network. We have a segmented network. And we can train on why we are doing that.
With COVID-19, you saw a roughly 700 percent increase in phishing emails. Hackers knew people were experiencing a different normal. They were sending emails on COVID-19, and you’re like “Oh! Let me click on this real quick!” Or they would send an email that looked like something coming from your kid’s school. As a result, we need to train a little bit differently. It’s not just “Did they click” but “Why are they clicking?” It’s not just “Are you doing training?” but “Is your training effective?” Those are the questions organizations need to be asking themselves.
Naseem: There was a news story over a year ago that said scientists had found a universe where time ran backwards. So maybe there was an alternative version of me talking about cooking or something instead of cybersecurity.
The pandemic has put us in different universes with these virtual and remote interactions. What if a user calls me on the telephone and wants me to change their password? How do we authenticate that person? That fundamentally is different in the pandemic. How would we know one person’s voice versus a deepfake voice?
Rakoski: This comes back to training. If I am training you on basic cybersecurity principles, you may not know our policy has changed on authentication. This is where security and privacy intersect. You have organizations who have to authenticate a data access request under Europe’s General Data Protection Regulation or California’s Consumer Privacy Act. Even with HIPAA, you can’t release data without authenticating the individual. It complicates things. You’re overlaying technology with general security, with IT security, with legal concerns, and it creates a very interesting web.
What needs to be done to make training better?
Naseem: Here’s the bottom line: If you can’t measure it, you don’t know what you’re dealing with. We must get to the point where we measure three key factors mathematically: knowledge, behavior and attitude.
Knowledge would be like “Does someone know what a phishing email is?” We’ve done programs at the New Jersey Courts where a user will click on phishing emails twice. They knew everything about phishing emails from a training standpoint, but in that decision-making process where they were looking at a phishing email, they would fail about 30 percent of the time. So this is about behavior and attitude, too. Some people look at a cybersecurity exercise and say things like “Oh, that’s common sense.” Not everything is common sense. You get phishing emails that look like encrypted emails. Things become grayer in real life.
Rakoski: We do these phishing tests to see if people are going to click an email, and you get a click rate. But are you understanding why they are clicking it? If you don’t understand the reason behind it, how are you going to change the behavior toward it? Understanding the why is the critical question. If we want to turn the corner, if we want to change the paradigm of people clicking emails, we must know why people are clicking things in the first place.
How can the fallibility of humans be taken into account with training?
Naseem: Through a multilayered security approach. The example I’m thinking of came before the pandemic during 2020. Shark Tank’s Barbara Corcoran had a bookkeeper who gave away $400,000 because she thought she was talking to the CEO of the company. Business email compromises are happening all the time.
Training is not just saying a bunch of words, but putting things into practice. What if there was a principle that any check above $5,000 needs to have a secondary cosigner? That would stop the $400,000 from disappearing. Put in layers of operational practices that people can follow.
Is there a way organizations can leverage employees as assets for cybersecurity training?
Rakoski: They can leverage their employees by measuring them. We’re going to measure you and understand what your knowledge, behavior and attitude toward cybersecurity and data privacy is. Based on that information, we can train you in a way that is focused.
Some people are going to be highly suspicious about a certain email, but some of them aren’t going to be. Some will want to click because they’re into the sports that are referenced in the link. Those are the things that we look to measure. Then we can arm people with knowledge about the problem, change their attitude toward the problem and thus alter their behavior.
I find that people see cybersecurity as something where everyone has the same experience. That’s not true. Different departments will have different levels of access. You need to understand everyone’s interaction with the system. Are they remote? Are they in the office? Are they dealing with finances? Are they dealing with HR data? Are they dealing with customer data? You have to understand these things so that people can know what they need to focus on to be a more effective employee.
You also need to constantly remeasure. No one’s perfect. Everybody’s going to make mistakes. The goal here is to reduce mistakes and thereby reduce liability from a legal perspective and risk from an organizational perspective.
Naseem: We constantly hear that cybersecurity is an organizational responsibility. It’s not that organizations aren’t taking cybersecurity seriously. I think they intend to take it seriously, but their perspective about cybersecurity could be flawed.
Cybersecurity is very much a leadership and management topic. It’s not so much a technical topic like people think. People believe the CISO or CIO can protect everything; you just put everything into a box and protect it. But we see within organizations that people are sharing gaming websites, cooking recipes and dog pictures that may have malware. Should we be sharing these things with an organization’s computer?
Rakoski: Organizations that look at cybersecurity as a technical problem are missing about 75 percent of it. The minute I hear someone say, “We just call our IT department” or “We have a great firewall,” you have missed the boat, you’re not even in the same harbor. It’s really not a tech problem. It’s a multidisciplinary, multidepartmental issue that everybody needs to be working on. It’s different when you have a data breach. You need a general in that situation. But in order to avoid that, you need everyone working together. I always think about it like a big battlefield. Your employees are at the front line of the battlefield, and everything else is behind them. Once one of them starts to fall, they all start to fall.
Are phishing test campaigns enough?
Naseem: No. The default to cybersecurity awareness is giving somebody a phishing test. So you get a phishing test that looks creepy, but the hackers are giving you a cute dog picture or a secret admirer who’s looking for love. It’s a complete disconnect. You’re focused on phishing tests, but the hackers are focused on cute dogs and love. Who’s going to win? Clearly it’s a psychological process that hackers are aware of. They’re not breaking your firewall. They’re breaking your mind.
We’re not saying we understand everything. We’re saying that we want to measure all of this.
Rakoski: Phishing campaigns are great, but it’s only telling you one piece of it. It’s telling you that they clicked. That’s it. It’s not telling you why they clicked. And they’re going to keep clicking. I used to say they’re happy clickers, but we’re simply not arming them well enough. There are no bad students. We just have to teach them better.
What is the benefit of focused training?
Naseem: True cybersecurity awareness is specific to the individual in a particular job. If you are in the finance division, and you’re constantly dealing with checks and electronic PDFs, you’re going to get training specifically in that area, and we have proposals on how you can change your business practices to prevent business email compromises, for instance. It’s not going to be like some academic subject you learned in class.
The yearly cybersecurity videos are not working. Maybe they’re working for a few, but how do we measure that?
Rakoski: It’s like saying to a general practitioner, “Here, go perform brain surgery.” That doesn’t equate. They’re not going to be able to do brain surgery. When you’re training people specifically, you’re training them on their job and how practices affect their day to day. You’re giving them what they need every single day. It’s a different approach.
