How cyber-fit is your organisation?
Mark Brown warns that traditional training techniques are a waste of money when it comes to keeping cyber criminals at bay.
Most managers and HR directors would say that training has been transformed in the past 10-15 years. I’d agree with them that the general methods of delivering training have certainly improved: the advent of e-learning, hybrid training and online courses has definitely made the process of training more flexible. It may even have had a hand in more SMEs putting training higher up their list.
Where we might part ways is to do with the content, timing, and lasting impact of the training we put our people through. Does it stick? Does it actually influence or change behaviours? Are you getting real value for money for it? I think not. And that’s because most training – in the cyber security sector undoubtedly – tends to be just about ‘telling’ people things. And I’m afraid that’s not good enough. Not for an area of your business where failure to act means your data, records and perhaps entire business could be at risk.
90% of successful cyber-attacks are down to human error
Think about it for a moment. How much have you invested in sophisticated IT, dedicated firewalls, tests on your systems and new technology? Now, how much have you spent on making your people more cyber aware? I’m going to stick my neck out and say you might have spent up to 10% of your IT costs on training your people. And it’s often much, much less.
And yet that’s a huge statistic up there. 90% of successful cyber-attacks were down to human error according to official statistics released by the Department for Digital, Culture, Media & Sport in 2020.
So how do we address that disparity? It has to be by investing in the right kind of training. Just telling your staff to use strong passwords, look out for dodgy links and check unexpected emails isn’t enough. And that’s because our brains are programmed to take the easy route every time, rather than take a step back, think, consider and act.
So, someone going through their emails in a rush before the 9am meeting will click on that link because that’s the mindset they are in. And there’s your cyber criminal’s way in.
Why introduce psychology to training?
Training – whether at work or for pleasure – is about learning to do something new or different. If we take up a musical instrument, we don’t learn by watching the teacher. We only learn by doing – again, and again, and again.
‘Practice makes perfect’ isn’t just a cliché we trot out; it’s how teaching and training really work. We learn the new thing; we get hints and tips on how to do the new thing and then we do it until our brains understand it and it becomes second nature.
And yet, in most corporate training, the opportunities to ‘do’ are limited, if available at all. When we look at various models of behavioural science, such as the COM-B model developed by University College London’s Centre for Behaviour Change, we can see that the only way to change the way people behave is to get them to a place where new, good behaviours have taken the place of the less desirable, old behaviours.
What is the COM-B model?
The COM-B model proposes that there are three components to any behaviour (B): Capability (C), Opportunity (O) and Motivation (M). In order to perform a particular behaviour, an individual must feel they are both psychologically and physically able to do so (C), have the social and physical opportunity for the behaviour (O), and want or need to carry out the behaviour more than other competing behaviours (M).
As each of these components interacts with the others, interventions like training must target one or more of them in order to deliver and maintain effective behaviour change.
So, in my opinion, the best training creates a fun learning environment, where training can be done at the pace of each individual. It refers to actions and tasks that those people do every day, so that they can see the potential impact on their own tasks.
It gives them the motivation to want to do things better. And then it gives them plenty of opportunity to practise – to embed and reinforce the new actions and behaviours.
The importance of behaviour in cyber security
This approach matters particularly in cyber security, because it’s our inherent laziness and practised habits of opening emails and clicking links that give the cyber criminals a way in. In fact, they focus on exploiting those weaknesses precisely because they know it works.
So, if our current behaviours are letting the criminals in, we need to find a way to change those behaviours to keep them out. For example, we’re all much better at keeping our home safe, making sure windows and doors are locked, checking who’s ringing the doorbell, who’s coming up the path. It’s just the same online – but we need to get into the habit of doing it.
Seeing cyber security training as a ‘tick box exercise’ is potentially damaging to your business. It’s one of the key areas where changing behaviours can actually save your business from financial and reputational ruin.
It seems to me that it makes sense to invest in better cyber security training, and to make sure that training has a long-lasting impact on behaviour. It effectively becomes part of your culture: new employees are introduced to it through their induction process, and it becomes embedded throughout your whole organisation.
Psybersafe is currently running in organisations of all sizes – from start-ups to multi-nationals. Online episodes and complete scalability make it easy to onboard and easy to run. And the psychology behind the design and delivery means that it gets measurable results. And that makes your business cyber-fit for purpose.
Mark Brown is the founder of Psybersafe online cyber training and a behavioural scientist.