Benjamin Rowe MBCS CITP asks whether cyber security awareness training should prepare us for when something does go wrong — not just how to prevent problems from happening.
For some time now I have been pondering the way cyber security training is delivered. Each time I am requested to undertake training, I go through the motions and am left feeling underwhelmed, with nothing to show for it but a completed tick box. It is a chore that must be completed to become compliant; I have watched the videos, I have clicked on the answers (which are all too often obvious) and then taken the token test at the end to show I’ve been awake during the last 45 minutes.
I now know what not to click on, what not to reply to and what something suspicious could look like, and I go back to my working day. But how much did I take in? What did it teach me exactly, and has my behaviour changed over the years because of it?
Rethinking cyber security training
The trouble with conventional cyber security training is that it only goes so far. It’s great to tell our teams how not to do things, but what happens when something does go wrong? They are not prepared because traditional cyber security training only teaches prevention, not reaction. We need to give our users the mindset and tools to deal with disaster.
Additionally, we need to help people understand that cyber attacks can follow them from their personal life to their work life and vice versa — cyber security training should encourage people to be vigilant in all aspects of their life, not just the workplace. With the help of a personal response plan, people can think about what they would do, how they would react and who they would call before an incident should occur.
When a user does accidentally click on something, download a file or open an attachment, they should know:
- What are the signs they should be looking for?
- What is their first notification of a problem?
- How should they react?
- What should they take note of?
- Who do they call?
- How do they handle their technology from this point forward?
- What level of alarm do they raise?
These are all questions I have seen first-hand when speaking with users after an incident has occurred. They had been prepared for what not to do to prevent a problem, but not for what to do other than ‘call IT’ once a problem had occurred. And in these situations, minutes matter.
Though response teams are prepared for a call, it takes time to understand an issue and its seriousness, to get answers from the user, and to get physical hands on the device — all of which is time wasted in stopping the spread and minimising the impact.
Training teams in cyber attack response
We need to change the mindset that our teams are not capable. This is where response planning comes into play. We need to be teaching response like a fire drill: we do not teach people not to start fires, but what to do when one breaks out. We rehearse it. We drill it. Everyone knows their role and where to go.
In the same way we have first aid responders, fire marshals and health and safety champions within our workforce, we should be training ‘cyber first responders’ — people that are not part of the IT team but have a higher level of training on the systems in their area of expertise and what to do when something happens. They should understand how to react, what data to collect from the users, what to do with the technology, and most importantly engage with a calm head and reassure the user that this was not their fault. Cyber criminals deliberately exploit human behaviour and are using increasingly sophisticated techniques. People must feel safe to flag an issue when they think something is wrong, and not fear getting in trouble.
Quick response reduces incident impact
The cyber first responders can be the cool head in the room and react accordingly, gathering vital information for the IT and response teams and saving those crucial minutes and hours.
In a ransomware scenario, preserving the affected machine’s state can be critical for digital forensics and incident response (DFIR), especially when tracing lateral movement or identifying payloads. The cyber first responder’s role isn’t to fix the problem, but to stabilise the situation: limiting further damage, avoiding accidental data loss and supporting a faster, more effective investigation by the response team.
Considerable thought should also be given to IT and response team availability, especially if the government proceeds with its proposed ‘right to switch off’ policy.
Cyber attacks and the criminals behind them rarely care about your company, your people or even your data. Their goal is simple: disruption and profit. As attacks become more prevalent, there is a growing concern that they are no longer a matter of ‘if’ but ‘when’.
This is a sweeping statement, yes, but the reality is we are seeing companies big and small across the spectrum falling foul of these criminals. Making sure our teams are aware it’s not their fault, and know what to do, how to report and how to react, is critical for both organisational resilience and our teams’ wellbeing.
To support this shift, I’ve created a set of free tools, personal response plans, business response plans, and a cyber first responder plan — all available to download at BDRoweConsulting.com.