In many companies, employees are required to undergo cybersecurity training to learn how to detect malicious emails and create a secure password.
In some cases, the training may take hours. So is it worth it? Experts say that employees should have some kind of training, but there is room for improvement.
“I think cyber security training is very important. But I think they need to be modern and they need to be tailored to the organization,” said Chester Wisniewski, global field technology officer at security firm Sophos. “Nowadays, it’s a check box for multiple audits and multiple certifications and multiple governments and laws depending on the state and country you live in.”
Because of this, Wisniewski thinks companies are doing the minimum.
“Employees are looking at funny characters for 15 minutes and at the end they’re taking questions about baiting,” he said. Phishing is the practice of sending fraudulent emails, text messages, or other communications that trick users into handing over personal or sensitive financial information.
One common scam Wisniewski sees is a gift-card variant of the money-transfer fraud: a scammer posing as your boss opens with an email asking you to buy gift cards for the next company meeting. The scammer then asks you to send them the gift card numbers.
“If you’re an executive assistant, it might sound plausible. The boss asks you to do a lot of crazy things. But when it seems strange, the training should teach you to go to that person and check.”
Why cyber security trainings fall short
According to Joseph Nwankpa, executive director of the University of Miami’s Cybersecurity Initiative, phishing is a big part of cybersecurity training because it’s a major cybersecurity threat. And since the outbreak began, the large number of employees working from home has become a major concern.
In ongoing research, Nwankpa and other researchers have been studying effective training for identifying phishing attempts. They’re working with the University of Miami’s IT department, which sends fake phishing emails to faculty and staff to see how quickly they click on a suspicious link.
“After three training workshops, employees develop cyber security training fatigue,” Nwankpa said. “In our experience, we have not seen significant improvement in repeat offenders [who click on phishing attempts], even when directed to online phishing training.”
Nwankpa, an associate professor of information systems and analytics at the university, said the training was not enough to change behavior.
According to Nwankpa and Wisniewski, phishing emails have become more persuasive because of the rise of artificial intelligence generators like ChatGPT.
Grammatical errors and typos are the hallmarks of bad actors, and employees are taught to look for them. But AI tools can generate emails without those gaffes, Wisniewski explained.
Another outdated practice: teaching users to search for a company name in a link’s URL before clicking on it.
“The problem is that the real things we use no longer have predictable links,” Wisniewski said.
Cybersecurity threats are always evolving, Nwankpa said, making it difficult to do the right kind of training.
“It will be very challenging to have training programs targeted to perceived threats or threats,” Nwankpa said.
The cost of training
On average, companies spend $20 to $25 per employee on cybersecurity training, Nwankpa said.
But the more complex the training, the higher the price.
Wisniewski said there are companies taking the right steps to ensure cyber security. They are hiring experts who will spend two days with the company and then lead several in-person training sessions to understand the specific concerns they face.
Such instruction generally costs $10,000 to $20,000, Wisniewski said. Yes, it’s expensive, but Wisniewski says it’s 100 times more effective than a generic course.
“There’s a whole industry of consultants and people who provide these services at a very high quality,” he said.
Use your Spidey sense to protect sensitive information
To protect yourself, Wisniewski says you should respect your “Spidey instincts” and reach out to technical experts within your organization if something doesn’t seem right. If you handle other people’s personal information in your organization, you need to know what kind of information needs protection, he said.
“Of course, we all understand that Social Security numbers are sensitive and birthdays are sensitive. But there’s a lot of information that most people don’t know about that they can be sensitive in the wrong hands in their day-to-day work.”
Wisniewski said cybersecurity education in the workplace places a lot of emphasis on creating strong passwords. But he prefers to teach his employees how to use password managers. These platforms help you create secure passwords for online accounts and store that information so you don’t have to remember it.
“At the moment, I’m afraid our training is focused on things that were 15 years ago, and a lot of companies are popping up and doing automated training to do some things cheaply, allowing people to tick a box that they’ve done some training for their staff,” he said. “They are not teaching them useful modern things. I can’t see a phishing link and I’ve been working in anti-spam and anti-fraud for over 25 years.”
There’s one tactic companies can use to help prevent cyberattacks without spending a lot of money: telling people about their own experience.
“At Sophos, one of the things I’ve found most effective at no cost is sharing stories about attacks on our own organization,” he said. “People like listening to stories more than watching computer-based training.”