This article was originally published on the TripWire blog.
The annual RSA Conference is a lot of things to a lot of people (43,000 this year!). For me, it’s become an annual opportunity to step out of the stream and to look back at what has happened in the last year and peer forward at what’s to come.
This year, I think we have reached an inflection point around the way we as a profession treat the “human element,” as RSA calls its track of sessions dealing specifically with human interaction with cybersecurity. For the “human element” crowd, of which I am a part, this is the year one battle was won: everyone accepted the importance of equipping employees to protect information.
But I think when we look back, it will also be the year when we see the emergence of a new era of awareness programs, as the first wave of efforts to address the human element becomes old school and the more progressive organizations (who are growing weary of the old ways of educating employees) start to develop and deploy holistic ways to ensure their employees are following security best practices.
Argument Won: Humans Matter
If you’ve paid any attention at all to the data coming out in the last year, you can’t deny the importance of the human element.
Start with the poster child for the way employees expose organizations to cybercrime: phishing. The venerable Verizon Enterprises Data Breach Investigation Report found that 30 percent of phishing emails were opened in 2015; up from 24 percent the year before. But falling for scam emails is just one of the dangers posed by employees lacking security awareness.
A 2016 CompTIA report titled International Trends in Cybersecurity found that human error accounts for more than 50 percent of security breaches. My company surveyed more than 1,000 employees across the United States and found that 88 percent lack the awareness to stop preventable cyber incidents.
If you’re reading this, many of these statistics likely come as no surprise to you. Fortunately, cybercriminals’ increasing focus on the human has also meant an increased focus on training these humans to combat these threats. Industry analysts at Gartner tracked a 55 percent growth in the security awareness training market from 2014 to 2015 and projected a 2016 market size of $240 million.
Anecdotal evidence from RSA confirms the industry embrace of awareness programs as the means to address human vulnerabilities. The “Human Element” sessions were uniformly well attended, and I noted a distinct lack of snarky comments from those who once doubted that you could ever enlist employees in defense of data.
So, everyone accepts that responsible organizations must do something to address the human element, and the status quo for how to do so is a combination of online training and phishing. (Whether phishing is training is another argument altogether!) Heck, we even have New York’s new cybersecurity regulation requiring that all financial services companies institute cybersecurity training.
Can anyone doubt that additional state and even federal regulation is far behind?
The Next Wave of Awareness
If you accept my proposition, this means that everyone is now (or will soon be) doing the basics when it comes to cybersecurity awareness. And the basics will thus become boring to innovators and first movers. After a week of talking to my colleagues at RSA, I’m convinced that there is a movement afoot to shake up the way we approach employee education.
Whether it’s the folks running awareness programs at big companies or new vendors who are introducing innovative new ideas, I think we are starting to see the next wave of awareness—what my colleague Jason Hoenich at Hashtag Awareness calls “Awareness 2.0.” Here are some glimmers of what that model might look like.
A customer of ours from a large American telecom told me how thrilled she was with the reaction to the new, “gamified” training she had introduced this year, which uses animated scenarios to illustrate the common cybersecurity decisions you make on a day-to-day basis.
“People loved the training,” she said. “I got all kinds of positive reaction, but my favorite was one guy who said this was the first training that didn’t make him want to stab himself in the eye.” Now that’s a standard to aspire to!
Another colleague at a global financial services company has been experimenting with regular deployment of light-hearted videos that call out the risks people face. These play on the TV screens that sit in lobbies and outside elevator banks, and the reaction has been really positive. (His all-voluntary awareness program gets nearly 90 percent participation. Yes, 90 percent. I’ve had people running required programs that get only 95 percent participation.)
Short and Fun Security Awareness
The market tells us that the focus on short and fun is working: this year alone, we’ve seen multiple new content providers in the cybersecurity space using short-form videos to communicate about cybersecurity risk. (Hashtag Awareness and Ninjio are two of my favorites, but there are many more.)
To this combination of engaging training and frequent reinforcement (in the form of videos and posters and games), many other awareness pros have started to wield the now ubiquitous phishing simulation tools with real dexterity. No longer using phishing tools to demonstrate declining (and too often engineered) click-through rates, creative phishing administrators build complex lures and then use engaging communications around those phishing campaigns to destigmatize taking the bait and turn employees into true skeptics of shady communication practices.
If phishing simulations are one way of providing “just-in-time” education, we’re still waiting to see training integrated into UEBA and DLP tools in a way that consistently gets the right content to the right people at the right moment … but we’ll get there soon.
What the leading companies are recognizing is that it’s okay to make cybersecurity awareness fun—in fact, by making it fun you make it memorable, and thus far more likely to bring about the kind of sustained behavior change that is needed. For every company that has dared to make their cybersecurity awareness program interesting, there are five more wishing they could take the plunge. I can’t tell you how many people have said, “I wish we could make our program fun, but my <fill in the blank: CISO, culture, budget, fear> won’t allow it.”
But that time will come, and I think it will come soon. We’ll see more of the imaginative programs—the ones that are run like advertising or public relations campaigns—demonstrate results, and we’ll see more and more people get bored with doing it the same old way.
The truth is, now that we’ve accepted that humans are one of the most critical elements in being secure, we’ll accept that training or phishing alone is no longer enough. And we’ll all start the work of creating compelling, year-round learning programs that really target employee behavior change. That movement to the next wave of awareness is already under way.