Security Awareness Training (SAT) just isn’t working: for companies, for employees, for anybody.
The average human makes 35,000 decisions every single day. On a weekday, the majority of these decisions are made at work: decisions around things like data sharing, clicking a link in an email, or entering our password credentials into a website. Employees have so much power at their fingertips, and if any one of these 35,000 decisions is, in fact, a bad decision (somebody breaking the rules, making a mistake or being tricked), it can lead to serious security incidents for a business.
The way we tackle this today? With SAT.
By 2022, 60% of large organizations will have comprehensive SAT programs (source: Gartner Magic Quadrant for SAT 2019), with global spending on security awareness training for employees predicted to reach $10 billion by 2027.
While this adoption and market size seem impressive, SAT in its current form is fundamentally broken and needs a rethink. Fast.
As Tessian’s customer Mark Lodgson put it, “there are three fundamental problems with any awareness campaign. First, it’s often irrelevant to the user. The second, that training is often boring. The third, it takes a big chunk of money out of the business.”
“We knock out CBT (computer-based training) for 20 minutes, put a test at the end of it, and we expect ‘Johnny’ to be grateful for having spent that time in the training and to have been thoroughly entertained. ... You’re asking people to take 30 minutes times 30,000 people globally. That’s a big number, and in my case, I have to do around 12 modules a year.”
The 3 big problems with security awareness training
There are three fundamental problems with SAT today:
SAT is a tick-box exercise
SAT is seen as a “quick win” when it comes to security: a box-ticking item that companies can do in order to tell their shareholders, regulators and customers that they’re taking security seriously. Often the evidence that these initiatives were conducted matters much more than their effectiveness.
Too many SAT programs are delivered once or twice a year in lengthy sessions. This makes it really hard for employees to remember the training they were given (when they completed it five months ago), and the sessions themselves have to cram in too much content to be memorable.
SAT is one-size-fits-all and boring
We give the same training content to everyone, regardless of their seniority, tenure, location, department, etc. This is a mistake. Every employee has different security characteristics (strengths, weaknesses, access to data and systems), so why do we insist on giving the same material to everybody to focus on?
Also, however we dress it up, SAT just isn’t engaging. The training sessions are too long, videos are cringeworthy and the experience is delivered through clunky interfaces reminiscent of CD-ROM multimedia from the 90s. What’s more, after just one day people forget more than 70% of what was taught in training, while 1 in 5 employees don’t even show up for SAT sessions.
SAT is expensive
So often companies only look at the license cost of a SAT program to determine costs—this is a grave mistake. SAT is one of the most expensive parts of an organization’s security program, because the total cost of ownership includes not just the license costs, but also the total cost of all employee time spent going through it, not to mention the opportunity cost of them doing something else with that time.
Enter, security awareness training 2.0
So, should we ditch our SAT initiative altogether? Absolutely not! People are now the gatekeepers to the most sensitive systems and data in the enterprise and providing security awareness and training to them is a crucial pillar of any cybersecurity initiative. It is, however, time for a new approach. Enter SAT 2.0.
SAT 2.0 is automated, in-the-moment and continuous
Rather than having SAT once or twice per year scheduled in hour-long blocks, SAT should be continuously delivered through nudges that provide in-the-moment feedback to employees about suspicious activity or risky behavior, and help them improve their security behavior over time. For example, our SAT programs should be able to detect when an employee is about to send all of your customer data to their personal email account, stop the email from being sent, and educate the employee in-the-moment about why this isn’t OK.
SAT also shouldn’t have to rely on security teams to disseminate it to employees. It should be as automated as possible, presenting itself when needed most and adapting automatically to the specific needs of the employee in the moment. Automated security makes people better at their jobs.
SAT 2.0 is engaging, memorable and specific to each employee
Because each employee has different security strengths and vulnerabilities, we need to make sure that SAT is specifically tailored to suit their needs. For example, employees who work in the finance team might need extra support with BEC awareness, and people in the sales team might need extra support with preventing accidental data loss. Tailoring SAT means employees can spend their limited time learning the things that are most likely to drive impact for them and their organization.
SAT should put the real-life threats that employees face into context. Today SAT platforms rely on simulating phishing threats by using pre-defined templates of common threats. This is a fair approach for generic phishing awareness (e.g. beware the fake O365 password login page), but it’s ineffective at driving awareness and preparing employees for the highly targeted phishing threats they’re increasingly likely to see today (e.g. an email impersonating their CFO with a spoofed domain).
“You can’t take a 'big bang' approach to data privacy awareness training. To really see employees empowered, you have to constantly reinforce training.”
SAT 2.0 delivers real ROI
SAT 2.0 can actually save your company money, by preventing the incidents of human error that result in serious data breaches. What’s more, SAT platforms are rich in data and insights. We can use this information as an input to other security systems and tools, and to the SAT platform itself, to provide adaptive protection for employees. For example, if my SAT platform tells me that an employee has a 50% higher propensity to click malicious links in phishing emails, I can use that data as input to my email security products to, by default, strip links from emails they receive, actively stopping the threat from happening.
It’s also crucial to expand the scope of SAT beyond just phishing emails. We need to educate our employees about all of the other risks they face when controlling digital systems and data: things like misdirected emails and attachments, sensitive data being shared with personal or unauthorized accounts, data protection and PII.
SAT 2.0 is win-win for your business and your employees
The shift to SAT 2.0 is win-win for both the enterprise and employees.
Lower costs and real ROI for the business
Today SAT is one of the most expensive parts of an enterprise’s security program, but it doesn’t have to be this way. Delivering small educational nudges to employees when they’re needed most means no more wasted business hours. Not only this, but by being able to detect risky behavior in the moment, SAT 2.0 can meaningfully help reduce data breaches and deliver real ROI to security teams. Imagine being able to report to the board that your SAT 2.0 program has actually saved your company money.
SAT 2.0 builds employees’ confidence
In a recent study about why fear appeals don’t work in cybersecurity, it was revealed that the most important thing for driving behavior change for your employees is to help them build self-efficacy: a belief in themselves that they are equipped with the awareness of threats and the knowledge of what to do if something goes wrong. This not only hones their security reflexes, but also increases their overall satisfaction with work, as they get to spend less time in boring training sessions and feel more empowered to do their job securely.
3 easy steps to SAT 2.0
A training program that stops threats – not business or employee productivity – might sound like a pipe dream, but it doesn’t have to be. SAT 2.0 is as easy as 1, 2, 3…
Step 1: Leverage your SAT data to build a Human Risk Score
Your SAT platform likely holds rich data and information about your employees and their security awareness that you’re not currently leveraging. Start by using the output of your SAT platform (e.g. test results, completion times, confidence scores, phishing simulation click-through rates) to manually build a Human Risk Score for each employee. This provides you with a baseline understanding of who your riskiest and safest employees are, and offers insight into their specific security strengths and weaknesses. You can also add to this score with external data sources, such as your data breach register or data from other security tools you use.
Step 2: Tailor your SAT program to suit the needs of departments or employees
Using the Human Risk Scores you’ve calculated, you can then start to tailor your SAT program to the needs of employees or particular departments. If you know your Finance team faces a greater threat from phishing and produces higher click-through rates on simulations, you might want to double down on your phishing simulation training. If you know your Sales team has problems with sending customer data to the wrong place, you may want to focus training there. Your employees have a finite attention span, so make sure you’re capturing their attention on the most critical things as part of your SAT program.
Step 3: Connect your SAT platform to your other security infrastructure
Use the data and insights from your SAT platform and your Human Risk Scores to serve as input for the other security infrastructure you use. You might choose to have tighter DLP controls set for employees with a high Human Risk Score or stricter inbound email security controls for people who have a higher failure rate on phishing simulations.
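The three steps above, sketched end to end as an added example (not code from the article or from any SAT vendor). The field names, weights, thresholds and tier labels are all assumptions chosen for illustration, and the sample records are constructed.

```python
from dataclasses import dataclass
from statistics import mean

# Illustrative weights (assumed, not from the article); they sum to 1.0.
WEIGHTS = {"phish_click_rate": 0.40, "test_failure": 0.25,
           "low_confidence": 0.15, "incidents": 0.20}

@dataclass
class Employee:
    name: str
    dept: str
    phish_click_rate: float  # share of simulated phish clicked, 0..1
    test_score: float        # SAT test result, 0..100
    confidence: float        # self-reported confidence, 0..1
    incidents: int           # entries in the data breach register

def incident_load(e):
    # Cap at 3 so a single outlier cannot dominate the score.
    return min(e.incidents, 3) / 3

def risk_score(e):
    """Step 1: weighted Human Risk Score, 0-100, higher is riskier."""
    parts = {"phish_click_rate": e.phish_click_rate,
             "test_failure": 1 - e.test_score / 100,
             "low_confidence": 1 - e.confidence,
             "incidents": incident_load(e)}
    return round(100 * sum(WEIGHTS[k] * v for k, v in parts.items()), 1)

def dept_focus(staff):
    """Step 2: per department, pick the topic with the stronger signal."""
    focus = {}
    for dept in sorted({e.dept for e in staff}):
        team = [e for e in staff if e.dept == dept]
        phish = mean(e.phish_click_rate for e in team)
        loss = mean(incident_load(e) for e in team)
        focus[dept] = "phishing" if phish >= loss else "data-loss"
    return focus

def controls(e):
    """Step 3: turn the score and click rate into control tiers."""
    return {"dlp": "strict" if risk_score(e) >= 50 else "standard",
            "inbound_email": ("strip-links" if e.phish_click_rate >= 0.3
                              else "standard")}

# Constructed sample records, not real data.
STAFF = [Employee("a.finance", "Finance", 0.60, 50, 0.4, 1),
         Employee("b.finance", "Finance", 0.20, 90, 0.8, 0),
         Employee("c.sales", "Sales", 0.05, 80, 0.7, 2)]
```

In practice the tier labels would be translated into whatever policy groups your DLP and email security products expose.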
Want an even easier path to SAT 2.0?
Tessian can help you automatically achieve all of this and transition your organization into the brave new world of SAT 2.0. Using stateful machine learning, Tessian builds an understanding of historical employee security behavior, to automatically map Human Risk Scores, remediate security threats caused by people, and nudge employees toward better security behavior through in-the-moment notifications and alerts.
SAT is not “just a people problem”
We so often hear in the security community that “the focus is too much on technology when it needs to be on people”. I disagree. We need to ask more of technology to deliver more impact with SAT.
SAT 1.0 is reminiscent of a time when to legally drive a car all you had to do was pass a driving test. You’d been trained! The box had been checked! And then all you had to do was make sure you did the right thing 100% of the time and you’d be fine.
But that isn’t what happened.
People inevitably made mistakes, and it cost them their lives. Today, I still have to pass my driving test to get behind the wheel of a car. But now our cars are loaded with assistive technology to keep us safe doing the most dangerous thing we do in our daily lives. Seatbelts, anti-lock brakes, airbags, notifications that tell me when I’m driving too fast, when I lose grip or when I’m about to run out of fuel.
However hard we try, however good the training, you can never train away the risk of human error. Car companies realized this over 60 years ago—we need to leverage technology to protect people in the moment when they need it the most.
This is the same shift we need to drive (excuse the pun) in SAT.
One day, we’ll have self-driving cars, with no driving tests. Maybe we’ll have self-driving cybersecurity with no need for SAT. But until then, give your employees the airbags, the seatbelt and the anti-lock brakes, not just the driving test and the “good luck”.