Nudging Employees Into A Security-First Mindset

In the last year, we’ve seen rapid digital transformation and cloud migration, as well as an increase in remote and hybrid office environments. While these changes have introduced new, more efficient ways of working, they’ve also encouraged a global increase in sophisticated methods of cybercrime, such as ransomware and phishing. Cybercriminals thrive during periods of change, capitalizing on our uncertainty when using new technologies or experiencing a new environment.

Because of this, it’s crucial that organizations implement the necessary security to protect their data, infrastructure, and users. A lack of investment in cloud cybersecurity tools, such as MFA, email gateways and VPNs, leaves remote employees vulnerable to phishing, password cracking and malware attacks. However, technical protection alone isn’t enough to keep your business secure: you need to encourage your employees to adopt and maintain a “security-first” mindset. This is easier said than done—particularly if your users are sat at a kitchen table in sweatpants, rather than in a corporate office.

The best way to cultivate a culture of security is by teaching your users to be vigilant, to understand the threats and their impacts and then, ideally, preparing them to identify and respond to these threats. Security awareness training solutions are designed to help you do this and, in fact, 71% of organizations that suffered a data breach in the last year say that better user awareness training could have prevented the breach.

To find out more about how organizations can leverage employee training to create a culture of security, we spoke to Tim Ward, CEO and co-founder of ThinkCyber Security Ltd. With over 20 years of experience in the corporate IT and security world, Ward founded ThinkCyber with colleague Dr. Mike Butler out of a frustration that traditional employee awareness training solutions aren’t working, for two reasons. Firstly, the human element of training is often sacrificed in favor of technical security controls. Secondly, according to Ward, existing approaches to combatting this— such as eLearning platforms and phishing simulations, which deliver training at the point of failure—are ineffective.

The ThinkCyber Redflags™ platform, founded in 2016, takes a behavior-led approach to security awareness training. It uses tailored messaging and tiny snippets of content to help organizations tackle phishing, misdirected emails, web-based threats, and unsecure shadow IT.

Traditional Training Doesn’t Work

Since the term was first coined by Elliot Masie in 1999, eLearning has become an increasingly popular option for businesses looking for a more flexible way to train their employees. eLearning solutions enable users to access their training on the go, making it easier to train around their workday. However, according to Ward, traditional eLearning solutions aren’t well suited to this security awareness context. Part of the problem lies in the frequency and method of delivery.

“It doesn’t take much of a leap of the imagination to realize that being taught something once a year isn’t going to change behavior!” says Ward. “It’s only when you do things day in, day out, that you that you really remember them.”

“The changes driven by COVID and the rapid evolution of the workplace demonstrate that gone are the days when an annual awareness course will cut it. Instead, Security Awareness is increasingly about drip-feeding short snippets of information directly to users, with a content creation cycle of hours or days rather than weeks or months.”

“But even more frequent attempts to use eLearning fail. Part of the issue is that eLearning is designed for situations where people choose to learn; it’s a learning and development tool. We have a situation where we need people to learn.”

When we choose to learn something, we are much more likely to engage with the content and retain the information presented to us; it’s something we’re interested in. When we have to learn something, on the other hand, we often approach it with a mindset of being forced into something we don’t want to do, which reduces engagement and, subsequently, retention. This is an issue psychologists call “reactance”.

Because of this, formal learning delivery methods, which often involve the user watching a series of videos and answering questions on what they’ve watched, can seem like a chore. Reducing the amount of content delivered at once and “drip feeding” it regularly, rather than delivering it in blocks, can help maximize long-term retention and change behaviors over time.

When it comes to cybersecurity, phishing awareness training and simulation solutions are also becoming increasingly popular. These enable security teams to send fake phishing emails to their users to test their training: if the user clicks on a link or attachment in the email, they fail the test and are presented with supplementary training.

While phishing simulations can be a valuable method of training employees to spot the warning signs of a phishing email, they also have their drawbacks. Firstly, as was the case with the West Midlands Trains simulation incident earlier this year, they can cause employees to distrust their security teams. This increases the likelihood of users trying to cover up security incidents or mistakes, rather than reporting them, for fear of being punished.

There is also a question as to whether the point of failure is a good time to learn. Some research suggests our egos won’t allow us to absorb new information at this point in time.

More fundamentally, Ward says, phishing simulations teach users to look for the signs that an email might be malicious, but they can’t stop users from being tricked by real attacks. Genuine attackers use specific contextual information to lure their targets into clicking. They manipulate their victims and, because of this, even the savviest among us—those who know all the signs—can be caught out.

“If you interview someone after they’ve been caught in a phishing attack, they’ll tell you exactly what they should have spotted. It’s not that they don’t know—the issue is that they were tricked,” he explains. “We don’t think it’s completely an educational problem.”

Preventing Attacks Just In Time

The solution to this manipulation, says Ward, is to insert training at exactly the moment when a user may be tricked into clicking on a phishing URL or downloading a malicious attachment.

“We need to either block that automatic action and push the user into double checking what they’re doing, or we need to replace that habit that they’ve created with another habit by steering them towards a different behavior.”

The Redflags™ platform sends “nudges”—real-time interventions in the form of a short message— to users at the point of risk. The moment of delivery depends on the type of threat the user is facing. To protect against phishing, the nudge is delivered as the user hovers over a URL in an email from an unknown sender, or enters their corporate email in a non-standard web page. To prevent data loss via misdirected emails, the nudge might trigger when they upload a direct attachment, instead suggesting that they send a document via a corporate SharePoint link that requires a log-in.

“By providing the right guidance at the right time we can change the context to drive secure behaviors,” Ward explains.

To detect risky actions and deliver these nudges, the platform monitors each users’ on-device behaviors. This could present a privacy concern to some end users. However, the nudges are designed to be as subtle and non-intrusive as possible, Ward tells me.

“We’re there to help the user, not to catch them out. We’re not interested in the detail of the action, such as the name of the webpage you entered your email address into—we capture the response to the trigger event to try and knock you out of that automatic pilot.”

“Some of our clients also anonymize the platform, so they can only see what the event is and how often it’s occurring.”

In addition to nudges, Redflags™ delivers short cycles of key contextual content in the form of short paragraphs on notes that the user can click through. These little note pages sit in the user’s desktop background until they click on it, meaning even if they don’t take the time to immediately open the learning bite, they’ll be presented with the first piece of information every time they log into their desktop.

As well as increasing information retention, short content cycles also enable security awareness providers to roll out information on current threats much more quickly than traditional learning path delivery methods.

“When we see a new threat, we can push it straight onto people’s desktops in near real-time if required,” says Ward.

Tackling Unsecure Behaviors In An Ever-Changing Environment

The surge in remote working due to the Coronavirus pandemic saw security teams struggling to keep their users secure in the face of BYOD and unsecure home Wi-Fi networks. Though we’re seeing businesses around the world starting to open their offices again, 75% of organizations intend to make the transition to remote work permanent for at least some of their employees. This means that the challenge of securing remote or hybrid workers is not yet over, and we can expect to see continued attacks against targeting the vulnerabilities that remote work presents.

There are two main areas for concern here, says Ward, the first of which is a change to the threat landscape.

“New threats include insecure home Wi-Fi, device security with other people in the house, emailing personal accounts to print, being overheard out of the window and building up insecure habits like not locking screens. Threats target this situation, like Zoom, Teams and COVID-related phishing.”

The second area is the context within which we’re working. In a remote or hybrid environment, users aren’t given a constant reminder to work securely. “There are no posters, no corporate feel, no busy office that might remind you to lock your screen or find a private location for a call,” says Ward. In fact, instead of security reminders, remote and hybrid users are presented with more distractions to keep their minds off security.

“The idea of starting an eLearning module at that point, and the expectation that you’d remember any of it, is crazy.”

One way for organizations to tackle this challenge, says Ward, is by “drip feeding” short snippets of information directly to users. “Adapt quickly, minimize impact on staff, win the competition for attention, yet still pass on those key pieces of actionable advice.”

Secondly, security awareness should find a new way to be a part of the attack context. “Physical cues have gone, so we need to create virtual cues towards secure behavior—embedding security in people’s day-to-day use of IT.”

For maximum impact, adds Ward, these training “cues” should be cognizant of behavioral change theory; they should be easy, attractive, social and timely, following the Behavioral Insights Teams EAST model.

“We have to give the user an easy solution; in a phishing context, that could be ‘If you’re not sure, report it.’ It needs to be attractive in terms of motivating the user to do it by helping them to understand the threat, but also in terms of making the content visually attractive, so it’s something they want to look at. In terms of social—we’re all social animals. Highlight the impact it could have on their colleagues if they don’t do it. And as for timely, we need to help people when they actually need it.”

Creating A Culture Of Security Starts At The Top

Fundamentally, says Ward, all organizations need to build an understanding of risk into their security cultures, and the need to assess risk. This means ensuring that people are thinking about security every day, not as a distraction from their job, but as an approach to it; they should have a security-first mindset.

“You want your people to always be thinking about risk, because something brand new could happen that we never thought to educate people on,” he tells me. “For example, we’d never have told people to watch out that their neighbors might overhear a work conversation out of a window when we are all working at home, and businesses wouldn’t have included that in their security awareness training. But risk-aware people will realize and shut that window themselves.”

Awareness training has been proven to be an effective way of creating a security-first mindset and decrease the risk of cyberattack. However, not all solutions provide the same level of effectiveness. Ward suggests narrative-based content as one of the best methods of engaging users and helping them to retain their knowledge.

“Use personally relevant and topical content, and stories about real breaches. The narrative gets people interested, as does the potential impact on them personally. But it needs to be short and sweet!”

It’s also often not enough to just roll out mandatory training: change must happen from the top down.

“You need to get the senior people in the organization talking about it; even being honest if they’ve fallen for an attack,” says Ward. “Then, in your content, you can use that social proof to say that it happens to all of us, and get them to back what you’re trying to do.”

As well as company executives, the security team plays a huge part in the success of an awareness training program and in creating a positive security culture that encourages reporting.

“People need to be encouraged to talk to and report things to the security team,” Ward says. “If you’ve created a security team that’s always telling people off, tricking them with phishing tests, or punishing them with training, you’re not building a positive security culture.”

“Instead, you want to show people you’re there to help them. You want to be in a position where, if someone clicks on something, they don’t think, ‘Oh my God, how can I cover this up?’—they say, ‘I’ve clicked on something, and I need your help.’”

Thank you to Tim Ward for taking part in this interview. You can find out more about ThinkCyber and their security awareness solution at their website and via their LinkedIn profile and Tim’s LinkedIn profile.