Cyber Security Awareness Training
The Power of Context
01 June 2021
We've all been there. That email that crops up at least once a year: "It's that time again, folks! Time for you to undertake your annual staff cybersecurity awareness training!" Then begin the sighs, the groans and the "why do we have to do this?" questions.
I've found myself in this situation many times before. It wasn't that I was deferring responsibility; I was very aware that I had a lot of power sitting behind my computer as a gateway into the company. It was more the fact that the way in which my company had chosen to engage me on this incredibly important and valuable topic was just so…tedious.
When I was asked to deliver Staff Security Awareness Training Courses at Intertek NTA, my initial reaction was fear. "This is a dry subject," I told myself. "This is boring – why would anyone want to listen to this?" But then I stopped and asked myself how I would want the topics to be presented to me if I were in the audience. So I decided to frame these topics as stories. This anecdotal approach was intended to engage the audience across a wide variety of topics, including social media, internet and email usage, and working from home.
Sure, I'd still need to talk about what makes a strong password – the type of guidance that a lot of employees would have heard countless times – but I chose to frame it in a memorable way. I chose to tell the story of an internal pen test we conducted for a customer where we cracked their domain admin password. Being a high-risk issue, this was flagged and changed immediately by the customer. They changed it, all right: by altering a single character at the end of the password. Anyone who had cracked the original would recover the new one in seconds, because every password-cracking tool applies exactly that kind of single-character mangling rule to its wordlist.
I'd also need to talk about phishing campaigns – again, something that many cybersecurity training courses cover in a very bland and unengaging way. I chose to tell the story of how we compromised an organisation by cloning its HR management portal and sending staff a phishing email that tried to get them to log into our copy, thereby capturing their credentials.
Some staff would roll their eyes or push back: "That's unfair – how would you know what our management portal looks like? You'd only know that if you were already inside the network." At that point I was able to highlight that we'd gained network access because another staff member had foolishly signed up for something personal using their work credentials, and these details had been leaked onto the web. With a bit of credential stuffing, it wasn't hard for us to also get into their emails if they were using the same password, which of course they were.
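Both stories above boil down to the same two password-policy failures: a "new" password that is the old one with a trailing character bumped, and a password that is already sitting in a public credential dump. The following is an added example, not code from the original post or from Intertek NTA, showing how a password-change endpoint can reject both. The leaked-hash set, the sample passwords and the 12-character minimum are constructed assumptions for the demonstration; the lookup mirrors the k-anonymity range scheme used by Have I Been Pwned's Pwned Passwords service (only the first five hex characters of the SHA-1 leave the host) but runs against the local set rather than the real API.

```python
import hashlib

# Constructed sample data for this example (not from the post or any real breach):
# SHA-1 digests of passwords assumed to appear in a public credential dump.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Summer2020!", "Password1", "Welcome123", "Qwerty2021")
}

MIN_LENGTH = 12  # assumed policy minimum for this example


def levenshtein(a: str, b: str) -> int:
    """Edit distance: fewest single-character insertions, deletions or substitutions."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def strip_trailing_counter(pw: str) -> str:
    """Drop a trailing run of digits/symbols so 'Winter!2021' and 'Winter!2022' compare equal."""
    return pw.rstrip("0123456789!@#$%^&*?.")


def is_trivial_rotation(old: str, new: str, max_distance: int = 2) -> bool:
    """True when new is old with one or two characters changed, or only the trailing counter bumped."""
    old_cf, new_cf = old.casefold(), new.casefold()
    if old_cf == new_cf or levenshtein(old_cf, new_cf) <= max_distance:
        return True
    old_base, new_base = strip_trailing_counter(old_cf), strip_trailing_counter(new_cf)
    # Require a non-empty base so two unrelated all-digit passwords are not flagged.
    return bool(old_base) and old_base == new_base


def range_lookup(password: str, corpus=LEAKED_SHA1) -> bool:
    """k-anonymity style check: only the 5-hex-char SHA-1 prefix would be sent to a
    remote corpus; the returned bucket of suffixes is compared locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    bucket = {h[5:] for h in corpus if h.startswith(prefix)}  # what a range API returns
    return suffix in bucket


def check_password_change(old: str, new: str) -> list:
    """Return the list of reasons a proposed change should be refused (empty means accept)."""
    reasons = []
    if len(new) < MIN_LENGTH:
        reasons.append("too short (minimum %d characters)" % MIN_LENGTH)
    if is_trivial_rotation(old, new):
        reasons.append("differs from the previous password by a character or two")
    if range_lookup(new):
        reasons.append("appears in a known credential leak")
    return reasons


if __name__ == "__main__":
    for old, new in (("Summer2020!Admin", "Summer2021!Admin"),
                     ("Summer2020!Admin", "Welcome123"),
                     ("Summer2020!Admin", "correct horse battery staple")):
        print(repr(new), "->", check_password_change(old, new) or "accepted")
```

The edit-distance check is deliberately case-insensitive and tolerant of two changes, since a cracker's mangling rules toggle case and append or substitute a couple of characters just as cheaply as one. The leak check never compares the password itself against anything remote, which is what makes it safe to run against a third-party corpus.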
Immediately, we have something memorable. We have something that resonates with the average user, someone who quite likely reuses the same password across many systems, or rotates it by changing a single character. We have something humorous that a staff member might take home and tell their partner or their children.
Context is all that was needed. Suddenly, the average user is able to see the consequences of their actions, without the fallout of it happening to them. As human beings, this is how we empathise. And without realising it, this is more than staff security awareness training – this is real behavioural change.