Many IT managers in companies rely on security awareness training to make employees pay attention to IT security. The measure has as many advocates as it has critics that oppose it. The latter can’t see the point of or has doubts about the effectiveness of such training activities.

The question today is not if, but when, a company will once again become the target of a cyber attack. IT managers struggle with countless attacks on a daily basis. Analysts at G DATA CyberDefense counted more than 4.9 million new malware programs in 2019 – an average of nine new samples every minute. This shows that, sadly, online fraud and cyber attacks are an everyday occurrence in many companies. It is therefore hardly surprising that the latest Allianz Risk Barometer shows that German companies see security incidents in the IT sector as the second most important business risk. In the global ranking, this threat actually ranks first. The problem is that technical measures such as a security solution or a firewall do not provide one hundred percent protection. That’s why many IT and human resources managers rely on involving employees in cyber defence and train them in every aspect of IT security.

Creating another layer of protection through employees not only sounds like a good idea – it works. When compiling the G DATA SMB Report in 2019, we surveyed 200 medium-sized businesses from Germany on this subject. The result was that more than eight out of ten IT managers believe that employees can trigger a cyber attack. Many administrators rely on training and education – in short, on creating security awareness.

So does’t this mean that awareness training courses work?

Critics such as Bruce Schneier, an American expert in cryptography and computer security, question the effectiveness of security training for company employees. Schneier calls them a waste of time and money. In his opinion, companies should spend their budget on the development of secure software and interfaces instead. Schneier also argues that it is difficult to get people to change their behaviour and cites an example from the health sector: most people are aware of the importance of a healthy diet and exercise.  But that doesn’t stop them from sitting on the sofa and eating fast food. 

This way of thinking means that companies find it hard to get their employees to change their habits to improve IT security. Of course, each of us knows that it is difficult to change regular patterns of behaviour – especially when it comes to daily activities or processes. But this doesn’t mean that it’s impossible.
 

Security awareness is a process

Schneier seems to be making a crucial mistake. He doesn’t see security awareness as a process, but it is. Of course, IT security is not a pipe dream that will come true overnight. If you want to increase security awareness in your company, you have to set out with the goal of establishing prudent, secure use of IT resources. This is not an easy thing to do, but employees must be made aware of the cyber threats they may come across in their professional and private lives and learn how to deal with them. It is possible to manage this process.

However, there is one major hurdle to get over – IT security is a very complex and abstract subject. For example, many employees cannot visualise what malware is and how a cyber attack works – because it does not yield any visual clues that a user can identify. More often than not, the only visible indication is the end result of an attack. One example being a lock screen with a ransom demand – which only manifests after a successful ransomware attack. The malicious code itself and the processes behind it remain hidden. Unlike bacteria, for example – they are not visible under a microscope in a laboratory, even to an IT amateur.

The route to more security awareness

So how do IT managers ensure that caretakers, accountants and every other employee are receptive to the subject of IT security? Companies should rely on security awareness training that – without preaching – conveys the necessary knowledge in a practical and, above all, understandable manner. Employees should not get the impression that they are the weakest link in the chain of cyber defence, as sociologist Jessica Barker says. She gave a keynote speech at DeepSec 2017 in Vienna. One of the things she called for was more positive and encouraging discussion of IT security, because users should not be given the impression of being confronted with unsolvable problems.

IT managers must win employees over to the issue by giving them the feeling that they are actively involved in cyber defence. Employees must also understand why IT security is essential for medium-sized companies. Successful attacks, for example, can lead to economic problems and even to the financial ruin of a medium-sized company. In the worst case, the workplace might also be threatened. Once employees have gained a basic understanding of the need, they are ready for training steps that are tailored to their needs.
 

How security awareness works

First of all, IT managers need to determine the current state of security knowledge. Many security awareness training courses start with a test to determine the current level of knowledge. This should not aim to pillory employees. It is about identifying the biggest knowledge gaps and planning a practical series of training units. Many training programmes are designed to last an extended period of time, for example two years. Employees are then required to complete the individual training sessions as planned. The separate training modules offered by many providers, such as G DATA CyberDefense, conclude with a short learning status check. This enables revision of the content of the training session, so employees can check whether they have understood the subject matter. The unit can then be repeated if necessary. Learners can also apply the acquired knowledge directly – through a sample phishing email, for example.

Frequent repetition consolidates knowledge among the employees. The units should be designed in such a way that they can be easily integrated into everyday work. E-learning courses are particularly suitable for this purpose. The training sessions can often be completed at any time. Time-consuming face-to-face training sessions demotivate employees and massively impinge on their work arrangements. E-learning based training is often short in length and uses the latest learning methods. For example, videos are used in the units instead of long texts, making the content easier to absorb.

Combinations involving a gamification approach can provide an additional boost to motivation. Particularly diligent IT security students can be rewarded with small gifts. On the other hand, employees who learn more slowly should not be made to feel disheartened. They too can be further motivated by gamification. However, it is not just the company that benefits from the knowledge imparted. The employees can also easily transfer this knowledge to their private use of computers and smartphones, for example, by choosing secure passwords and, in the case of online user accounts, looking out for two-factor authentication when logging on.
 

Security awareness pays off

Critics point out that security awareness is hard to measure and that so-called ROSI – Return On Security Investment – cannot be achieved. In some training programmes, such as G DATA Security Awareness Training, employees’ level of knowledge can be measured. IT managers can see which individual has completed which learning units, and this provides measurability. However, the investment has clearly paid for itself just as soon as an employee prevents even one attack through their cautious behaviour. The high costs of system downtime and the time-consuming cleaning-up are then eliminated. In addition, companies can also ensure that their employees are complying with the EU Data Protection Regulation and thus avoid expensive fines.

Conclusion: Security awareness – there is no alternative

Bruce Schneier and the other critics are wrong to doubt the effectiveness of training. However, it is true that achieving better IT security is not a clean-cut and easy task. If IT managers pay attention to potential stumbling blocks, security awareness will become established in the company and provide real added value for IT security. Cautious employees can nip a cyber attack in the bud before IT systems are put to the test. This makes IT systems significantly more secure, and all critical data is better protected. Companies that do not involve their employees in IT security are missing a great opportunity and exposing themselves to unnecessarily high cyber risks.