Putting employees into the mind of a cyber attacker is the most effective way of reducing the risk of falling victim.
That’s the view of Nick Wilding, general manager of cyber resilience at AXELOS, who says dull, annual ‘tick-box’ cyber security training is ineffective at changing behaviours.
AXELOS, created in 2013, is a joint venture between the Cabinet Office and Capita, who own and nurture global best practice frameworks like ITIL, Prince2 and RESILIA, the latter of which Wilding leads.
Wilding says the RESILIA Frontline programme includes a phishing game which puts staff in the shoes of an attacker, so that they understand the attacker’s techniques and are better able to identify potential risks.
He explains: “You’re given access to multiple emails and you can try and steal money and sensitive information. You’re told throughout the game why a particular attack has failed or succeeded, meaning you get better at identifying the tell-tale signs of an attack.”
The cyber security expert says too much of the training he’s seen is “boring, too long and too technical”.
In particular, he says the language used to educate staff is critical. “We need to give our staff the simple, practical guidance we all need to make more vigilant and resilient decisions…at home and at work!
“Businesses need to realise that if they aren’t serious about their cybersecurity they will be attacked, and it will be very likely that the reason they are compromised is due to human error.
“Organisations are thinking about this now because they know that their people are their greatest defence but also their greatest vulnerability.”
Wilding believes that organisations need to balance the “stick with the carrot” as all too often bad behaviours are punished but good behaviours go unrecognised.
“At the moment, we are missing a massive opportunity by talking cyber threats with technical and jargon-filled language,” he says. “It simply doesn’t work with the majority of people.”
A feature of the RESILIA Frontline training is that it is delivered in short, nugget-sized pieces of learning: e-learning modules and tests, animations, simulations, audio stories and games.
“If you tried to keep people up to date with each and every scam, you’d be telling them something new every day,” he explains.
“Instead, we go into the nature of phishing and scams, the tell-tale signs and how to develop a gut feeling, which counts for a lot.”
Whilst Wilding says that phishing can be understood in just 15 minutes by anyone willing to learn, he highlights the need for extra care in tackling ‘spear-phishing’, which is more targeted and sophisticated and aimed at specific individuals, and ‘whaling’, which is aimed at senior executives.
“It’s more difficult to train the whales,” he explains. “You’ve got less time with these people because they are extremely busy, and they think they are more immune than anybody else. That actually makes them more vulnerable.”
RESILIA, a suite of tools from AXELOS, is designed to help organisations achieve global best practice in cyber security.
It has released a CEO cyber thriller series called ‘Whaling for Beginners’.
“We need a societal response to cyber security, and I’m not just talking about government,” says Wilding.
“We need to talk about this much more openly, and one way in which we can do that more effectively is through the language that we use.”