Talk to an expert

Report an Incident

Why Continuous Education, Training and Awareness are Essential for Cyber Resilience

20 July, 2023

Could you imagine an airplane being flown by an untrained pilot? What if you were told that the pilot has never been trained in a simulated, realistic training environment? Thankfully many organizations have invested in training their staff using ‘real-world’ scenarios. In this blog, we explore why a similar training approach should be adopted for key roles in the cybersecurity field; from CISOs to SOC Managers, Incident Response Team Leaders, SOC Analysts and Penetration Testers. After all, the cybersecurity landscape is constantly changing in today’s digital society. Cybersecurity employees should therefore be fully vetted and highly trained to ensure that their organizations can focus on working towards their future goals while ensuring their business resilience.

Organizations may have layers of ‘top-notch’ cybersecurity technologies and well-written, great-looking processes. Unfortunately, they often do not invest enough in measuring and improving the human layer of the cybersecurity chain. The reality is that they mainly rely on the skills and past experiences of those hired. This highlights two key issues. First, the skills of onboarded cybersecurity professionals are rarely truly assessed, apart from interview conversations. If they are, the assessment is often based on highly subjective, outdated, and sometimes irrelevant assessment criteria.According to Career Builder research, for example, 74% of employers admit they’ve hired the wrong person for a position.

Furthermore, adequate cybersecurity training that truly prepares personnel and makes them cyber-ready is seldom deployed. For instance, the UAE Information Assurance Regulation requires the periodic identification of required cybersecurity skills (To-Be), assessment of the currently acquired ones (As-Is), identifying the gaps (As-Is vs. To-Be), and development of a comprehensive training implementation plan to address these gaps effectively.

Effective cybersecurity training, awareness, and education programs not only provide the required knowledge and skills but also reduce the rate of human errors. According to one IBM study, human error is the main cause of 95% of cyber security breaches. To put this into perspective, 19 out of 20 cyber incidents or breaches could have been avoided or better managed if the associated human error was eliminated or reduced.

According to the UK’s HSE, human errors may present themselves as skill-based errors (slips of action or lapses of memory) or mistakes (rule-based or knowledge-based). In the context we’re addressing, some root causes that create or influence human errors are the state of situational awareness, and the lack of required knowledge, skills and abilities.

However, there are contributing factors to human error that should also be considered, such as the behavioral and physiological traits of individuals (e.g. negligence, impulsivity, perception, misassumption, etc.) that could trigger human errors.

Organization-wide cybersecurity culture also plays an important role. For example, the seven C-CAT dimensions of cybersecurity culture as defined by Cybsafe are Trust, Justice & Fairness, Responsibility, Resources & Communication, Productive Security, Ease & Choice, and Community. Other contributing factors to the culture include the physical environment of a workplace, organizational policies (e.g. Work-from-Home, Bring Your Own Device, etc.), adopted practices around decision-making, multitasking expectations, etc.

Key Takeaways

Evaluating readiness to efficiently and effectively respond to cyberattacks requires several assessments and a variety of metrics across people, process, and technology capabilities. Organizations that aim to have assurance over their cyber readiness and resilience should consider investing in:

  • Periodic cybersecurity training needs analysis (TNA), including the assessment of individuals’ knowledge, skills, abilities and other characteristics (KSAOs)
  • Periodic cybersecurity awareness, behavior, and culture assessments
  • Comprehensive and engaging cybersecurity awareness programs to promote cybersecurity hygiene, positive behavior, and productive culture across the organization
  • Hyper-realistic training environments (e.g. cyber ranges), training labs, and other bespoke training solutions for fulfilling identified training needs

It’s true that humans are often the weakest link in an organization’s cybersecurity chain, but they can also be the strongest link if effective cybersecurity training and cultural improvement programs are in place.

Authors:Ibrahim El Abed,Sourav Guha Roy

References:

(1) Nearly Three in Four Employers Affected by a Bad Hire, According to a Recent CareerBuilder Survey:https://press.careerbuilder.com/2017-12-07-Nearly-Three-in-Four-Employers-Affected-by-a-Bad-Hire-According-to-a-Recent-CareerBuilder-Survey

(2) UAE Information Assurance Regulation v1.1 (March 2020), Controls M3.1.1 and M3.3.2.

(3) 95% of Successful Security Attacks are the Result of Human

Error:https://www.securitymagazine.com/articles/85601-of-successful-security-attacks-are-the-result-of-human-error

(4) UK HSE Leadership and Worker Involvement

Toolkit:https://www.hse.gov.uk/construction/lwit/assets/downloads/human-failure.pdf

(5) Meaningful Metrics for Human Cyber

Risk:https://www.scopeme.com/cybsafe/CYBSAFE-Meaningful+Metrics+whitepaper.pdf

Caption - Employees are often considered as the weakest link in the hashtag#cybersecurity chain. In this article, Ibrahim El Abed and Sourav Guha Roy cover some of the key elements of the human layer and also shed some light on the readiness to respond to cyberattacks from a human perspective. hashtag#cybersecuritytraining hashtag#cybersecurityawareness hashtag#CPX

Continue Reading

write

20 November, 2024

The Modern CISO Playbook: Top priorities for CISOs in 2025

Read now

30 August, 2024

Ask the Right Questions to Get Data Privacy Compliance Right

Read now

29 December, 2023

Navigating Cyberspace in 2024: A Sneak Peek into the Top Security...

Read now

14 December, 2023

Top systems integration challenges every organization must prepar...

Read now

29 August, 2023

Help ! My Facebook has been hacked

Read now

20 July, 2023

Security Product Research in the Lab: A fair chance to prove your...

Read now

20 July, 2023

The Cyber Security Conundrum: Balancing Ego and Expertise

Read now

20 July, 2023

The Internet Never Forgets

Read now

20 July, 2023

Top Cloud Security Risks and How to Address Them

Read now

02 May, 2023

A 5-Star Partner: Priming Your IT and Security Services for Success.

Read now

02 May, 2023

AI and Cybersecurity: A Tale of Innovation and Protection

Read now

02 May, 2023

How to Select a Secure Cloud Model, One Size Does Not Fit All

Read now

02 May, 2023

Making Sense of Public Ratings in Product Selection Process

Read now

02 May, 2023

Privacy Compliance: A Four-Step Approach

Read now

02 May, 2023

Securing Your Website – Gaining Online Customers’ Trust

Read now