Security awareness training should 'change how people think'

Security awareness training must be high on the agenda of best practice when companies fight off cyber threats, experts concluded at the SC Congress London.


Such training schemes have been a big topic of conversation in recent months, but many in the information security world are still unsure how they are best employed. Should training be driven from board level, as BH Consulting founder Brian Honan suggested to this writer on Twitter, or is it better placed bottom-up, feeding through the roots of the company?

A panel of speakers voted in favour of bottom-up security awareness training at the SC Congress London on Tuesday, and argued that it is one of many best practices that should be employed to safeguard companies against possible data breaches.

Derrick Bates, trust information security officer at North Cumbria University Hospitals NHS Trust, said that his own training has resulted in staff becoming a lot savvier on the threat from the outside.

“The one big thing you have to do is educate your users, because if you do, you have an extra 3,000 people on your security team. They now come to me to tell me about phishing emails, or people pretending to be from IT team or recruiters. My users challenge them.”

“My education awareness programme and newsletters take a lot of time but it pays dividends.”

Bates added that businesses need to ask six questions, ‘who, what, where, when, how and why', about IT infrastructure and incoming threats to have “95 percent [of the information] to take upstairs to the C-level corridor.”

Sarah Stephens, head of cyber & commercial E&O for Aon EMEA, agreed that awareness training should underpin protecting assets and said that the security messages need to get back to end users. “Bringing [security] back to the individual works well for IT security professionals.”

Bates added that his awareness programmes were focused on ‘ordinary folk' but insisted that these must not teach or preach, because workers have enough on their plate already.

“The whole thing with security awareness training is not to teach…they have too much [on]. What I am trying to do is to change the way they think and perceive what's around them. That's how you get in the C-level corridor, you don't go at them and convince them they're doing something wrong.”