Saturday, 04 February 2023

Security Awareness Training Versus Security Culture Building


We have all opened our emails and seen the message “you have annual security awareness training assigned”. This message is one that usually elicits eye-rolls and groans of frustration. Who wouldn’t be annoyed? After all, these trainings are simplistic, boring and they take time out of your day to get done. They also tend to have little to no effect on user security practices. Running phishing and social engineering tests in an environment will almost certainly yield the same groups of people.

The reason for this is simple. If you force something on people that is condescending and boring, they are not going to commit it to memory. In most circles the content of these trainings is the subject of jokes, making them even less effective for promoting good security practices. It is great for the vendors that provide these services and trainings, but other than checking off a checkbox for compliance you get little real-world benefit.

So what do you do? User account and endpoint compromise is one of the main methods for a security breach. We see phishing campaigns, watering hole attacks, drive-by attacks and social engineering listed at the top of root causes just about every year. This is despite the current methods for security awareness training being employed. Clearly something is not working with that annual or quarterly cycle.

To combat this, organizations should shift focus to building a security culture. Once security is ingrained as part of the culture it can be easier to maintain and have a more positive effect than mandatory cyclical training. This type of culture building starts at the top and does work its way down, as we have talked about. If the people at the top ignore good security practices, then so will others. No one likes to work somewhere that has a “do as I say, not as I do” message.

The culture building also must move people away from the thought process that a breach is inevitable. If you were to poll 100 people randomly on the street, you would find that the majority are not only unsurprised when a breach happens but expect to get a notification that their data has been compromised at some point. This resignation makes way too many people lazy with security practices in their work and home lives. Building the proper security culture can not only protect your organization but may prompt changes in the way people think about security outside of work.

Another very important part of building the right security culture is to present the work environment as a team. Develop the thought process that the acts of one can affect everyone and ensure that people are allowed to have their voices heard. Building a team dynamic and rewarding the successes of both individuals and the team creates the framework for the proper culture for security.

Breaking down internal walls and silos of operation is also vital to this. Far too often InfoSec and IT are walled off and only called when something is wrong. Bringing them into daily operations meetings can help them to understand where and how they fit into the business flow and create a relationship with the people that they are fighting to protect. To the userland population it puts a face to the names and also humanizes them, so that they are not just seen as the bad guys (the data police).

Building a security culture is easier said than done, but it can be done with the right buy-in and effort. Once it is up and running it does take very little effort to maintain. You can still have those checkbox-style trainings (if you really need them) to ensure you are compliant; only now you will actually have taken steps to improve the security of your organization and, in turn, the security of your clients as well.

Stay safe out there.

Last modified on Friday, 28 January 2022 09:49
