Improving attention and retention rates may have shown that humour is a better training tool than fear, but a security-training pioneer believes the two will come together productively as cyber insurers crack down on training and impending ‘Phishing 2.0’ features allow CISOs to engage with employees the second they click on a malicious link or attachment.
The new paradigm, which is being implemented within the Ataata security-training regime, will build on the filtering capabilities of the Mimecast platform to proactively intercept malicious email attachments as they are clicked, then deliver targeted and relevant training that will substitute for often-ineffective classroom training.
Mimecast already blocks those attachments but, the company’s senior vice president and general manager of awareness training Michael Madon said during a recent visit to Melbourne, leveraging them into an opportunity for real-time training would add long-absent immediacy to a process that has chronically failed to gain traction.
The recent Verizon Data Breach Investigations Report 2019 noted that employees were getting better at phishing simulations, with click-through rates having dropped from 24 percent to 3 percent during the last seven years.
However, 18 percent of the people that clicked on test phishing links were using mobile devices – highlighting a growing threat vector that had particularly savaged the manufacturing, professional, technical and scientific services industries.
Madon – a former US Army officer and Department of the Treasury intelligence officer – founded Ataata in 2016 and sold the company to Mimecast last year to help deliver more relevant end-user engagement and training to complement its expanding content-filtering portfolio.
Years ago, the abstract nature of most cybersecurity training motivated Madon – then well-entrenched in US government and working at the massive Pentagon office building – to look for a more engaging way to convince end-users to care about cybersecurity.
Despite the often catastrophic consequences of security breaches, this had proven far more difficult for most companies than one might expect.
“We were all having to take cybersecurity training,” he recalled, “and to the person – everyone was being really brilliant in finding ways not to take this training.”
“It’s amazing the amount of work that people were doing to not take the awareness training – and these are cyber people, doing cyber stuff. It was clear that no matter how important that training might be to your job, it’s still not cool – and I realised there was a problem here.”
His solution: find a way to make training more palatable and engaging for end users – something he accomplished by founding Ataata and building up a roster of content spearheaded by quirky lead characters Human Error and Sound Judgment.
Much more than a joke
The use of comedy – a core theme in an expanding training program that is now offered as Mimecast Security Awareness Training – had proven to be much better in improving end-user engagement than conventional programs that were primarily designed to scare users into safe behaviour.
“Fear totally works as a way of motivating people,” Madon said, “but in a corporate environment it’s not sustainable to do security that way. There’s only so far you can take it, and then people are just going to check out.”
Making education work took more than just humour: as the Ataata solution has evolved, the firm’s training modules have increasingly looked to incorporate foreign accents and cultural perspectives – first for the new British character Sound Judgement, and an upcoming character who is South African.
“For the vast majority of users, American humour has done well and people get it,” Madon explained, noting that the platform was increasingly able to be customised to suit local humour, corporate or cultural memes, and personal tastes. “But we’re bringing in different types of humour and bringing in people to our content, so that we have local flavour.”
A coming content module will use a cartoon motif to educate users and developers about DevSecOps – a key plank of organisation-wide, security-led transformation – but Madon noted that the shift towards Phishing 2.0 would soon mark a significant new stage in Ataata’s integration with the Mimecast platform.
With malicious attacks coming via email at a dizzying pace, Madon believes users will be far more engaged by a system that can engage them immediately when they click on an otherwise-damaging URL or attachment.
Better training is about more than just keeping users in their seats for longer, however: as human error continues to savage the best-laid security plans, Madon believes cyber insurance companies will increasingly require evidence that a company’s employees have completed meaningful cybersecurity training.
That evidence is generated all the time as employees complete modules and scanning systems paint a clear picture of the organisation’s threat profile – and, over time, he said, the burden would fall on CISOs to prove their staff were up to scratch.
“I like to think of assessing cyber risk from an actuary perspective like trying to land a plane on an aircraft carrier,” he said. “It’s constantly moving.”
“Insurers are having problems getting enough data – to the point where they are partnering with their competitors to create groups of preferred vendors and swap data. If you’re getting cyber insurance, absolutely read the fine print about what they will and won’t cover – and help them evaluate the risk using standards.”