Rachel Herren

Rachel’s Relevant Ramblings

I Already Know Not To Give Out My Password or Click On Links, Why Should I Care About Ongoing Cybersecurity Training?

You come into the office after a relaxing weekend, make your coffee in your favourite “Probably Beer” mug, open up your inbox, and right there at the top of the page is the monthly “You have been assigned Cyber Security Training” email. You sigh because you don’t know if you have it in you to watch another eight-minute animated cartoon about phishing emails, why your password is bad, and other ramblings. “I know how to protect myself,” you think, “this will never happen to me” (optimism bias is working HARD).

So, you put the training video on a separate tab on mute and continue on with your morning. Sound familiar? This exact scenario happens multiple times a day in companies all over the world. Unless your company is IT focused, the majority of the employees are going to be so far removed from seeing these technological threats first hand that they won’t spend any additional brain power thinking about them. They don’t know that the average cost of a data breach in 2022 was just under $4.35 million, or that 68% of security breaches involve a non-malicious human element (2024 Data Breach Investigations Report, Verizon Business). They just know that they have 55 minutes to complete a report and respond to multiple emails before the morning meeting. In just two minutes with a quick Google search I found YouTube videos, Reddit threads, and even LinkedIn posts referring to Cyber Security trainings as boring, repetitive ramblings and a “waste of time.” So why should you care?

Let me give you an example of an incident that happened to me. Recently, at 5:25 pm, I was getting ready to head home from my office job. I packed up my purse, slung my gym bag over my shoulder, and walked into the hallway of the building my company is housed in. It’s important to note that we share this building with two other companies that handle technology for Space, Defense, and Aviation systems.

My company is on the third floor, and from where I exit I have to walk down the hallway and across a small lobby to get to either the stairs or the elevator. Earlier that day I had noticed a door marked “Stairwell” near the other end of the hallway, and since it was much closer to me, I decided to give it a try and see where it let out. While I was going down the stairs, a young gentleman entered the stairwell from the second floor and almost bumped into me.

We both apologized, laughed, and made small talk while we walked down the last flight of stairs. Upon reaching the bottom of the staircase I noticed a badge reader on the wall next to the door and instinctively reached for my waistband as if I had my badge on. Before I could even say “I don’t think this is the way outside,” the gentleman next to me said “Don’t worry, I’ve got it,” scanned his badge, and gestured me through the door.

Next thing I know, he tells me to have a good rest of my day, and I’m left alone in a secure area of another company. Two different people walked by me while I stood there trying to figure out what to do, and neither one said a word to me even though I’m sure I looked disoriented.

Thankfully, after a few seconds I came to my senses, turned around, and walked back into the stairwell. But what would have happened if I had been a bad actor? I could easily have walked into any of the rooms down there, two of which I could see had computers in them, plugged in a USB drive, and within minutes had critical company information. I could have gotten employees’ passwords without them ever having to click, infected the network with a virus that didn’t require someone to open an attachment, or stolen money without having to spend countless hours scamming an accountant.

Cyber Security education doesn’t just teach you how not to be scammed by a stranger (i.e. the infamous Nigerian Prince email) using Microsoft Paint-drawn cartoons voiced by underpaid interns. It teaches employees why certain protocols are in place and why they have to take two extra steps to sign in to an application. It teaches what Social Engineering is, how to spot it, and the non-technical techniques it uses, such as tailgating (the technique used in the example above). Heck, it can even break down why you shouldn’t hold important Zoom meetings in Starbucks on the guest Wi-Fi in a way that helps Sharon from accounting finally get it.

In a systematic review conducted by Julia Prummer, Tommy van Steen, and Bibi van den Berg titled “A Systematic Review of Current Cybersecurity Training Methods” (published in Computers & Security, Volume 136, January 2024, 103585), it was found that the majority of the studies examined reported a positive effect from training, regardless of the topic addressed or the training method used. And in the 2021 State of the Phish Annual Report from Proofpoint, 80% of organizations said that awareness training reduced the phishing susceptibility of their employees.

But this is, of course, based on whether or not employees actually pay attention to these trainings. So, take those extra few minutes once a month to listen to a video about Password Management, play the game about Phishing emails in real life, and take the quiz about Insider Threats seriously. Otherwise, you never know: you too could fall victim to the young, polite Southern girl in the stairwell who makes a joke and has left her badge upstairs.

In 2023 I assisted Digital Beachhead with creating a yearlong Cyber Security training curriculum for employees that covered an array of topics including Social Engineering, Baiting, Impersonation, Phishing, and Spoofing. You can reach out for more information (and ramblings) about this program and more at (866) 879-1226.