english deutsch

The Human Firewall

published February 2018

A new and key way to train your employees to avoid heightened cyber breaches has come to my attention and I really would like to share this with companies, this is state of the art training and will reduce risk.
I had the privilege to talk to Cyber Security Expert Kevin Ekeland, who is Managing Director of PNW Management Consulting.

When I look at HR and the Code of Conduct, and specifically here the employees which play an integral part in ensuring that a company does not get hacked, I realize that we have to do more than just a “clicking through” training.
You are absolutely right, many of us who have worked in corporate environments have gone through annual compliance training on among other things cyber security awareness and best practices as an employee. I don’t know about you but I always dread these trainings, they can be long, boring and definitely felt like a ‘check the box’ activity for some audit committee requirement. If I step outside of my employee shoes and put on my company hat, I have to believe that this kind of training is ineffectual, and the data

Kevin Ekeland

supports that. A study done at the University of Massachusetts found that 51% of employees are not adequately prepared for today’s cyber world, while the vast majority of data breaches involved human behavior issues. You can install the best security technology available, but if your employees are not properly trained you have a massive vulnerability in your company. In addition, data privacy and security regulations are changing in both Europe and the US with new rules going into place this year via the GDPR in the EU and new Financial Services Industry regulations being put in place in New York that require cyber security training for employees.

I understand that one of your clients is ThreatReady Resources, who have set up a more effective training process to ensure greater security for corporations going forward.

ThreatReady Resources is a cyber security training company that based on my 20+ years in
the cyber security industry has taken a better and more effective approach to this issue.

They have built their methodology on Learning Science Principals that have been proven to get results. Instead of doing a big training session once a year, ThreatReady Resources builds an individualized program that incorporates these learning principals over the course of a year.

ThreatReady Resources

This includes:
• Micro Learning Bursts – introduce concepts in small, digestible nuggets that produce a high engagement learning experience
• Spaced Retrieval – testing knowledge after an intentional time delay has been proven to increase long term retention and better
   understanding
• Interleaving – introduce new concepts while also reviewing concepts introduced previously
Again, this is built into a program that is specific to an individual organization’s risks and runs across a full year instead of the ‘one and done’ approach.

Can you tell me a little more on their concept?
When you sign up with ThreatReady Resources you will go through an intake process to determine the specific requirements for your company. In addition to the cyber security training ThreatReady Resources also provides phishing simulation services to evaluate your companies’ readiness. From the intake process a set of recommendations and calendar are produced along with all of the appropriate training modules and materials. This calendar will show on a monthly basis what activities will take place and incorporates the learning principals of micro burst learning, spaced retrieval and interleaving that we just discussed. ThreatReady Resources is able to very quickly create an engaging and effective training program for you.
              Please have a look at the video:
    Cybersecurity: Building the Human Firewall from ThreatReady Resources.

Cybersecurity: Building the Human Firewall

What in your opinion is the risk with employees these days in the digital age?
As we discussed earlier in the University of Massachusetts study 51% of employees were not ready for today’s cyber environment, and the vast majority of breaches involved human behavior issues. In my opinion the highest cyber security risk in any company are the employees. Again, we can put the best security technology in place but if employees are clicking on links they should not or are not using adequate passwords none of the security technology we have installed matters. I think cybersecurity awareness training is the most effective tool a company has against being breached.

Do you know how high the revenue risks are of one wrong click in from an employee – on average for a mid-size company?
The cost of a cyber breach continues to rise, IBM estimates that the average breach cost US$7M, and this does not factor in things like reputational damage and weakening of the brand. In addition it is becoming increasingly common for Executives and even Board Members to be held personally liable for cyber breaches, and many companies find that their Errors and Omissions insurance does not fully cover cyber security risk. A lot of attention gets paid to security technology, which is critical to protecting your company from cyber security risks. But it is also very important to take cyber security employee training just as seriously to ensure your company is in its best security posture.