The Human Brain and Cybersecurity Training
Email Security 26-Oct-2022 12:01:33 Max Harper 7 min read
"Humans forget approximately 50% of new information within an hour of learning it. That goes up to an average of 70% within 24 hours and 90% after a week."
~ Source: studies by cognitive science expert Art Kohn.
You probably won't remember this blog post, but let me tell you why...
The Ebbinghaus forgetting curve.
The forgetting curve is a mathematical formula that originated in 1885 with Hermann Ebbinghaus, who was among the first scientists to perform experiments to understand how memory works.
Here's a great infographic about the Forgetting Curve covering factors that impact our ability to remember. http://elearninginfographics.com/memory-retention-and-the-forgetting-curve-infographic/
So, let's make the connection to cybersecurity awareness training for our users...
You've tried the following traditional methods:
𝙓 Online training content
𝙓 Classroom based training
𝙓 Brought in guest speakers
Yet, your users are still clicking those dodgy links?!!
You may be thinking:
"Garrr! Damn you Forgetting Curve. There's an operational cost to pulling staff away from their day jobs to spend time on these.... Management won't keep letting me do this without seeing an improvement." ~ Most IT Managers
Why is training our employees so important?
Statistics. Sources: Verizon Data Breach Report; independent surveys conducted by research house Vanson Bourne, commissioned by Sophos; CSOonline.com; Phishing Statistics 2020.
Why are the people in our organisation such a target?
Hacking a human is easier than hacking software.
A low-skilled cyber criminal can hack a human. It takes a highly-skilled cyber criminal to be able to hack software.
It started with a phish...
Cyber attacks are multi-staged, co-ordinated and the norm.
For example, a phishing email could install malicious code that takes advantage of a software vulnerability to install ransomware or steal your credentials.
How can we overcome the Forgetting Curve?
There are a number of methods educators use to help their learners challenge the Forgetting Curve. Here are a couple of examples:
Spaced Learning - aimed at supporting the retention of skills and increased productivity in the long-term.
Spaced learning is a methodology where learners are presented with material they have to learn in a timed session, with a short break provided after they've completed it.
It's effective because it strengthens memory retention: the learner studies the information, then periodically returns to review it in order to retain the knowledge.
Think a short insight into 'Phishing 101' with regular phishing simulation exercises run.
Make it accessible - If you want your training content to stick, learners need easy access to the content wherever they are, at any time of the day.
The cybersecurity industry used to deal with a lack of training content. Now there's lots of it, but employees have day jobs to be getting on with, and the feedback we commonly hear some months after an organisation gains access to third-party training content is that all of the 'good stuff' has dried up.
And let's not forget how easy it is for a user to hit next, next, next, next, complete whilst they're waiting for the kettle to boil before their next tea run...
But we have CAUTION: External Email banners... why are users not reading these?
It's a best endeavours approach, right?
CAUTION: This email originated from outside of the organization. This message might not be safe, use caution in opening it. If in doubt, do not open the attachment nor links in the message.
But seeing something hundreds of times a day in your inbox that is pretty much saying:
Email 1 - This could be dangerous
Email 2 - This could be dangerous
Email 3 - This could be dangerous
Email 4 - This could be dangerous
Email 5 - This could be dangerous
is what we call 'banner fatigue'. It becomes part of the email body real estate for your user and goes from being an education and awareness control to an IT 'well, we told you so' type of feature.
The eyes look, but the brain sees.
The science to back this up is that the human brain translates the information it receives from the eye into something that we can understand. Because the brain omits the information that comes in while the eyes are moving, our visual world is perceived mostly during fixations, the short periods of time (approximately 200-300 milliseconds long) when the eyes are stationary. While reading an email, for instance, our eyes are in motion only 10%-20% of the time.
During each fixation, our brain must select the visual information most relevant to perform the task at hand. We have an ability to attend to or focus on one or several sources of information while ignoring the rest, or at least reducing their significance. This could explain why IT managers are finding their static email warning banners ineffective.
Finding the happy middle ground...
1. 'an ounce of prevention is worth a pound of cure'
If we take a step back, phishing emails in an ideal world would not even be reaching our employees' inboxes. They would be stopped at the Email Gateway.
But, that's not the case.
Phishing attacks (and cybercriminals' tactics in general) are constantly evolving. They use many sophisticated techniques to evade detection by email security controls.
Traditional SEGs (Secure Email Gateways) provide excellent email hygiene by filtering spam and malware. However, they are reactive and can struggle to deal with both links and payloadless attacks that can slip through the net.
2. How can we catch the stuff that our SEGs are unable to detect?
The team here at Spear Shield recommends what Gartner has coined: an Integrated Cloud Email Security solution (ICES).
Gartner explained in its guide: "[ICES] email security solutions use a variety of advanced detection techniques, including NLU, NLP, social graph analysis (patterns of email communication), and image recognition."
Findings in IBM's Cost of a Breach Report showed that organisations with AI-based security solutions — such as ICES — experienced a significant reduction in data breach costs, cutting breach costs from $6.71m to $2.90m.
Microsoft 365 now includes a rich set of foundational email hygiene capabilities, and we're seeing our customers re-allocate spend to ICES solutions while using 365 to take advantage of existing investments and avoid duplicating third-party SEG security capabilities.
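As an added illustration of the "patterns of email communication" idea in the Gartner quote above, and of how a contextual warning avoids the banner fatigue described earlier (this is not Spear Shield's, Gartner's or any ICES product's code): warn a recipient only when a sender is absent from their own mail history, or when a familiar display name arrives from an unfamiliar address. The organisation domain, the message history and the threshold are constructed assumptions.

```python
"""
Contextual external-sender warning built from a recipient's own mail history.

Instead of a static banner on every external message, warn only when the
sender is one the recipient has never corresponded with, or when a familiar
display name arrives from an unfamiliar address. The log format, domain and
threshold below are constructed for this illustration, not any vendor's model.
"""
from collections import defaultdict

INTERNAL_DOMAIN = "example.org"  # assumed organisation domain

# Constructed history: (sender_addr, sender_display_name, recipient_addr)
HISTORY = [
    ("jo@partner.example", "Jo Bloggs", "amy@example.org"),
    ("jo@partner.example", "Jo Bloggs", "amy@example.org"),
    ("jo@partner.example", "Jo Bloggs", "amy@example.org"),
    ("ceo@example.org", "Sam Boss", "amy@example.org"),
]


def build_contact_graph(history):
    """Map each recipient to {sender_addr: (display_name, message_count)}."""
    graph = defaultdict(dict)
    for sender, name, recipient in history:
        known_name, count = graph[recipient].get(sender, (name, 0))
        graph[recipient][sender] = (known_name, count + 1)
    return graph


def warning_level(sender, name, recipient, graph, min_history=2):
    """Return 'none', 'first-contact' or 'lookalike' for one inbound message."""
    if sender.rsplit("@", 1)[-1].lower() == INTERNAL_DOMAIN:
        return "none"  # internal mail gets no external warning at all
    known = graph.get(recipient, {})
    if known.get(sender, ("", 0))[1] >= min_history:
        return "none"  # established correspondent: stay quiet
    # A display name the recipient already knows, arriving from an address
    # they have never seen, is the impersonation pattern worth a loud warning.
    for addr, (known_name, _count) in known.items():
        if known_name.lower() == name.lower() and addr != sender:
            return "lookalike"
    return "first-contact"  # below min_history and no name match: new sender


if __name__ == "__main__":
    g = build_contact_graph(HISTORY)
    print(warning_level("jo@partner.example", "Jo Bloggs", "amy@example.org", g))
    print(warning_level("sam.boss@webmail.example", "Sam Boss", "amy@example.org", g))
```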
3. Where does user education come in?
With an ICES solution, you can teach employees the dangers of a sophisticated phishing attack in real time.
✔️ Detect the threat
✔️ Educate the user
✔️ Remediate the threat
✔️ Mitigate the risk
The proof is in the pudding...
We've explored in this blog post (if you still remember!) why traditional cybersecurity awareness training methods may be proving ineffective...
The team here at Spear Shield is changing the game with end-user awareness training and has helped several organisations increase visibility of threats evading their existing defences and reduce employee click rates from 70%+ to 0% using this approach.
Check out our latest customer success story below on how an Ipswich-based construction firm was able to slash its employee click rates.
https://www.egress.com/media/nq1d1caz/castons_customer_story.pdf
Interested to learn more?
Spear Shield are currently running a FREE Email security assessment that can help you identify:
- Total number of Dangerous and Suspicious emails detected landing in employees' inboxes throughout the engagement
- Insight into the top types of phishing emails your organisation is receiving
- Insight into the top types of payloads being used in the phishing emails your organisation is receiving
- Insight into your Supply Chain Health (DMARC status of inbound emails)
- Insight into whether there are live phishing attacks sitting in employees' inboxes that can be remediated together
- Phishing Simulation results (with and without an ICES solution implemented)
- Previous caught user analysis breakdown
- Insight into how many users were stopped in their tracks at the link advisory page
- Insight into the reporting heroes in your organisation
- Insight into what device type your employees are engaging business emails on. (mobile, PC, both)
- Consultative recommendations for security best practice
If you'd like to learn more, you can visit https://www.spearshield.co.uk/real-time-end-user-awareness-training or contact the team today:
01473 948980
About Spear Shield
Here at Spear Shield, we are continuing to invest in our goal to create one of the most cyber-secure client communities in Suffolk, East Anglia and across the UK.
Our approach is to work closely with IT teams and business leaders to help identify cyber risk, understand core business drivers and challenge the conventional approaches to legacy cybersecurity strategies to enable our customers to exceed their cybersecurity goals.
Spear Shield has a portfolio of award-winning cybersecurity solutions and services that we align to enable our customers to be able to solve even the most complex and advanced cybersecurity challenges.
The team at Spear Shield specialises in:
- Mitigating the risk of social engineering attacks and human-activated cyber risk
- Real-time asset discovery, device security and compliance
- 24/7 Managed Threat Hunting and proactive Incident Response
If you would like to learn why organisations are choosing to secure with Spear Shield, please do contact a member of the team to arrange a confidential conversation today.
The team has several years' experience working within both the private and public sector, has a very consultative approach and would welcome the opportunity to learn more about your organisation.
Max Harper
As CEO and Co-Founder, Max is dedicated to Spear Shield’s mission of creating one of the most cyber secure client communities across Suffolk, East Anglia, and the UK. By working closely with business leaders and IT Teams, Max’s approach is to understand core business drivers, challenge the conventional approaches to cybersecurity strategies and enable our customers to articulate risk and exceed their cybersecurity needs.