Standard Chartered Bank’s Global Head of Training and Awareness shares how leaders need to shift their cybersecurity rhetoric to enable a culture of empowerment of employees, rather than seeing them as ‘the weakest link’.
ADAPT’s COVID-19 research has found that on any given day, 43% of employees will be working remotely. Throughout the pandemic, employees have proven they can be secure remote workers – dodging phishing emails and communicating reliably.
With the cybersecurity prompts of the physical office absent, training needs to target specific risks, with a greater focus on phishing attacks.
At ADAPT’s Security Edge event, Ellie Warner speaks to Senior Research Strategist Aparna Sundararajan about the post-COVID future of cybersecurity training, revolving around practical labs, snackable modules, cyber wikis, and the use of heat maps and behavioural analytics.
Thank you so much for talking to us, Ellie. My first, I mean, first of all, a great, great panel, really incredible insights.
As always, I wanted to pick your brain a little more on the changes that you have seen, or that we should come across, in cybersecurity awareness and training as we move to these more diverse, dispersed and digital ways of working and remote working within Australia and New Zealand.
What we’ve seen is 43% of employees will be working remotely on any given day for most organisations.
In that scenario, should cybersecurity awareness and training change completely?
That’s a great question, isn’t it? Good old Darwin, his principles still remain very much alive and well. If we don’t adapt, we really will perish.
And all organisations and all the employees and people behind organisations, if nothing else, this year we have shown how incredibly resilient we are, but also how we can adapt to change.
I would like to start with that positive aspect, not that I like to talk about positives in light of COVID because it’s had so many terrible implications on our lives and livelihoods, but some lessons that we’ve learned that we might be able to fold into our work.
The first one is we’ve shown that we can adapt. Within the security world, we tend to look at humans, possibly, sometimes, as we use these terms like “weakest link” and “repeat offenders”, rather than thinking about creating a culture of empowerment.
I would love us as a security profession to actually acknowledge the incredible adaptability that our teams have shown during COVID, not just the security teams provisioning people to work at home through provisioning of laptops and desktops and VPN, but also all of our end users.
They have shown that they can be trusted; they can send emails securely. They don’t succumb to all those tactics, like people impersonating health officials around COVID. So let’s acknowledge that.
The other thing we have to acknowledge, of course, and how that impacts our new program design is the level of phishing-related attacks around COVID.
I mean, the multiple-hundred-percent increases in COVID-related phishing attacks, people trying to scam people out of money relating to donations, impersonations of health officials on the phone for voice phishing.
Obviously, our training and awareness has to adapt to that and make sure that we’re doing more awareness around phishing.
The third thing I’d say, in the lessons learned before we talk about the program, is mental stress.
Before COVID, when you walk into a building, your office building, you’re wearing your office suit, aren’t you, and you go in, and you’ve got your lanyard, and you scan in, and you realise you’re in a place of work or a government agency.
And automatically you’re thinking as a security agent, how can I protect my customers’ data? How can I protect the bank or company data?
When you’re working from home, you don’t have those same kinds of physical nudges. You don’t have the posters in the pantry. You don’t have the videos running in the cafe. You don’t have your security champions or colleagues around going “Hey, is this a phishing email?” All of those have gone; those prompts have gone. Those have been the three main learnings for us.
That’s a very interesting point that you’re putting out there. And that’s what someone else talked about, cybersecurity awareness tests, actually. People in the organisation who used to pass those cybersecurity awareness tests failed now because they could not really cheat. They were not within the organisation.
I want to get back to the point of the mental stress, when, during the crisis and during the absence of visibility, it seems like people would be highly prone to succumb to these attacks.
Do you foresee the cybersecurity training to actually tackle that aspect of fear, scepticism and stress?
And how would we create training programs around that?
Look, very, very much so. The threat landscape we operate in, even pre-COVID, when we were going to a physical office every day, is incredibly dynamic.
And as fast as we’re training and arming and empowering and educating people, threat actors are coming up with new nefarious ways to try and steal data or information, whether it’s personal or professional.
We’re constantly having to adapt anyway and evolve on our go-to-market approach.
What COVID has taught us is we’ve got to move from this culture of fear, and “humans are the weakest link”, to this culture of enablement.
And we need to be more human about the way that we help people do their jobs securely. And look, companies around the globe have shown that we can move to remote working and still serve our customers and still sell products and services in a safe environment.
Some of the things that we’re looking at are: how do we provide more of what we call lunch-and-learn sessions virtually? Or what we call practical labs on topics like phishing. So we’re running quite a few of those now.
We’re also trying to use new learning platforms rather than kind of big modules. We’re trying to chunk things up a bit more. Snackable bite-sized modules, infographics, little videos, podcasts, little quizzes.
We’re really trying to cut through all that noise out there, and also make it very easy for employees to find stuff when they need help.
We’ve written little cyber wikis, so we’ve created one around working from home. What do you need to know? What are the remote collaboration calls you can and can’t use that haven’t been approved by the organisation?
We’ve got to make it much more human and personal, rather than carrying on doing things the way we’ve always done them.
Well, guess what? All those standard operating procedures, they’ve been ripped up, and we’ve had to completely rethink how we go to market and how we engage people on a topic that’s already complex enough.
And now we’ve got this extra layer of working from home. So, the more human approach I’d say overall.
What do you think is going to help us? Are there any tools, technologies, systems, processes? What should organisations go for right now?
That’s a great question. We always talk about people, process and technology, don’t we, in the cyber world?
I want to start with the people side. One thing that I’ve been enormously proud of, I’d say, in my organisation is the compassionate leadership approach we’ve taken in the bank.
As leaders, we have got to use the right kind of rhetoric and language: How can we help you do your job well, securely?
How can we help you protect your home environments as well? Now it’s all personal/professional. It’s all linked anyway.
How do we help them and take that tone from the top and really say that we’re here, we’re here to help you, to educate, empower you and arm you?
Some of the tools and processes that we’re looking at, certainly in my team, and I’m sure many of the enterprises that are at the ADAPT conference today are also looking at this: how do we use data to really help us pinpoint the specific risks, threats and vulnerabilities we’re trying to address?
We don’t have endless budgets. We’re trying to address a hundred thousand people around the globe in different countries.
We’ve got to be quite specific about the risks and vulnerabilities.
On my side, for the human risks and vulnerabilities we’re trying to address, we’re using data and then heat maps and behavioural analytics, which is a proof of concept we’re working on at the moment, to really double down on what learning interventions we need to set up, whether it’s data leakage, whether it’s more phishing, whether it’s classifying data, and automation as well.
The faster we can automate things, the better.
We have a robotics and AI function in the bank we’re working with. We’re looking at how we can automate some of this stuff. We’re working with vendors on adaptive learning.
Those are going to be really useful tools for us so we can serve up the right learning content at the right time, to the right people, to address the right risks.
Your knowledge gap might be here, and Ellie’s knowledge gap might be here.
I want to set up different types of learning interventions, don’t I, rather than having this one size fits all.
We’ve got to be a bit innovative; you’ve got to challenge yourselves. You might have always done it this way, but actually now is the time to probably take a fresh look and see what kind of tools and processes we can implement to manage the human risk better.
That’s amazing. That’s brilliant. We’re right on time, so before leaving, I’d ask you what your one piece of advice would be for those next year to focus on when we talk about cybersecurity and awareness. If they don’t do anything else, they have to do one thing, what would that be?
Let’s treat people as adults. They have shown with this pandemic that actually they can learn. They can adapt; they can respond to an ever-changing landscape.
So let’s change the rhetoric from weakest link to actually our first line of defence.
Let’s treat them like adults. Let’s enable them, empower them, arm them, talk about it in their language, strip out the jargon, make it relevant, make it personal.
Now, with all of us working, as you can see from my home office here, I’ve got my home network device. I’ve got my work network VPN.
We want to make sure that we’re arming, empowering and enabling all people to be as safe and secure as they can, whether it’s at home or at work.
Thank you so much for talking to us.