These 7 Questions Proved Employee Cyber Training Isn’t Nearly Good Enough
Here’s a hard truth about protecting your network, infrastructure and applications: most organizations are doing a poor job of training their employees to spot phishing attempts and other potential threats. And that leaves those organizations unnecessarily vulnerable.
Training solutions provider TalentLMS tested 1,200 employees to see how skilled they were at identifying potential risks as they arrive in their inboxes or pop up on the internet. The results are, frankly, a bit discouraging.
A majority of the workers surveyed (59%) received cybertraining from their employers, largely due to the uptick in cyberattacks aimed at taking advantage of a new global remote workforce. Of those trained employees, 61% failed a basic seven-question test. If the test questions were real-world exploit attempts, those unwitting employees would have handed hackers the keys to the front door—and even held it open for them.
The 7 deadly questions: Take the test
To help put this into context, here are the seven test questions respondents answered. (Four or more wrong answers constituted a failing grade.) I’ve provided an answer key at the end of this blog so you can test yourself if you like. But don’t cheat! Cheating is cutting corners, and cutting corners is a terrible idea in Security.
1. Which of the following passwords would outsmart a hacking attack?
2. Which of the following file types have the potential to be harmful? (select all that apply)
3. How does ransomware work?
- It self-replicates and searches for unsecured systems
- It steals sensitive information and relays it to external users
- It denies access to your data unless a fee is paid
- It gives unauthorized access to a malicious user on your system
4. USB drives are harmless if you insert them to see the content, but not run anything.
5. If your laptop is password protected then its files are safe, even if the device is stolen.
6. Which of the following actions should you take to keep an important document safe? (select all that apply)
- Digitize the document and encrypt it on a protected computer
- Lock the document away in a safe
- Destroy the print document in a shredder
- Upload it to the cloud
7. You receive a suspicious-looking email from your CEO that contains a link. What would you do?
- I would click on the link
- I would check if the sender address matches the CEO’s, and if it does I would click on the link
- I would send a message to the CEO through a different communication channel asking if they sent me an email with a link
- I would delete the email without clicking the link
(Again, you’ll find the answer key at the end of this blog.)
Security professionals might look at this test and dismiss it as laughably easy. But for employees whose jobs don’t involve security—and for whom following security protocols is an unwelcome if necessary burden—these questions and situations represent a murky, uncertain world they know little about. That even goes for workers who have received training. In fact, of respondents who answered all seven questions incorrectly, 80% had received cybersecurity training. That’s the harsh reality when it comes to protecting your perimeter. It’s porous—and to some extent unavoidably so.
The trouble with hygiene
Cyber hygiene is a mercurial thing, and mastering it requires diligence. (Like real-life human hygiene, it helps to tend to it every day.) You can insist employees strengthen their passwords, and chances are many probably should (the world’s most common password is “123456,” and it was exposed 23.6 million times in 2020). A stronger password is a good start. But other common tactics can lead to stolen credentials, which could then allow bad actors to access parts of your infrastructure the hacked employee may not even know exist.
So by all means, train your employees. But if you’re taking the time and effort to do so, rely on a training program whose effectiveness is proven—rather than just tips from some Googled listicle. Hacks are growing more sophisticated every day, which may actually make mediocre training an even bigger danger than no training at all. (Want proof? The TalentLMS survey found 74% of respondents who failed all seven test questions said they feel safe from cybersecurity threats!)
Take control over what’s within your control
It’s foolhardy to think your employees, even if meticulously trained, will prevent every breach. Because it’s one thing to mull over phishing scenarios when you’re being asked to mull over phishing scenarios. It’s another thing entirely to be a busy, distracted employee who receives an email from the CEO they’re working hard to impress and responds to it, unaware that they’re playing into the hands of hackers.
So in addition to effective training, you’ll want the added insurance policy of a strong vulnerability management program. The thinking here is simple: If you can’t count 100% on workers to sniff out sophisticated exploit attempts, you’ll need backup. And since employees are hard to control entirely, it makes sense to focus on what’s already within your control: the network and infrastructure assets you’re responsible for.
A robust, modern vulnerability management program will provide that backup. Leveraging extensive threat data, vulnerability intel, data science, and predictive algorithms, the best vulnerability management solutions weigh the relative risk that every known vulnerability within your infrastructure poses to your business. The most advanced solutions will even predict the likelihood of a specific vulnerability being weaponized. That way, you can focus on and fix the vulnerabilities that matter most, and stop wasting time chasing vulnerabilities that aren’t a risk.
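To make the prioritization idea above concrete, here is an added illustration that is not part of the original post and not any vendor's scoring model. It assumes three inputs per finding (a CVSS base score, an exploitation signal of the kind a threat-intelligence feed or predictive model would supply, and the business criticality of the affected asset), combines them into a single risk score, and orders the findings accordingly. The weights, the placeholder vulnerability identifiers and the sample inventory are all constructed for the example.

```python
"""Risk-based vulnerability prioritization (illustrative, not a vendor model).

Added example: the inventory, the identifiers and the weighting are
assumptions made for this demonstration. The point it shows is that the
finding with the highest CVSS score is not necessarily the one to fix first
once exploit likelihood and asset criticality are taken into account.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str            # placeholder identifier, not a real CVE reference
    cvss: float             # CVSS base score, 0.0 - 10.0
    exploit_seen: bool      # active exploitation reported (assumed intel feed)
    exploit_prob: float     # predicted chance of weaponization, 0.0 - 1.0 (assumed model)
    asset_criticality: int  # 1 (disposable) - 5 (crown jewel), set by the asset owner


def risk_score(f: Finding) -> float:
    """Severity x likelihood x business impact, scaled to 0-100."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"cvss out of range for {f.asset}: {f.cvss}")
    if not 0.0 <= f.exploit_prob <= 1.0:
        raise ValueError(f"exploit_prob out of range for {f.asset}: {f.exploit_prob}")
    if not 1 <= f.asset_criticality <= 5:
        raise ValueError(f"asset_criticality out of range for {f.asset}")

    severity = f.cvss / 10.0
    # Confirmed in-the-wild exploitation overrides the model's prediction.
    likelihood = 1.0 if f.exploit_seen else f.exploit_prob
    # Criticality scales the result between 0.6 (least critical) and 1.0.
    impact = 0.5 + 0.5 * (f.asset_criticality / 5)
    return round(100.0 * severity * likelihood * impact, 2)


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest risk first; ties broken by raw CVSS so the order is stable."""
    return sorted(findings, key=lambda f: (risk_score(f), f.cvss), reverse=True)


def triage(findings: list[Finding], threshold: float = 10.0):
    """Split into (fix_now, defer). Deferred items are tracked, not ignored."""
    ranked = prioritize(findings)
    fix_now = [f for f in ranked if risk_score(f) >= threshold]
    defer = [f for f in ranked if risk_score(f) < threshold]
    return fix_now, defer


# Constructed sample inventory for the demonstration.
SAMPLE_FINDINGS = [
    Finding("web-prod-01", "VULN-PLACEHOLDER-1", 9.8, False, 0.05, 3),
    Finding("db-prod-01", "VULN-PLACEHOLDER-2", 7.5, True, 0.90, 5),
    Finding("dev-laptop-17", "VULN-PLACEHOLDER-3", 5.3, False, 0.40, 1),
    Finding("vpn-gw-01", "VULN-PLACEHOLDER-4", 8.1, False, 0.70, 5),
]


if __name__ == "__main__":
    fix_now, defer = triage(SAMPLE_FINDINGS)
    print("Fix now:")
    for f in fix_now:
        print(f"  {risk_score(f):6.2f}  {f.asset:14s} cvss={f.cvss} {f.vuln_id}")
    print("Defer (monitor for changes in exploit activity):")
    for f in defer:
        print(f"  {risk_score(f):6.2f}  {f.asset:14s} cvss={f.cvss} {f.vuln_id}")
```

Run as written, the CVSS 9.8 finding on `web-prod-01` lands in the deferred list because nothing suggests it is being exploited, while the CVSS 7.5 finding on `db-prod-01`, which is under active exploitation on a critical asset, goes to the top. Deferred findings should be re-scored whenever the exploitation signal changes; the whole value of the approach is that the ranking moves with the threat data.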
The truth is, training your employees to maintain better cyber hygiene is necessary, but it’s not nearly good enough. You simply can’t control what employees do and learn, not entirely at least. But you can control how effectively you manage the vulnerabilities that, in the end, those bad actors are really after.
Do that, and you’ll be relying on a program that’s much better than good enough.
Did you take the test? Here are the correct answers:
- Q1. @bgfjjjdb4M#67£
- Q2. All file types can be harmful
- Q3. It denies access to your data unless a fee is paid
- Q4. False
- Q5. False
- Q6. Digitize the document and encrypt it on a protected computer and Destroy the print document in a shredder
- Q7. I would send a message to the CEO through a different communication channel asking if they sent me an email with a link