Our hopes for 2025
Happy new year from the Mindshift team. While a new year full of complexities driven by technology advancements is a given, we hope to see positive change in how we defend against cyber-crime through improved cyber education and greater support for those security leaders tasked with improving the cyber security posture of their companies and our country.
The Verizon 2024 Data Breach Investigations Report stated that 68% of breaches involved a non-malicious human element, such as a person falling victim to a social engineering attack or making an error. That is a staggering statistic, and one we feel is often overlooked by companies working on improving their resilience to data breaches.
Making security easier for people
Despite security budgets continuing to be spent on the latest and greatest technologies and security tools out there, we still rely on us mere mortals to detect and prevent scams. That’s a big ask of people, most of whom are trying to get on with their jobs and are not security experts.
Security ‘stuff’ is perceived as a burden by many, especially when the personal value (what’s in it for me) isn’t conveyed – think 2FA, still a painful experience for plenty of people. It’s our hope that, where possible, technology makes security easier, not harder, for people. Using a passkey to authenticate might take a bit of explaining the first time round, but it’s certainly an easier method of authenticating than other, clunkier methods.
Those of us working in cyber roles may not be aware that security features, terms and behaviours are still somewhat new and challenging to many people. We cannot assume because we know what a password manager is that everyone else does too. It’s our hope that we show empathy to people as good cyber behaviours become embedded in their day-to-day, and that we understand security can be annoying or difficult for people, regardless of their age and stage in life, or their job.
Think about new systems. Is the security developed with the human in mind? When we download an app, for example, wouldn’t it be great if features like access to the camera, contacts and microphone were disabled by default? That would fill a training and awareness practitioner’s heart with joy! It’s our hope that technology is secure by design and secure by default when we install it.
Dedicated training and awareness roles
For those of us working in cyber security, and especially in training and awareness roles, please know that the work you do is vital. It can be a thankless job at times, especially for those working in large organisations. It’s our hope that the work we do is valued and appreciated.
The SANS 2024 Security Awareness Report says, “the most important variable that correlates with mature awareness programmes is the size of your security awareness team.” Locally, we suspect there are fewer than 20 full-time training and awareness professionals, with most organisations relying on off-the-shelf, cookie-cutter training or a few hours here and there from someone in the security team. It’s our hope to see more training and awareness roles emerging, especially in large organisations.
Leadership support
For those leading cyber security in your organisation, it’s our hope you establish a support structure, both technical and otherwise, to help you navigate the demands of your complex and constantly evolving role.
We would love to see more leadership support for T&A programmes – helping people understand why they need to use 2FA, report suspicious activity, and use strong passphrases is not something we can stop doing. Technology leaders and security managers, please remember that not everyone understands security the way you do. Be kind to people who do their best – it’s your job to support them. It’s our hope that training and awareness programmes have strong leadership support.
Measures of success
Behavioural change is tough to measure, but it is possible – find one or two things which demonstrate that some (it doesn’t have to be all!) people are taking notice. Hold focus groups, do surveys and polls, and come up with simple metrics to show how your investment in training and awareness is making a difference.
Training is more than phishing simulations
Doing regular phishing is NOT cyber security training and awareness! It remains one component, potentially diminishing in value and effectiveness with each passing year as different threats and risks emerge. We are still very stuck in the mindset of needing to do phishing testing; we must think wider, and vendors must come up with more innovative ways to educate the workforce. People have possibly become cynical about phishing testing: they may click “for fun” and fail to report. It’s our hope to see less emphasis on phishing testing as a silver bullet to solve your cyber security training needs and to prevent people responding to phishing.
Tailored training and awareness
Relying on a platform to be your training and awareness programme is NOT an awareness programme! We need real humans to develop tailored programmes, with role-based training, nudges and just-in-time awareness communications. If you have a subscription to a platform but aren’t using it (much), or aren’t getting good results from the material, then get help from your provider ASAP. It’s our hope that people understand cyber security training needs to be tailored to the organisation and the role to be effective.
We hope to see organisations mixing their training and awareness programmes up to keep them fresh and innovative. Rolling out the annual compliance training just doesn’t cut it anymore – your workforce deserves better. E-learning, especially in large organisations, remains an important component of any awareness programme; in fact, it is the foundation. But those organisations that invest in e-learning should also “do” awareness. Ask your training provider what customised awareness you also get with your subscription! Use available channels to reinforce training messages – that is what awareness is. It’s our hope that organisations do more than annual tick-box training.
We hope to see face-to-face training (including virtual) make a comeback. Much can be learned from discussions and hearing different points of view – it’s the follow-up questions or challenges to a topic that provide the best learning opportunities. Prebuilt, overseas recorded content prevents this interactive learning style, which has been proven to be most effective at delivering complex content. Always give real-life examples; group sessions are great for those.
Finally, it’s our hope that cyber safety is seen as a life skill valued by everyone.
Happy 2025 everyone! If you’d like help, our team are here for you.