Corporate cybersecurity training programs need a complete overhaul according to Nigel Phair, cyber security analyst and practitioner.
Phair spoke on a panel at the recent CloudSec 2022 conference in Sydney, hosted by Trend Micro.
“If you look at the stats on [cyber awareness training], and as the great Steve Waugh says, ‘Stats don’t lie’, it doesn’t work at all. As more and more organisations are rolling it out, there’s more and more data breaches, there’s more and more reports to the ACSC,” Phair told the audience.
“We’ve got a big disconnect somewhere.”
Pointing to phishing campaigns designed to trick employees into clicking bad links as part of a training exercise, Phair believes that users are being made to feel like they are part of the problem rather than the solution.
“The last thing we need to be doing is telling our users on networks that ‘You're the weakest link’, we need to flip that and say, actually, ‘You're our strongest ally’,” Phair told Digital Nation Australia.
According to Phair, the psychology around cyber awareness training needs to change in order to positively influence users, rather than leaning into fear and blame.
“It's all doom and gloom and ‘Stop doing this’ and ‘Stop doing that’,” said Phair.
“The reason I really say it doesn't work is our stats keep going up. 63,000 referrals, which is about a fifth of what it really is, to the Australian Cybersecurity Centre last year, it'll be more next year. $2 billion last year in the losses to cyber scams. So, if it was working, those figures would be trending down. But no, they're not, they're trending up. So we're completely, in my view, doing it the wrong way.”
Panellist Alana Maurushat, cyber-ambassador at NSW Cybersecurity Network, suggested that the training is being directed to the wrong group.
“You're assuming it's the users that need the training. Software engineers don't learn how to code securely in most institutions globally,” said Maurushat.
“People going to do MBAs don't take a unit in cybersecurity and how to interact with the CISO. So, the awareness and training isn't on the user, it’s on you. You need the training. I need the training. It's different types of training. So, the emphasis really is on the type of training that's required.”
According to Phair, we need horses for courses.
“Wouldn't it be great if we had secure products? So instead of having a DevOps person that’s just smashing out code, get them to do secure code, and it's properly tested and evaluated.”