Last year, organizations cut their cybersecurity budgets dramatically in a matter of days, CEO of Curricula Nick Santora told CyberNews. But cybercriminals did not go anywhere. If anything, they became more aggressive.
Curricula’s mission is to make cybersecurity training fun, even if that might sound hard to believe. Regular PowerPoint presentations about the latest news in cybersecurity compliance doesn’t seem like a fun way to learn, does it?
“When you think of training, you cringe. You think that it’s going to be so bad, and really boring,” Nick Santora said.
Prior to founding Curricula, he spent several years protecting the US power grid from hackers. He was a cybersecurity specialist in Critical Infrastructure Protection (CIP) for the North American Electric Reliability Corporation (NERC). His career was focused on working with utilities across North America to educate them on how to keep their infrastructure safe from the bad guys.
We created a cast of characters, of heroes and villains, and stories that can help visualize compliance and security in a way that makes sense for people,Nick Santora said.
“We had to teach the most boring regulatory standards that probably exist in this country – cyber for electric grid infrastructure,” he told CyberNews.
Audits have shown that people responsible for protecting the grid didn’t learn much about cybersecurity during the annual training sessions. The content, as he put it, was boring, everyone hated it, and no one learned anything about it.
To put a long story short, Santora and his colleagues developed a NERC CIP oriented cybersecurity training program and then moved beyond that.
“Fast forward to today, we’ve not only expanded to security awareness to help companies from every industry – from schools to non-profit organizations, to start-ups, to the largest financial institutions in the world, but now we are moving into more of an online learning component. This means helping with remote working, helping companies handle the other remote learning stuff that they have to do as part of this bigger equation with employees working from home,” Nick Santora said.
What he considers fun cybersecurity training is… superheroes.
40% click rate on phishing emails
Because of the pandemic and the economic implications that followed, organizations had to cut their cybersecurity budgets.
“We had companies that wrote us emails in March, getting ready to onboard with us, and then, after their budgets got cut a week later, they said they are not doing anything until 2022,” Santora said.
The problem is that malicious hackers don’t go away just because companies cut their budgets.
“If anything, they’ve come in more aggressive scales than ever before because they use news like this as leverage points to get indoor. Unfortunately, IT administrators, CISOs, and information security teams had their hands tied behind their backs, knowing that they have a bigger problem with fewer resources to do something about it,” Santora said.
Curricula runs a phishing test for every new client so that they would get a snapshot of their cybersecurity situation.
“We somewhat see around a 40% click rate on the first phishing test with the new customer. It is pretty dramatic,” Santora said.
There is plenty of material about subjects related to cybersecurity. The problem is that most of it is dry and boring, Santora claims.
Instead of making PowerPoint presentations, he turns to storytelling and introduces heroes and villains to the cybersecurity training. For example, a malicious hacker DeeDee.
“We created a cast of characters, of heroes and villains, and stories that can help visualize compliance and security in a way that makes sense for people. We are used to communicating through stories all the time. We designed a world where you can create a narrative about a different concept to someone in a couple of minutes. This world has memorable characters and is informative,” Santora said.
How does it work? For example, DeeDee runs a phishing simulator and sends employees malicious letters. If you report the phishing email, DeeDee would say Nice job. If you fail to do so, you get an email from DeeDee, saying Haha, I got you.
Curricula also regularly creates new episodes about cybersecurity. The company has a content arm responsible for new episodes.
“It is a part of a bigger picture to get employees actively engaged all year long so that they are always on their toes,” Santora explained.
He believes that this approach works. Not only because scores and other analytics show it, but because employees are talking about DeeDee and other characters outside the training platform. For example, they create Slack channels about DeeDee.
“If you want to become a big muscle-man and be really healthy, you can’t do that just by eating a salad and going to the gym once a year. You have to train and be really into this. It’s the same with security awareness,” Santora believes that cybersecurity training has to be constant.
Lack of motivation
Why should I care whether my employer gets hacked?
“I do not think that employees wake up in the morning and think how they can’t wait to get to work and watch 75 PowerPoint slides, and can’t wait to help the IT department catch phishing. That’s not their thing. They are coming to do their job,” Santora said.
In most cases, an employee will not get fired just because his account was hacked.
I feel that we are setting employees up at a disadvantage. We treat employees a little bit unfairly in that equation. Of course, an employee is going to be a weak link if you will not educate him at all about your best practices,Nick Santora said.
“Motivation is a struggle for a lot of organizations and is heavily compliance-driven. When we look at organizations that are motivating employees to do something, it’s based on fear and compliance. Sometimes that works, but that doesn’t drive a long-term behavior change. There have to be incentives to motivate employees along the way,” Santora said.
We keep hearing that it’s people, and not technology, who are the weak links in cybersecurity. But that might be unfair.
“I feel that we are setting employees up at a disadvantage. We treat employees a little bit unfairly in that equation. Of course, an employee is going to be a weak link if you will not educate him at all about your best practices,” Santora said.