Security awareness training on its own is not enough to protect an organization from the human element that attackers exploit.
Alethe Denis is a Senior Security Consultant at Bishop Fox and is well known for winning the social engineering Capture the Flag at DEF CON in 2019. She recently delivered social engineering training to the United States Army Special Operations Command and has presented numerous security awareness trainings to organizations across different industry verticals. She joins us to share her insights on the gaps in many security awareness programs and how to address them.
The Gap in Security Awareness Training
Alethe acknowledged the tremendous leap security awareness training has made in the last decade or so, especially in social engineering awareness. However, there is still a strong reliance on computer-based learning and PowerPoint presentations. As she observed, there still exists a "gap in our understanding of how to properly implement security awareness training."
One of the biggest issues, according to Alethe, is that many companies equate training with behavior change, when in reality training is only the first step.
I believe wholeheartedly that we can't become complacent and just assign computer-based learning and videos to folks; to sit them down with a PowerPoint presentation and expect humans to engage with that content and then retain that content and put it into practice.
The Next Step After Training
An effective security awareness program doesn't just schedule a training course and note who clicked and who didn't. It digs into the human factor: it analyzes what was effective and what was not, and then considers additional ways of delivering education to the diverse members of the organization.
As with cybersecurity in general, there is no one-size-fits-all magic bullet that says exactly what a successful security awareness program will look like. For each organization it will depend on:
- Company Culture
- Geographical considerations
- Business priorities
- Buy-in from business leaders/management
For more insights on what to consider when evaluating an awareness program, check out our conversation with Nadine Michaelides, CEO of Anima People, which helps organizations do just that.
Testing and Diversifying
One approach to evaluating the effectiveness of training is an A/B test, as in marketing: deliver two different pieces of messaging content to two groups and compare how each performs. Then test the individuals who took that training again a few weeks or months later to determine the 'stickiness' of each approach.
What I believe is critical is that if you are responsible for running a security awareness training program, you are deploying different types of content out to your population, your community of employees, and you are measuring how effective those training campaigns are using testing.
Doing so lets you adjust your approach, either by supplementing the training with different kinds of resources or by adjusting the training itself. Options range from short, to-the-point security awareness videos (Wizer can definitely help with those!), to gamifying aspects of the training or participation, to dripping fun memes throughout the month as casual reminders, and more.
Alethe notes, "It's important to use a variety of different types of training, measure how effective those are using testing, phishing or phone phishing testing, and then finding the way to make it resonate with your audience."
Because ultimately we are protecting people here, not just company data.
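The A/B evaluation and stickiness retest described in this section can be reduced to a few numbers per cohort: click rate, report rate, whether the gap between the two variants is larger than chance would explain, and how much each rate drifts by the follow-up campaign. The script below is an added example, not code from the original post or from Bishop Fox or Wizer; the cohort labels ("A" for short videos, "B" for a slide deck), the campaign names and every result row are constructed for illustration, and the significance check is a plain pooled two-proportion z-test using only the standard library.

```python
"""A/B evaluation of two security awareness training variants from
phishing-simulation results. Added example; not code from the original
page or from Bishop Fox / Wizer. Cohort labels, campaign names and all
result rows are constructed for illustration."""
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    user: str
    cohort: str       # "A" = short videos, "B" = slide deck (hypothetical labels)
    campaign: str     # simulated phish sent right after training vs. weeks later
    clicked: bool     # followed the simulated phishing link
    reported: bool    # used the report button / forwarded the email to security


def _rows(cohort: str, campaign: str, click_every: int, report_every: int,
          n: int = 20) -> list[SimResult]:
    """Build n constructed rows; every click_every-th user clicks, every
    report_every-th user reports (a user may do both)."""
    return [SimResult(f"{cohort.lower()}{i}", cohort, campaign,
                      clicked=(i % click_every == 0),
                      reported=(i % report_every == 0))
            for i in range(n)]


# Constructed sample: 20 users per cohort, tested at week 1 and again at week 8.
SAMPLE: list[SimResult] = (
    _rows("A", "week1", click_every=5, report_every=2)    # 4 clicks, 10 reports
    + _rows("B", "week1", click_every=2, report_every=5)  # 10 clicks, 4 reports
    + _rows("A", "week8", click_every=4, report_every=2)  # 5 clicks, 10 reports
    + _rows("B", "week8", click_every=2, report_every=10) # 10 clicks, 2 reports
)


@dataclass(frozen=True)
class CohortMetrics:
    n: int
    clicks: int
    reports: int

    @property
    def click_rate(self) -> float:
        return self.clicks / self.n

    @property
    def report_rate(self) -> float:
        return self.reports / self.n


def summarize(results: list[SimResult], cohort: str, campaign: str) -> CohortMetrics:
    rows = [r for r in results if r.cohort == cohort and r.campaign == campaign]
    if not rows:
        raise ValueError(f"no results for cohort {cohort!r} in campaign {campaign!r}")
    return CohortMetrics(len(rows), sum(r.clicked for r in rows), sum(r.reported for r in rows))


def two_proportion_z(x1: int, n1: int, x2: int, n2: int) -> tuple[float, float]:
    """Pooled two-proportion z-test. Returns (z, two-sided p-value)."""
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:                      # both cohorts at 0% or 100%: nothing to compare
        return 0.0, 1.0
    z = (p1 - p2) / se
    p = math.erfc(abs(z) / math.sqrt(2))   # 2 * (1 - Phi(|z|))
    return z, p


def compare_variants(results: list[SimResult], campaign: str,
                     a: str = "A", b: str = "B", alpha: float = 0.05) -> dict:
    """Which variant did better in one campaign? Click rate is the primary
    metric (lower is better); report rate breaks ties (higher is better)."""
    ma, mb = summarize(results, a, campaign), summarize(results, b, campaign)
    z_click, p_click = two_proportion_z(ma.clicks, ma.n, mb.clicks, mb.n)
    z_report, p_report = two_proportion_z(ma.reports, ma.n, mb.reports, mb.n)
    recommended = None
    if p_click < alpha:
        recommended = a if ma.click_rate < mb.click_rate else b
    elif p_report < alpha:
        recommended = a if ma.report_rate > mb.report_rate else b
    return {
        "click_rates": {a: ma.click_rate, b: mb.click_rate},
        "report_rates": {a: ma.report_rate, b: mb.report_rate},
        "click_z": z_click, "click_p": p_click, "click_significant": p_click < alpha,
        "report_z": z_report, "report_p": p_report, "report_significant": p_report < alpha,
        "recommended": recommended,   # None means: inconclusive, collect more data
    }


def stickiness(results: list[SimResult], cohort: str, first: str, later: str) -> dict:
    """Drift in a cohort's rates between the first and a later campaign.
    Positive click delta = behaviour decayed; negative report delta = same."""
    m0, m1 = summarize(results, cohort, first), summarize(results, cohort, later)
    return {"click_rate_delta": m1.click_rate - m0.click_rate,
            "report_rate_delta": m1.report_rate - m0.report_rate}


if __name__ == "__main__":
    print(compare_variants(SAMPLE, "week1"))
    for c in ("A", "B"):
        print(c, stickiness(SAMPLE, c, "week1", "week8"))
```

With 20 users per cohort a gap of 20% versus 50% click rate is only just significant at alpha = 0.05; a smaller gap, or a smaller pilot, will land in the "inconclusive" branch, which is the honest answer rather than a reason to declare a winner. Report rate is tracked separately because the two can move independently: a cohort can stop clicking without ever starting to report, and it is the reporting behaviour the later sections of this post care about.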
Make It Relevant at Home and At Work
Since the end goal is behavior change, it's important to communicate the benefit to people as individuals. The good ol' WIIFM (what's in it for me) needs to be answered as much for the top-level exec as for the regular employee. One solid approach is to connect the message to the individual's personal life, so that the benefits of security feel relevant and land with more impact.
The ideal is to move an individual from simply being able to recite the telltale signs of a phishing email to understanding what manipulation feels like and recognizing the emotional triggers it relies on, even at home. As phishing attacks continue to evolve, individuals who understand the underlying defensive principles will be more consistently successful at spotting new variations. And habits formed at home are often brought to work, which is exactly the positive behavior we want training to produce.
We prioritize where we spend our time and energy based on what's going to benefit us or impact us in a negative way the most severely. It's really important to remember that we are dealing with people and that people need to be properly motivated in order to take action.
Create a Culture of Reporting
Another gap where Alethe sees many companies miss the mark is in creating a culture of reporting. Getting employees to a level of caution where they are skeptical of, and scrutinize, every email they receive is a great first benchmark, but a robust security awareness program needs to go beyond it. By cultivating an environment where employees are encouraged and enabled to report easily and regularly, they become empowered to take action rather than just delete. In the bigger picture of security at home and at work, this empowerment lets individuals take ownership of their digital activities.
There has to be this culture of reporting. We are a team. We play together, we lose together, we win together.
When more individuals within an organization own their security behavior, the business gains a safety net. Everyone can have an 'off' day, but with more people invested in proactively protecting themselves, and hence the company, those gaps get covered by the group as a whole.
The Big 3
To summarize, security awareness training should be more than a one-and-done event. For an effective program, managers should:
- Evaluate the effectiveness of the current training
- Test different forms of content to see what resonates best with your team
- Foster the idea and culture of reporting
While this is no small task, Alethe recommends leveraging your vendors to help make the case for the value of the program and to cover the constraints you have on your time and the inability to be everywhere at once. "Your vendors are writing the reporting that your C-level will see and who will decide what your budget is...Leverage those assessments to your benefit."
As someone who works in a security firm serving businesses, Alethe says this has been part of her own role with her clients: "Essentially what I've done mostly over the last few years is translate the woes of security teams into language that demonstrates the value of giving additional resources to those security functions within organizations. Because without compromise, it's highly unlikely that those who have the ability to add budget will see the value in giving that budget for these teams."