ISE has spent many years consulting with clients across different industries about managing security risk across the business, including training staff on recognizing attacks as they occur. What I notice is that sometimes people think about managing cybersecurity risks and what comes to their mind is encryption of data, patching vulnerabilities, or having endpoint detection software to block threats. But the truth is, we can’t ignore the human element of cybersecurity. Many threats prey on personal vulnerabilities along with those directly related to technology itself.
When we give our staff, vendors or partners access to our systems or information, we are giving them power. Usually, the qualification of that access is business expertise and need. For example, when we hire a new accountant to work in the business, we are concerned about how skilled an accountant they are, not so much how savvy they are when it comes to technology and security. But once that accountant joins our team, it’s now up to us to make sure they act responsibly when utilizing technology. For the sake of managing risk, we should all be scrutinizing the security awareness of our teams, both internally and externally. Let’s take a few moments to review what elements go into creating a strong security awareness training program for your business.
Easy Engagement and Fundamental Content
Many people think about the threats out there and get caught up in having training that is perfect and crams every last detail about security into it. Unfortunately, that’s impossible for a few reasons. Not only is security awareness a very broad topic, but most people can only invest so much energy into this kind of training. They are experts in their field and some of them don’t even like technology and find all of this to be a bother.
Each training campaign or exercise needs to be simple for the layperson. It can’t last for hours every week. It should be more like an hour of total content here and there for most individuals who work in a business (as opposed to security engineers or technology managers). Think of it as just enough content that an average person could consume it maybe during a long lunch break, or between meetings. The burden needs to be minor.
Content itself should be relatable and simple. One approach would be to speak to everyday experiences. Talk about common attacks, such as email phishing, social engineering, password compromises, and of course what a ransomware attack looks like. Instead of explaining exactly how all these attacks work technically, focus on what the end user experienced before, during, and after these attacks. By focusing on them you will be priming your team to be experts on the threats they are most likely to face.
Tailored To Your Specific Risks
Security management as a whole is personal and unique to the organization. A plan for one organization might do many things to address risk but would also likely leave some holes when it comes to having an actual robust approach to security. The same should be said for security awareness training.
Certainly, there are some elements that should be common to all programs, such as teaching people about the threat of phishing or ransomware, but the way these threats apply to different organizations needs to be addressed in training. How do your people work day to day, and based on that, what are the things they should understand about these threats? For example, phishing and social engineering will mean something different to someone who has access to things like company payroll or sensitive source code information than they do for a receptionist who may send more casual emails. That’s not to say that there isn’t a risk for the receptionist, but rather that those risks and implications are different. We need to focus on the outcomes that are specific to our team.
If you haven’t defined your workflows and your risks, that’s where you should start. Your leaders within your organization need to understand what kinds of events can impact the business and then relate those events to plausible security incidents, such as data exfiltration, ransomware, credential abuse, and so on. Once you know how security issues create impact, you can communicate with your people about what they should know.
Procedure and Regularity
You’ve probably worked at a place where you received some training that you were told was important, and then after you completed it you never heard about it again. Well, unfortunately that can sometimes be the case for security awareness training in many organizations. This kind of mentality usually comes from a manager who decides “we need to do this” and then loses interest after they mistakenly think that the job is done.
Security Awareness Training, much like security management as a whole, is an ongoing process. It’s never really complete. Yes, your team will get through the assigned exercise and learn something, but it’s the reinforcement and updating that creates a culture of security. That’s the real goal of training. We want to create a team of people who look out for the security interests of the organization. It won’t be possible to get people to recognize every threat and be a security expert, but we do want our team to know how to respond to threats, communicate with their peers and management, and be good “data custodians” who are mindful of how they handle sensitive information.
Pleasant and Enjoyable / Diverse Approach
I think everyone can relate to sitting through a training for a long time and eventually zoning out. We have a limited attention span and security is one of those things that many people mistakenly think is not something they play a part in. So, we must overcome two big hurdles in order for our training program to be effective. Just like a good public speech, performing in a play, or doing stand-up comedy, it’s all about the delivery. Try to make your approach to training pleasant enough so that your team is ready and willing to engage with it, rather than dreading its inevitability.
Here are a few tips to help:
- If it’s an online module, try to keep each module in easily consumable “chunks” that are perhaps 15-20 minutes in length.
- Try to have some variety in the message. Many online tools will have sketches, cartoons, or other diverse ways of delivering the message.
- It’s good for modules to have knowledge checks and other interactive elements to make sure the message is coming across and to keep the user engaged. It’s even better if those interactive elements are scattered throughout the module, as opposed to backloaded after the lesson.
- Consume the content yourself first and ask yourself “How would I feel if someone asked me to do this?” Some modules may have patronizing tones or may be too goofy for your team. What’s good for some people may not be good for others so keep your company culture in mind.
- Spread things out. Never let it feel overwhelming to your team. Anything that can be done to reduce negativity and increase engagement is a good thing.
Management Prioritization
I’ve helped many organizations in the past organize their training programs, and one recurring theme that can take away from the effectiveness of a program is management that thinks they are “too good” or “too smart” to have to do the training.
More importantly, management sets the culture for training. When managers care about it and prioritize their training and that of their teams, staff will grasp that security awareness training is important and that they must follow their leaders. On the other hand, staff that observes management taking a casual approach towards security will look at training as a chore and something to check off a list. They will rush to do something that’s barely considered acceptable and won’t internalize the security message.
There’s a lot more that can be said about creating a good security awareness training program. The most important thing to remember is that we need to be consistent and disciplined. You have to care about what you are doing and value training as a practice. The goal is to create a culture of security where people are mindful about what they do. When you plan properly and keep these rules in mind, your training program will both be accepted by your staff and meet your security goals.
Training your staff is only one element of creating a strong security strategy. Just as important is building and maintaining applications, devices, and networks with security in mind, so that phishing and social engineering attacks on the user cannot so easily succeed. It is critical that regular security assessments from a trusted third party are a part of that strategy, so that you know what your actual threats are and how you can defend against them. Contact ISE today to learn more!