Ask security professionals about the effectiveness of security awareness training, and you’re bound to get a wide range of answers. But regardless of the state of your company’s training program, keeping your employees educated about cybersecurity is an absolute must given the volatility and sophistication of today’s threat landscape.
If you have a well-oiled training machine, what can you do to keep it up to date in 2018? And if you don’t, where do you even start?
Fighting an Uphill Battle
The threat landscape has changed significantly since my time developing security awareness training for the government in the mid-2000s. Yet despite all the changes the security world has undergone since then, employees are still the first line of defense when it comes to mitigating risk. The more things change, the more they stay the same, so to speak.
During the last year I spent running a security awareness program, our security team had to ensure that almost 2,000 employees spread out among multiple locations took part in mandatory classes. We did everything we could to walk the fine line between hard-line policy and a lighthearted, interactive learning environment. While that tactic worked with certain individuals, it didn’t generate the desired results.
One of my takeaways from the experience was that the effectiveness of training programs varied by location. Employees who worked out of the head office were more likely to adhere to policies and security practices than those in remote locations. Since the IT and security department was located at the main office, perhaps employees there felt a greater imperative to be more mindful. For smaller companies with only one location, I can see enforcement being slightly easier. But for larger organizations, I believe the risk is multiplied because of sheer numbers.
Nonetheless, it’s clear that employees view security as a hindrance to their productivity. What can we do to get employees to adopt a more active role in protecting company assets?
The Case for Going All-In
Seattle-based beverage company Talking Rain is a great example of a company with a security awareness program that actually works. Using innovative online security training, employees take part in a 15-minute security awareness program every month.
Gina Harris, the company’s IT director, told me that the program is so well-received that employees actually tell others about it. “Employees are always accountable for being our first line of defense,” she said. “They love the Wombat training and often want to share the modules with their families.”
The company even posts inserts inside bathroom door stalls so employees can read about the program, and it issues awards to those who score 100 percent on the training. On the other hand, those who don’t complete their training will hear from HR.
Another component of Talking Rain’s security program scrutinizes employees’ knowledge of security basics using real-world scenarios. For example, the company sent phony phishing emails to determine whether employees would catch on to the scam or take the bait. Before long, users began regularly reporting malicious emails to the IT department.
Talking Rain also enjoys complete support and buy-in from the C-suite and the board. By pitching an effective security awareness program to top executives as if it were a “Shark Tank”-style presentation, Harris was able to communicate how employee education positively affects the bottom line.
Fostering a Culture of Security
Having discussed this topic with experts for many years now, it’s clear that a strong security culture breeds better employee engagement. That must come from the top down.
Srinivas Vemula, director for Open Source Practice and technical consultant for SenecaGlobal, said he has seen positive results when the C-suite is involved in the risk mitigation and threat categorization process — a critical precursor to any form of security awareness training. In one particular example, he pointed to a powerful team-building exercise in which executives split up into red and blue teams. In this gamified environment, one group performed a denial-of-service (DoS) attack on the Domain Name System (DNS) server while the other detailed how the company would defend against it. “These unconventional exercises will expose a company’s blind spots and are a great part of any security awareness program,” Vemula noted.
Still not convinced that cybersecurity training can help your company’s bottom line and improve its defenses? Perhaps you’ll be swayed by Gregory Touhill, author of “Cybersecurity for Executives” and the very first chief information security officer (CISO) of the U.S. as part of the Obama administration.
In an interview for BankInfoSecurity, Touhill recalled a conversation with a congressman who asked him how he would spend any extra dollars on cybersecurity. “I told him I would spend it on better training my people,” he said. “I find a very well-trained, well-informed workforce is better prepared to help an organization buy down their cyber risk. Everybody has a stake in cybersecurity and I would contend everyone is on cyber front lines. That training needs to be tailored and continuous for the entire workforce.”
Getting Started With Security Awareness Training
I sympathize with anyone responsible for developing, leading, teaching or having anything to do with security awareness training. As enjoyable as it was to passionately convey the importance of security to others, the frustration of seeing your hard work go unrecognized was palpable. The general consensus among our team was that we were fighting an uphill battle.
It doesn’t have to be like that. While you may be struggling to promote security awareness, I’ve talked to many experts who have been successful. If I could go back and do it all over again, I’d try even harder and use all the tools available to make the road to employee enlightenment as smooth as possible.
Unsure where to begin? The National Institute of Standards and Technology (NIST) published a great framework to help prod you in the right direction. But don’t be afraid to stray from conventional training methods. In my experience, unconventional approaches seem to be more effective than conventional ones.
At the end of the day, you must do whatever you can to educate employees about security risks. Failing to do so means leaving cracks in your first line of defense against cyberthreats — cracks that will only become harder to patch up as the threat landscape continues to rapidly evolve.