Posted under: Research and Analysis
In our last post, we explained the concept of Continuous Contextual Content as a means to optimize the effectiveness of the security awareness program. It’s the acknowledgment that users won’t get it, not at first anyway. So that means you need to reiterate the lessons over and over (and probably over) again. But when do you do that? Optimally when their receptivity is at a high, and that’s when they’ve made a mistake.
Ergo you determine the relative risk of the users and watch for specific actions or alerts. When you see this behavior, deliver the training within the context of what they see at that moment. But that’s not enough. You want to track the effectiveness of the training (and your security program) to get a sense of what works and what doesn’t. If you can’t close the loop on effectiveness, you have no idea if your efforts are working and how to continue improving the program.
To solidify the concepts, let’s work through a scenario that will allow us to go through the process step by step. Let’s say you work for a large enterprise in the financial industry. Senior management increasingly worries about ransomware and data leakage. A recent pen test showed the general security controls implemented are effective, but the phishing simulation part of the test showed over half of the employees clicked on a pretty obvious phish. And it’s a good thing the CIO has a good sense of humor since the pen tester got full access to his machine via a well crafted drive-by attack that would have worked against the entire senior team.
So your mission, should you choose to accept it is to implement a security awareness training for the company. Let’s go!
Start with Urgency
As mentioned, your company has a pretty well-established security program. So you can hit the ground running since a baseline of security data already exists. Next, identify the most significant risks and triage immediate action to start addressing the issues. Acting with urgency serves two purposes. It can give you a quick win, and we all know how important it is to show value immediately. As a secondary benefit, you can start to work on training the employees on a critical issue right away and start the process.
As your pen test showed, phishing creates the most problems for the organization, so that’s where you should focus your initial efforts. Given the high-level support for the program, you cajole the CEO into recording a video discussing the results of the phishing test and the importance of fixing the issue. Having a message like this makes sure everyone understands the urgency of addressing the problem and that the CEO will be watching.
Following that, every employee completes a series of 5 3-5 minute training videos walking them through the basics of email security with a required test at the end. Of course, it’s hard to get 100% participation on anything, so you’ve already established the consequences for those that choose not to complete the requirement. And those that have a hard time passing the test can get additional help from the security team.
It’s a balance between being overly heavy-handed, but also understanding the importance of training the users to defend themselves against email attacks. You also need to ensure the employees know about the ongoing testing program and that they’ll be periodically testing. That’s the continuous part of the approach. It’s not a one-time thing.
Introduce Contextual Training
As you execute on the initial phishing training effort, you also start to integrate the security awareness training platform with the existing email, web and DNS security services. This integration involves getting a trigger when an employee clicks on a phishing message, automatically signing them up and delivering a short (2 – 3 minute) refresher on email security. Of course, delivering contextual training requires flexibility because the employee may be in the middle of a critical task. But you set the expectation that the employee needs to complete the training that day.
Similarly, if the employee navigates to a known malicious site, the web security service sends a trigger, and the web security refresher runs for the employee. The key is to make sure the interruption is contextual and quick. The employee did this, so they have to get training immediately. Even a short delay will impact the effectiveness of the training.
Additionally, you’ll be doing ongoing training and simulations with the employees. You’ll do some analysis to pinpoint the employees that can’t seem to stop clicking on things. These employees can get more intensive training and potentially escalation if they continue to violate the corporate policies and put data at risk.
After the initial triage and integration with your security controls, you’ll work with the HR team to overhaul the training delivered during their on-boarding process. Remember that you are now continuously training the employees, so you don’t have to spend 3 hours teaching them about phishing and the hazards of clicking on some links.
Alternatively, the on-boarding shifts to focus on establishing a culture of security from Day 1. This involves educating new employees on the online and technology policies and acceptable use expectations. You also have an opportunity to set expectations for the security awareness training program. Make it clear employees will be tested on an ongoing basis and inform them of who sees the results (their managers, etc.), and also the consequences of violating the acceptable use policies.
Again, a fine line exists between being draconian and being clear about setting expectations. If the consequences have teeth (and they should), employees must know that and sign off that they understand. We also recommend you test each new employee within a month of their start date to ensure they comprehend the security expectations and have retained the initial lessons.
Start a Competition
As your program settles in over six months or so, it’s time to shake things up again. You can set up a competition, indicating the company will be competing for the Chairperson’s Security Prize. Yes, you need to get the Chairperson on board with this, but that’s usually pretty easy since it helps the company. The prize needs to be impactful and go beyond bragging rights. Maybe you can offer the winning department an extra day of holiday for the year. And a huge trophy. Teams love to compete for a trophy that they can display prominently in their area.
You’ll set the ground rules, which involve an internal red team and hunting team attacking each group. You’ll be tracking how many employees fall for the attacks and how many report the issues. Your team can try physically breaching the facilities as well. You want the attacks to dovetail with the ongoing security training and testing initiatives to reinforce the security culture.
Run another simulation
You’ll also want to stage a wide-spread simulation some months after the initial foray. Yes, you’ll be continuously testing the employees as part of the continuous nature of the program. But getting a sense of company-wide results is also helpful. You’ll want to compare the results of the initial test against the new test. Are fewer employees falling for the ruse? Are more reporting spammy and phishing emails to the central group? Ensuring the trend lines are moving the right direction give a push to the program and also justifies the ongoing investment. You feed the results into the team scoring of the competition.
Wash, Rinse, Repeat
At some point when another high profile issue will present, you should take a similar approach. Let’s say your organization does a lot of business in Europe and GDPR presents a significant risk for your organization. You’ll want to train the employees about how you define customer data and how to handle this sensitive data.
Next, you determine if you need to do a special training for the issue or whether you can integrate it into the bi-annual more extensive training that happens for all employees. Every six months the employees sit for maybe an hour and watch an update to both new tactics used by hackers, as well as any changes to the corporate security policies.
After the training completes, you roll out new tests to highlight how customer data could be lost or stolen. Factor these new tests into the competition as well to keep the focus on both the changing nature of security and also the ongoing contest.
Once the program is humming along, we suggest you pick a new high priority topic every six months and make that the focus of the semi-annual scheduled training. As part of staging this new topic, you’ll integrate with the relevant controls to enable ongoing contextual training and do an initial test (to set the baseline) and track improvement over time.
You’ll also want to do a more comprehensive set of reports that track the effectiveness of the awareness training and deliver this information to senior management (and perhaps the audit committee). Maybe each quarter you report on how many contextual training efforts employees received and if the employee made the same mistake after receiving the training. You’ll also want to report on the overall number of successful attacks and the trends of which attacks work and which get blocked. Being able to map those results back to the training topics makes an excellent case for ongoing investment in the program.
At some point, the competition will come to an end, and you’ll crown the winner. We suggest you make a big deal of the winning team. Maybe you can record the award ceremony with the Chairperson and send it out as part of the company-wide newsletter. You want to make sure all of the employees understand security is essential and visible at the highest echelons of the organization.
Understand it’s a journey, not a destination and ensure consistency in the implementation of the program. Add new focus topics to extend the knowledge of your employees, keep the content current and interesting over time, and hold your employees to a high standard making sure they understand the expectations and consequences for violating corporate policies. Building a security culture requires patience, persistence, and accountability. Anchoring your security awareness training program with continuous, contextual content will go a long way to establishing this security culture.
So with that, we’ll wrap up the Making an Impact with Security Awareness Training series. Thanks again to Mimecast for licensing the content, and we’ll have the assembled and edited paper available in the research library within a couple of weeks.
*** This is a Security Bloggers Network syndicated blog from Securosis Blog authored by firstname.lastname@example.org (Securosis). Read the original post at: http://securosis.com/blog/making-an-impact-with-security-awareness-training-quick-wins-and-sustained-impact