As cybersecurity experts often like to say, humans are the weakest link in an organization’s security. Technology can only go so far in protecting data and other assets, but the end users can always undo the best of defenses.
“It’s a common thought that everything would be better if users were perfect,” Alex Stamos, at the time Facebook’s chief security officer, acknowledged in his Black Hat conference keynote speech in 2017.
Stamos added that shifting responsibility onto users is dangerous, and that users need safety nets.
“This modern world of technology is full of tight ropes and for the most part, we have not put any safety nets under those tight ropes,” he said.
While Stamos was addressing developers and white hats, this idea applies to companies. One of the best safety nets that organizations themselves can create is a user-awareness training program. Strong security takes a combination of technology, processes and people, and a security-awareness training program helps strengthen the people component of this strategy.
Successful security-awareness training programs have many elements in common. Here are some of the top ones.
Board and C-Suite Buy-In
A 2017 survey by global consulting firm Protiviti found that high-performing security programs are distinguished by having a board that understands and is engaged with security risks. Protiviti found that engagement and understanding have increased compared to 2015.
Part of the increased engagement may be due to the growing intensity of data-breach incidents and ransomware attacks like WannaCry. Every high-profile attack and news headline helps raise the level of board and C-suite security awareness.
But without an understanding of how the human factor plays a role in security, organizations may be putting all their eggs in the technology basket — especially those organizations that are still building their awareness-training programs. Leaders need to understand the human role in security awareness. Having adequate leadership support helps not only with resource allocation for security programs, but also assists with two other elements of a strong awareness program: the creation of a security culture and collaboration with other departments.
The awareness program is likely to be developed by the IT department, or perhaps Risk or Compliance, but implementation needs partners in other departments. Partners could help with a couple of key needs: delivery (in the case of live, in-person sessions) and dissemination. Some examples:
- The Human Resources department could help create policies that make the training mandatory, as well as track participation
- The communication director or another professional communicator could be recruited to deliver the training (after themselves being trained first)
- If the compliance department has a newsletter, a partnership with the compliance department could be used to distribute security-awareness content
Diversity of Tools
Long PowerPoint presentations are a thing of the past — at least when it comes to awareness training. Having employees stuck in their seats for 45 minutes listening to someone talk the entire time doesn’t create an engaged audience that will retain the material. (There’s even a special name for this problem: “Death by PowerPoint.”)
The best programs avoid this issue by using a variety of delivery methods, from video to interactive online modules and simulated phishing attacks. Even a 45-minute live, in-person session can become much more stimulating and engaging when it mixes a short presentation with other tools. Using several formats also accommodates different learning styles, and interactive, hands-on learning improves retention.
Some companies are also experimenting with gamification, which applies gaming principles to solving various business problems. Gamification reinforces positive security behaviors in a much more engaging, immersive and entertaining way.
The program needs to focus on the topics that will help users change their behaviors. Some common ones that apply to any sector include:
- Since almost every successful cyberattack or data breach begins with social engineering, employees at every level, all the way up to leadership, need to be trained on the most common social-engineering techniques.
- As the most frequently used form of social engineering, phishing (typically via email) is responsible for common incidents like business email compromise and direct-deposit schemes, so it’s imperative to talk about phishing on a regular basis.
- With today’s mobile workforce, many employees get work done on the go. And they don’t think twice about connecting their laptop or phone to a Wi-Fi network at a coffee shop, putting their work data at risk.
If employees are given information that they can’t relate to or don’t find relevant, they’re going to tune out any type of presentation. In the context of security, one way to make the training relevant is by connecting it to their personal lives. Many of the security lessons can be applied to their home and family life as much as work, and by connecting the dots, they’re more likely to be aware of how their behavior makes a difference in either environment.
Another way to make training relatable is by borrowing techniques from entertainers, like telling stories. Take a look at almost any commercial and you may realize why salespeople and marketers use stories. Neuroscience has shown that storytelling helps humans relate and compels them to act.
Humor is another way to make content relatable, and it doesn’t hurt to sprinkle humor into a security presentation. To see the impact humor can have, check out the story of the marketing phenomenon created by the Metro Trains agency in Melbourne, Australia. The agency’s three-minute animated video, “Dumb Ways to Die,” took a topic as seemingly boring as commuter train safety to a YouTube viewership of more than 169 million (as of August 2018). And more importantly, the agency saw a decrease in safety-related incidents.
Consistency and Metrics
Cognitive neuroscientists believe that it may take as many as six exposures to a piece of information before it is permanently memorized. That is to say, a successful awareness program is not a one-time activity, nor is it a once-a-year activity. It needs a regular, ongoing schedule that includes different types of activities delivered at appropriate intervals — some may be monthly, others quarterly or annually.
- Monthly emails from the IT team with refreshers on good cyberhygiene
- Semi-yearly online trainings
- An annual, “all hands on deck” company-wide session
Additionally, the impact and the effectiveness of the program and the various campaigns need to be measured. Some ways to do that include tracking simulated-phishing click rates before and after a module on email phishing, measuring participation in a gamified program, and so on.
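As an added illustration of the before-and-after measurement described above (this is example code, not part of the original article), the Python below aggregates simulated-phishing campaign results by training phase and reports the change in click rate, alongside the report rate as a complementary signal of whether people recognize and escalate suspicious email. The campaign figures are constructed sample data, and the minimum sample size is an assumption.

```python
"""Simulated-phishing program metrics, before and after a training module (added example)."""
from dataclasses import dataclass

# Constructed sample data (not from the article): one record per simulated
# phishing campaign, tagged with the training phase it belongs to.
# Fields: name, phase, emails_sent, links_clicked, emails_reported
CAMPAIGNS = [
    ("Q1 invoice lure", "before", 400, 96, 26),
    ("Q1 password reset", "before", 400, 112, 30),
    ("Q3 invoice lure", "after", 400, 40, 136),
    ("Q3 password reset", "after", 400, 52, 128),
]

# Assumed threshold: with fewer emails than this in a phase, rate changes
# are dominated by noise and should not be read as a training effect.
MIN_SENT = 100


@dataclass
class Metrics:
    sent: int
    clicked: int
    reported: int

    @property
    def click_rate(self) -> float:
        """Share of recipients who clicked the simulated lure (lower is better)."""
        return self.clicked / self.sent if self.sent else 0.0

    @property
    def report_rate(self) -> float:
        """Share of recipients who reported the email (higher is better)."""
        return self.reported / self.sent if self.sent else 0.0


def aggregate(phase: str) -> Metrics:
    """Sum every campaign in a phase so the rate reflects the whole population,
    rather than averaging per-campaign rates of different sizes."""
    rows = [c for c in CAMPAIGNS if c[1] == phase]
    return Metrics(
        sent=sum(r[2] for r in rows),
        clicked=sum(r[3] for r in rows),
        reported=sum(r[4] for r in rows),
    )


def compare(before: Metrics, after: Metrics) -> dict:
    """Rates for each phase and their change in percentage points, with a
    sample-size guard so tiny pilots are not reported as trends."""
    if min(before.sent, after.sent) < MIN_SENT:
        raise ValueError("too few emails sent in a phase to compare reliably")
    return {
        "click_rate_before": round(before.click_rate, 3),
        "click_rate_after": round(after.click_rate, 3),
        "click_rate_change_pp": round((after.click_rate - before.click_rate) * 100, 1),
        "report_rate_before": round(before.report_rate, 3),
        "report_rate_after": round(after.report_rate, 3),
        "report_rate_change_pp": round((after.report_rate - before.report_rate) * 100, 1),
    }


def phishing_module_impact() -> dict:
    """Convenience wrapper: compare the 'before' and 'after' phases in CAMPAIGNS."""
    return compare(aggregate("before"), aggregate("after"))


if __name__ == "__main__":
    for name, value in phishing_module_impact().items():
        print(f"{name}: {value}")
```

Tracking the report rate next to the click rate matters because a falling click rate alone can also mean the lure was weaker; a rising report rate shows the desired behavior actually spreading.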
As Dr. Kelly Caine of Clemson University’s School of Computing said during the 2017 Infosecurity North America Conference, “It’s actually executives, managers, system administrators, designers and coders — rather than users — that are the weak links in information security.”
A strong security culture starts at the top, but it also fosters the belief that security is everyone’s problem and responsibility. When the culture says that security belongs to everybody, the IT department no longer is fighting the battle solo.
To launch a program, start by assessing the needs and then begin creating the content. There are numerous online tools available, including free ones, so there’s no need to reinvent the wheel. The program, however, needs to be custom-tailored to each organization’s unique case, as well as the sector the organization operates in. When it comes to security, you can never be too prepared.
- Managing the Crown Jewels and Other Critical Data, Protiviti Inc.
- Ten Recommendations for Security Awareness Programs, Government Technology magazine
- Black Hat USA 2017, Las Vegas, Nevada, July 2017