
Role Based Security Awareness Training: Training Those Who Don't Think They Need It

Stephen Moramarco, December 19, 2017

Introduction

Security awareness training is essential for every person who has an email account and/or access to your company network. This can include everyone from the CEO to the receptionist; however, not everyone in the company needs the same type of training. Therefore, it’s important to configure your program around the people being trained, not the other way around. Here are a few ideas to consider for each level.

C-Level Executives

When it comes to educating the top executives about security, one of the main challenges may be time: these types of positions usually involve long hours and lots of meetings. With that in mind, training sessions should usually be short and to the point.


Another issue may be a sense of invincibility, as in “this can’t happen to me.” In fact, C-Level executives are often specially targeted in scams known as “whaling” or Business Email Compromise (BEC). In these scenarios, the attackers pose as the CEO and send a subordinate a request for a funds transfer, usually overseas. The unsuspecting subordinate, thinking the request is real, wires the funds. The FBI warned that it has seen a 270% increase in BEC scams in the last few years, with more than $2.3 billion stolen.

IT Department

For the IT department, security awareness training can (and should) be much more technical. Because it’s so important, there are more standardized training modules available that cover complex issues as well as the protocols to follow in case of a breach. This is particularly true in government positions, which must follow strict guidelines not only for identifying threats but also for dealing with potential breaches or security issues. (This is known as the Risk Management Framework, or RMF.)

Management

The role of management in security awareness is one of enforcer as well as cheerleader. Managers must understand the different security measures (such as using strong passwords) and be able to make sure they are implemented throughout the company. Management training therefore must cover not only the general security procedures but also how to make sure everyone follows your lead.

Lower Level Staff

For the general staff, security awareness training should be easily understood. Usually short videos and testing, as well as regular educational updates, can keep the entire team vigilant at all times. Programs can be longer than those at the executive level and should perhaps be more entertaining, so as to keep participants interested.

Simulations are Critical

The only way to truly test the effectiveness of your security training is by running regular unannounced drills. These can take the form of simulated phishing emails sent to your entire staff; instead of a malicious link or attachment, however, they link to a web page that informs recipients of their error.

Phishing simulations can also be paired with real-world drills, which can test the protocols that have been put in place by IT. The success (or failure) of these drills will give you a good overall risk assessment which you can use to pinpoint any areas of weakness.

Introducing Security IQ

InfoSec Institute has created SecurityIQ, a new platform to help companies create role-based security awareness training as well as simulate phishing attempts. It consists of AwareED, an educational tool, and PhishSIM, a phishing simulator.

AwareED has learning modules that include short, informative videos and tests; they are configurable according to role, such as management, new hires or telecommuters. Additionally, your own training modules can be created and integrated into our system. Staff are emailed enrollment instructions and the course is administered automatically. Progress can be viewed in the dashboard, and those who fail or don’t complete the tests can be required to take more training.

PhishSIM allows you to send multiple faux-phishing emails; you can use templates in our library or create your own. The idea is to test a number of different types of typical phishing messages (such as password reset requests, urgent wire transfer requests, and even free pizza offers) against your staff. These emails are grouped into a battery, and batteries make up a campaign. Over a specified period of hours, days, weeks, or months, these campaigns can be sent automatically. Any recipient who clicks on the link, instead of being compromised, is referred to a custom web page where they are shown a short video about phishing.

SecurityIQ is constantly being updated with new modules and features. Recently, we added analytics features that will help you better understand vulnerabilities. Right now, InfoSec is offering a free 30-day Premium Membership which includes unlimited use of both AwareED and PhishSIM. Since security awareness is an ongoing effort, you’ll quickly realize how valuable these tools are in your regular training. Join today!


Resources

https://www.pcisecuritystandards.org/documents/PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_Program.pdf


https://www.bankinfosecurity.com/interviews/creating-role-based-security-training-i-2128

Stephen Moramarco

Stephen Moramarco is a freelance writer and consultant who lives in Los Angeles. He has written articles and worked with clients all over the world, including SecureGroup, LMG Security, Konvert Marketing, and Iorad.