One of the least expensive but most effective investments you can make in security is awareness training for your organisation. We’ll return to the cost later on, but let’s talk for a moment about the effectiveness, which also happens to be linked to why security awareness training is needed in the first place.
The 2016 Verizon Data Breach Investigations Report makes this abundantly clear: social engineering is still a huge attack vector for criminals and assorted bad guys to gain access to your systems, and it’s increasing. The report includes data about sanctioned phishing tests to check people’s security awareness, and it found that the intended targets opened phishing emails 30 per cent of the time – an increase on the previous year. So clearly, security has its work cut out to improve matters.
Many experts agree – and it was a topic of conversation at our Global Advisory Board meeting recently – that the key to good security awareness is a sustained campaign, not just one-off initiatives. Don’t let it lapse. Culture change happens over time. In our experience, the key to good security awareness programmes is that they have to be comprehensive. One or two aspects on their own don’t tend to stick.
We’ve found that a combination of e-learning, face-to-face workshops, ‘lunch and learn’ sessions, and simulated exercises can all help to test how people would react. Relying on posters alone, or expecting face-to-face training for the board to percolate through the rest of the organisation, won’t work.
That being said, when it comes to creating the materials for your campaign, by all means use strong visuals like posters. These can be displayed prominently around your office or campus. Short, memorable headlines also help to grab people’s attention: ‘birthdays are bad passwords’ is one example. Using a repeated logo is a handy visual cue that can tie several security awareness initiatives together under one overall campaign.
These initiatives don’t necessarily have to cost very much, but they’re proven to be highly effective. One of the virtues of security awareness training being relatively cheap to do is that it’s repeatable. What’s more, it’s measurable: let’s say you send everyone in your organisation a test phishing email. The number of clicks lets you quickly see who has learned the lesson and who needs to take the training again. Criminals are always trying new approaches, so you can adjust your own campaigns to mimic real-world scams. The first test establishes a baseline for your security posture, and you track your progress from there.
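To make the measurement step concrete, here is a small Python example (added here, not part of the original post) that computes click rates from constructed phishing-simulation results, compares a later campaign against the baseline, breaks the rate down by role, and lists people who clicked in more than one campaign. The record layout and sample names are assumptions, not data from any real exercise.

```python
from collections import defaultdict

# Constructed sample phishing-simulation results (not real data): one
# record per recipient per campaign, as (campaign, user, role, clicked).
# The layout is an assumption about how a simulation tool exports results.
RESULTS = [
    ("2016-Q1", "alice", "finance", True),
    ("2016-Q1", "bob", "finance", False),
    ("2016-Q1", "carol", "engineering", True),
    ("2016-Q1", "dave", "engineering", True),
    ("2016-Q1", "erin", "admin", False),
    ("2016-Q2", "alice", "finance", True),
    ("2016-Q2", "bob", "finance", False),
    ("2016-Q2", "carol", "engineering", False),
    ("2016-Q2", "dave", "engineering", True),
    ("2016-Q2", "erin", "admin", False),
]

def click_rate(results, campaign, role=None):
    """Fraction of recipients who clicked in one campaign (optionally one role)."""
    rows = [r for r in results if r[0] == campaign and (role is None or r[2] == role)]
    return sum(1 for r in rows if r[3]) / len(rows) if rows else None

def progress(results, baseline, latest):
    """Change in click rate from the baseline campaign to the latest one.
    Negative means fewer people clicked, i.e. the awareness campaign is working."""
    return click_rate(results, latest) - click_rate(results, baseline)

def rates_by_role(results, campaign):
    """Click rate per role, to target follow-up training where it is needed."""
    roles = sorted({r[2] for r in results if r[0] == campaign})
    return {role: click_rate(results, campaign, role) for role in roles}

def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: retraining candidates."""
    counts = defaultdict(int)
    for _campaign, user, _role, clicked in results:
        if clicked:
            counts[user] += 1
    return sorted(user for user, n in counts.items() if n >= min_clicks)

if __name__ == "__main__":
    print("baseline:", click_rate(RESULTS, "2016-Q1"))   # 0.6
    print("latest:", click_rate(RESULTS, "2016-Q2"))     # 0.4
    print("change:", round(progress(RESULTS, "2016-Q1", "2016-Q2"), 2))  # -0.2
    print("by role:", rates_by_role(RESULTS, "2016-Q2"))
    print("retrain:", repeat_clickers(RESULTS))          # ['alice', 'dave']
```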
You should also consider segmenting security awareness according to roles. Not everyone needs to get the same level of detail if it’s not applicable to their job. If you ran a logistics company, you wouldn’t give health and safety training for driving forklifts to your admin team who sit at a desk all day. In the same vein, not everyone in your organisation may need to know about PCI DSS, or freedom of information policies.
In our most recent post, we looked at the big question of why work in security and what outcomes we hope to achieve. In a way, security awareness is a part of the same question: in most organisations, the interaction with the security function usually involves a slap on the wrist for doing something wrong, like clicking on a link in an unfamiliar email, or putting an unverified USB key into a laptop. Psychology tells us that there should be five positive interactions for every negative one if messages are to be effective. The goal to aim for is to instil a positive security culture so that people will do the right thing even when nobody’s looking.
Have you run security awareness training programmes? If so, what’s worked for you? We’d love to hear your thoughts.