Security is everybody’s job. But how do we get better at security awareness training?
The conventional rule of thumb is that a phishing click rate under 10% is pretty good. But if you’re a sizable organization, a 10% click rate still means hundreds of people clicking each campaign, and an attacker only needs one of them.
So it’s our job to figure out how to get our organizations better trained without overburdening employees to the point that they stop listening.
One key is to keep the messaging short.
The security awareness training that’s usually done once or twice a year lasts anywhere from 45 minutes to two hours. It needs to be done to make sure everyone in the organization is up to date on annual changes to policy and procedure, but it is not where day-to-day awareness comes from.
For this broader messaging, I’ve found “lunch and learns” have been useful to bring employees from across the organization together, both to let them know basics about what the security team is doing, and what resources are available to them.
But there is also a need for brief messaging, monthly or quarterly, that addresses what has been going on in the world: a widely reported attack, or geopolitical developments that could lead to nation-state hacking. These short and sweet messages reach more people and are far more likely to actually be read.
I’ve used entertaining, two-minute video snippets covering everything from not getting yourself shoulder-surfed at the airport, to why you shouldn’t be talking about business on your mobile, because you never know who’s in the seat behind you listening.
These mini-trainings should deliver relevant and actionable security tips. Other delivery mechanisms could include a quick email from the CISO on what’s going on in the security world. Whatever the format, I wouldn’t go over two minutes because you’re liable to lose your audience.
Getting the right frequency is also very important. Phishing simulations are crucial, but over-phishing becomes a counterproductive nuisance that employees learn to resent rather than learn from.
We need to get the right training to the right people, so one thing to consider is what level of knowledge different groups of employees require. Privileged users, for example, should have a more formal knowledge assessment to make sure they understand the threats that come with privileged access and why they are targeted for it.
Another central factor is the tone at the top: if employees don’t see senior management living and setting the example, awareness training is almost irrelevant. It doesn’t matter how many tools you have; if the senior execs don’t follow the rules, nobody else will either.
Companies might also consider monitoring for potentially exposed credentials. If you do any kind of dark web monitoring, whether in house or under contract with another firm, employee credentials turning up outside the network is an early signal that your company is becoming a target. It is also a cue to act: force a password reset for the affected accounts, and point the targeted training at the people and teams whose credentials keep showing up.
It’s not enough, though, to put awareness training programs in place: we also need to find ways to gauge their effectiveness. We all report phishing click rates, but what other metrics should we be reporting? Proactive reporting on the part of employees would be a valuable addition: how many people reported the lure, and how quickly the first report reached the security team, says more about resilience than how many clicked.
Once these mini-trainings have been introduced, tracking those metrics before and after gives you evidence that risk scores have actually improved rather than a feeling that they have. Being able to measure the effectiveness of a training program is a good tool when you report your team’s achievements to management.
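As an added example (not from the original article, and not any particular vendor’s reporting), here is how the metrics suggested above can be computed from a phishing-simulation campaign: click rate, report rate, the share who reported without clicking first, reports per click, and time to first report, broken down by department. The campaign records, user names and departments are constructed sample data; the 10% threshold is the rule of thumb mentioned at the top of the piece.

```python
from collections import defaultdict

# Constructed sample data for one phishing-simulation campaign: one record per
# recipient. Times are minutes after the lure was delivered; None means the
# recipient never did that thing. Names and departments are made up.
SIMULATION = [
    {"user": "a.smith", "dept": "engineering", "clicked_at": None, "reported_at": 3},
    {"user": "b.jones", "dept": "engineering", "clicked_at": 7,    "reported_at": None},
    {"user": "c.wu",    "dept": "engineering", "clicked_at": None, "reported_at": 10},
    {"user": "d.lee",   "dept": "engineering", "clicked_at": None, "reported_at": None},
    {"user": "e.khan",  "dept": "finance",     "clicked_at": 2,    "reported_at": 20},
    {"user": "f.ortiz", "dept": "finance",     "clicked_at": None, "reported_at": None},
    {"user": "g.nair",  "dept": "finance",     "clicked_at": None, "reported_at": 5},
    {"user": "h.cole",  "dept": "executives",  "clicked_at": None, "reported_at": 1},
]


def campaign_metrics(records):
    """Return per-department metrics plus an "all" roll-up for one campaign.

    click_rate               share of recipients who clicked the lure
    report_rate              share who reported it (before or after clicking)
    clean_report_rate        share who reported without clicking first
    resilience_ratio         reports per click; None when nobody clicked
    minutes_to_first_report  how fast the first warning reached the security team
    """
    groups = defaultdict(list)
    for rec in records:
        groups[rec["dept"]].append(rec)
    groups["all"] = list(records)

    metrics = {}
    for dept, recs in groups.items():
        sent = len(recs)
        clicked = sum(1 for r in recs if r["clicked_at"] is not None)
        reported = sum(1 for r in recs if r["reported_at"] is not None)
        # A "clean" report is one made without clicking, or before the click.
        clean = sum(
            1 for r in recs
            if r["reported_at"] is not None
            and (r["clicked_at"] is None or r["reported_at"] < r["clicked_at"])
        )
        report_times = [r["reported_at"] for r in recs if r["reported_at"] is not None]
        metrics[dept] = {
            "sent": sent,
            "click_rate": clicked / sent,
            "report_rate": reported / sent,
            "clean_report_rate": clean / sent,
            "resilience_ratio": reported / clicked if clicked else None,
            "minutes_to_first_report": min(report_times) if report_times else None,
        }
    return metrics


def departments_over(metrics, threshold=0.10):
    """Departments whose click rate exceeds the threshold (default: the 10% rule of thumb)."""
    return sorted(d for d, m in metrics.items() if d != "all" and m["click_rate"] > threshold)


if __name__ == "__main__":
    m = campaign_metrics(SIMULATION)
    for dept, vals in m.items():
        print(dept, vals)
    print("over 10%:", departments_over(m))
```

Run against the same campaign template before and after a round of mini-trainings, the per-department report rate and time to first report are the numbers that show whether the training changed behaviour; the click rate alone cannot distinguish a department that ignores lures from one that spots and reports them.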
And who knows, that might ultimately translate to your budget.