Employees are often still the weakest link in an organization’s cyber defense setup, and the first target for cyber-criminals trying to enter a company network.
Nobody is safe from human error – but making sure employees are aware and prepared is an important first step towards better security. Unfortunately, the security training delivered in many companies is simply inadequate.
Why? Well, fundamentally, security awareness training is behavior training. The goal is to make employees more informed about security threats, more skeptical of what they receive via emails or other channels, and less likely to commit damaging behaviors such as clicking on malicious links in email, oversharing on social media, or believing requests delivered through digital channels without first verifying them. All too often, though, the training is too infrequent, irrelevant, or boring to actually change users’ behavior. They may be more aware, but they still don’t care.
Here are a few best practices that organizations should consider when developing an effective training program for their employees.
Security must be a board-level issue
Security and security awareness training must have board-level support, or it won’t get the attention it deserves. A board of directors that takes security seriously and gives it enough priority – and funding – will go a long way toward bolstering the security training in an organization.
From the top down, there should be a corporate culture in which the importance of security is understood and valued, across all levels and business areas.
Training should cover all bases
Security awareness training usually starts with the low-hanging fruit: common threats such as mass-emailed phishing attempts that purport to be from the employee’s bank or from the corporate IT administrator. But it shouldn’t stop there.
Less common but often successful threat vectors include spear phishing aimed at specific users, and targeting employees who have overshared information on social media. The more a hacker knows about the user’s family, personal history, favorite restaurants, or travel, the easier they will find it to guess passwords or craft messages that trick the user into sharing login and other sensitive details.
In parallel with the training, it’s important to establish an appropriate backchannel that employees can use to check on suspicious requests and emails. For example, a CFO who receives a request from the CEO to make a wire transfer, particularly under unusual circumstances, should have a quick and easy method for verifying that request, independently of the channel it came from.
Training must be frequent, and rightsized
Many organizations only train employees once a year, or when they first join. Regular but targeted sessions are the key to effective training. Some users – especially higher value targets such as the CFO or senior executives – will require extra awareness training, as they are more likely to be at the receiving end of sophisticated spear phishing campaigns. Phishing and other awareness tests are essential to evaluate the effectiveness of the training and identify any gaps, but they must be truly random, or they will not give a true picture of how vigilant staff really are. Any employee who fails a phishing test should be given additional, context-sensitive training with an eye to addressing the deficiencies uncovered in the test.
Focus on behavioral change
As noted above, security awareness training is really about modifying user behavior: helping employees to be more skeptical and less gullible when faced with cyber-criminals’ attempts to fool them, more careful about opening links and attachments, more vigilant about verifying the true senders of emails, and less likely to share personal information that could be used to create customized phishing emails.
Careless or badly informed employees have the dangerous potential of undermining the defenses provided by the organization’s security infrastructure, and exposing the organization to the risk of a data breach. Ultimately, the goal of any training must be to stop this from happening.
Conclusion
The only answer to the fast-changing cyber threat landscape is a layered security strategy. Technology-based solutions play a critical role in it, but so does a solid security awareness program. Done well, it can provide a backstop for those situations where malicious content manages to pass through the technology layers of firewalls, spam filters and anti-virus solutions. When this happens, users with good security awareness can provide that extra, last layer of defense.
However, while every organization should take security training seriously, the training provided must also be fun – or at least, enjoyable and engaging. If not, employees will resist, ignore it, and the learning effect will be zero.
Gamification can help, but is not essential. Equally, organizations should not punish their employees’ mistakes, whether during simulated phishing testing or in real-life scenarios. If employees are not allowed to make mistakes and openly share their experience with security teams and peers, they won’t cooperate in the overall security process.
That said, an employee who repeatedly opens malicious links and never learns may require more attention, but punishment should always be a last resort.