Before launching into the content of her talk, Enterprise Security Awareness Programs That Work, at the 2018 (ISC)2 Security Congress, Theresa Frommel, acting deputy CISO for the state of Missouri, confronted the elephant in the room, asking the audience, “How many of you are nonbelievers?”
When asked whether their programs were delivered only annually, many in the room mumbled yes. Frommel also received affirmation from the audience when she asked, “Most of you are not doing repetitive monthly trainings?”
Many organizations still don’t understand why security awareness training programs matter when they don’t see significant improvements in end user behavior, but Frommel said behaviors can change.
Missouri consists of 600 municipalities across 114 counties, served by 30 state agencies spanning the legislative and judicial branches. Of the state’s 40,000 employees, 950 are IT staff, of whom 20 are in the office of cybersecurity.
Why do companies need effective security awareness programs? Primarily because, Frommel said, 90% of breaches are the result of phishing attacks.
“In the first quarter of 2018, phishing activity trends were up 46%. More than a third of phishing sites were hosted on sites with HTTPS and SSL certificates, and the number of sites hosting phishing pages rose from 60,000 at the beginning of 2018 to 113,000 in March,” Frommel said, adding a reminder that many of the high-profile breaches in the past several years were the result of someone opening a phishing message.
That’s why an effective awareness program needs to understand human behavior, Frommel said. Phishing campaigns are successful because attackers hit the emotion of fear and uncertainty.
“Sometimes it’s hard to blame the user because they are thinking and asking, ‘Am I expecting an attachment? Do I know this user?’ and the answer is yes,” Frommel said.
In advising the audience on how to mitigate the human risk, Frommel assured, “Human behavior can be changed. Make users another security control, not a security problem. Phishing is no different than any other swindle, but technology can only mitigate email risk to a point. Training should be frequent, brief, targeted and able to change people’s thought processes, which over time, changes the culture.”
Recognizing that technology will only go so far, it’s incumbent upon security practitioners to keep encouraging changes in behavior and thought processes. As for Missouri, it deploys 40,000 interactive lessons monthly, each 10-15 minutes long and focused on a different topic. Additionally, agencies compete against each other through gamification.
A successful program requires that you are able to track results and ensure employee participation, but it’s also critical that you are able to recognize when the content has become stale and adapt by finding more engaging material, said Frommel.