#InfosecNA: The Benefits of Training Employees to Hack

For most corporate denizens, security training is an unpleasant but necessary evil, but does it have to be? Not according to Kris Martel, CISO of Imagine IT, who uses a highly interactive approach to create an engaging, entertaining learning environment that makes security meaningful and interesting to the average employee.

Speaking at Infosecurity ISACA North America Expo and Conference in New York, Martel shared some of the techniques he uses in his training sessions to improve security awareness and compliance, and to have employees eagerly awaiting their next session.

“Cyber awareness training must change audience perception by making it [security] relevant to the organization or the individuals you’re teaching,” said Martel. “The way to do that is to make it engaging, interactive and fun – and unpredictable,” he added. One of the ways he engages employees is to teach them real-world hacking skills, including how to craft effective phishing attacks, helping them learn who has their Facebook login and taking them on guided tours of the Dark Web. Whenever possible, Martel finds ways to reward participation with small but popular tokens such as preferred parking spots, movie tickets and, in some cases, internal cryptocurrency.

Martel has developed a fun and effective way to deal with experienced cyber-workers who don’t take the training seriously because they believe they are too smart to be hacked: he offers them a friendly challenge. After a co-worker accepts the challenge, he begins a surveillance phase which, depending on how good his opponent is, can last anywhere from a few days to a few months. In one case, with an especially cyber-savvy individual, his usual hunt within social media, inquiries with co-workers and other tactics failed to produce anything. Even though the employee had effectively ghosted themselves, including paying a service to erase their profile from the internet, he did find evidence of their activity on Amazon, which enabled him to craft a phishing attack that eventually proved effective in gaining his ‘victim’s’ credentials. Although it took four months to execute, Martel felt it was worth it after the employee agreed to go to training and he got a good story out of it to share with his colleagues.

Here are a few of Martel’s key takeaways:

  • Interactive training keeps people engaged
  • If possible, teach the class to hack as part of the training to make what they are learning meaningful
  • Incentivize employees to report phishing with contests and recognition
  • Make monthly training fun. One way to do this is to fill part of the session with short presentations developed by your students

Applying these tactics helped Martel stimulate a 70% increase in reporting of phishing attacks, a 45% reduction in the success rate of phishing attacks, and a 94% positive rating on his course feedback surveys. “I knew things had changed when people started asking me when the next security training session was going to be held,” he concluded.
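Figures such as "a 70% increase in reporting" and "a 45% reduction in the success rate" come from comparing phishing-simulation campaigns before and after a change to the training programme. The following is an added example (not code from the article, from Martel or from Imagine IT) of how a security team might compute those two metrics per campaign and the relative change between campaigns. It assumes one record per recipient per simulated phishing email, with flags for whether the person clicked the lure and whether they reported it; the campaign names, user ids and outcomes are constructed sample data, not real figures.

```python
"""Phishing-simulation metrics for an awareness-training programme.

Added example with constructed data. It assumes each simulated phishing
email yields one record (campaign, user, clicked, reported); real platforms
export richer data, but these two flags are enough for the reporting rate
and the attack success rate that awareness programmes usually track.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class SimResult:
    """One recipient's outcome in one simulated phishing campaign."""
    campaign: str
    user: str
    clicked: bool    # followed the lure link or opened the attachment
    reported: bool   # used the report-phishing button or mailbox


def _campaign(name: str, users: Iterable[str], clickers: set, reporters: set) -> list:
    """Build constructed records: every user gets exactly one row per campaign."""
    return [SimResult(name, u, u in clickers, u in reporters) for u in users]


USERS = [f"u{i:02d}" for i in range(1, 11)]

# Constructed sample data (hypothetical): 'baseline' is the campaign run before
# the training changes, 'post' the campaign run afterwards.
SAMPLE = (
    _campaign("baseline", USERS, {"u01", "u02", "u03", "u04"}, {"u02", "u05"})
    + _campaign("post", USERS, {"u01", "u03"}, {"u01", "u04", "u05", "u06", "u07"})
)


def campaign_metrics(results: Iterable[SimResult], campaign: str) -> dict:
    """Success rate, report rate and click-then-report overlap for one campaign."""
    rows = [r for r in results if r.campaign == campaign]
    if not rows:
        raise ValueError(f"no results for campaign {campaign!r}")
    n = len(rows)
    clicked = sum(r.clicked for r in rows)
    reported = sum(r.reported for r in rows)
    # A user who clicks and then reports still counts as a successful lure
    # (the credential or payload was exposed) but also as a detection win,
    # so record the overlap explicitly instead of hiding it in either rate.
    reported_after_click = sum(r.clicked and r.reported for r in rows)
    return {
        "recipients": n,
        "success_rate": clicked / n,
        "report_rate": reported / n,
        "reported_after_click": reported_after_click,
    }


def relative_change(before: float, after: float) -> Optional[float]:
    """Fractional change from before to after; None when there is no baseline."""
    if before == 0:
        return None  # a 0% baseline cannot be expressed as a percentage increase
    return (after - before) / before


def compare_campaigns(results: Iterable[SimResult], before: str, after: str) -> dict:
    """Relative change in report rate and success rate between two campaigns."""
    results = list(results)
    b = campaign_metrics(results, before)
    a = campaign_metrics(results, after)
    return {
        "report_rate_change": relative_change(b["report_rate"], a["report_rate"]),
        "success_rate_change": relative_change(b["success_rate"], a["success_rate"]),
        "before": b,
        "after": a,
    }


if __name__ == "__main__":
    c = compare_campaigns(SAMPLE, "baseline", "post")
    print(f"reporting rate change: {c['report_rate_change']:+.0%}")
    print(f"success rate change:   {c['success_rate_change']:+.0%}")
    print(f"clicked then reported (post): {c['after']['reported_after_click']}")
```

On the constructed data the reporting rate rises from 20% to 50% (a 150% relative increase) and the success rate falls from 40% to 20% (a 50% reduction). The overlap count matters for programme design: a user who clicks and then reports has been caught by the lure but has also given the security team an early warning, which is exactly the behaviour a reporting incentive is meant to encourage.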
