Does your organization take security awareness seriously? Would your employees be able to defend against social engineering attacks? Is the effectiveness of your organizational security frequently tested? You should be answering a resounding “Yes” to all of these questions. If you answer “no” or “I don’t know”, this may be a sign that your organization has serious security vulnerabilities. The following is a high-level overview of important elements in an effective security awareness training and education program.
This should be pretty obvious but is nevertheless quite important. When creating a security awareness program, you need to garner the support of C-level decision makers. How can you gain their support? Simple. Most CISOs, CIOs, CTOs, etc., are experienced in information security and already know that the vast majority of security breaches are due to human error. Furthermore, having a security awareness training and education program in place is often a legal requirement. So if you come to them with a solid plan that solves issues and makes their life easier, they should (hopefully) be quite receptive. Now that you have the executives involved, employees lower down the chain will likely follow suit.
Establish a Security Awareness Baseline
Establish a baseline by staging phishing attacks of various types that test employee awareness. The metrics gained on each employee will not only help to identify who is putting your organization at risk but also quantify the success of your security awareness program over time. When conducting your baseline, it is important to stage attacks of varying difficulty (Nigerian, spear, etc.).
Security awareness training and education is steadily moving away from the binge training of the past. The problem with binge training, as we all know and have most likely experienced, is that we are forced to memorize questions and answers for a test once a year (or less often) and then slowly forget about it. Nowadays, organizations develop SATE (security awareness training and education) programs to be ongoing and therefore significantly more effective.
Make Training Relatable
Demonstrate to employees how poor security practices can lead to harm not only for the organization but also to themselves, by clearly articulating the risk associated with specific actions. Keep the training short and to the point, and teach users by using emotion when possible. Security awareness training should incorporate phish from real-life attacks. By doing this you will know that your employees can fend off what is currently being used to attack other organizations in your industry. When you hear about a real attack currently targeting your industry, launch that attack against your users first, before the bad guys do. Remember: if you aren’t attacking your users, then only the bad guys are.
Knowing specifically which individuals are putting your organization at risk is incredibly important. With this knowledge you will be able to give attention to the employees that need training and education the most, while minimizing disruption to those that behave securely. Furthermore, this metric can be of great value to management in decision-making processes involving access and privileges. Any respectable Security Awareness Training and Education Program should at a minimum answer the following questions:
- Who are my high risk employees?
- Who are my most secure employees?
- Do I have any employees with high level access who are high risk?
You will use this data to create two types of secure reports. One is a concise overview, which C-level executives often prefer. The second report should be a more in-depth version that shows details of how each employee is performing in various areas. Examples of metrics to maintain for each user, which help to continuously improve your SATE program, include:
- Severity of Risk
- To What Types of Phish is Each User Most Susceptible
Ok, so this one is not absolutely necessary but is a huge plus if you can pull it off. With the metrics now in hand, the data can be used to enhance user learning significantly. Use metrics such as relapse frequency to indicate how often each employee should be training. User focus will tell you how long training should be, and utilizing phish susceptibility type can help you decide which type of phish will be most effective for training each employee.
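The baseline campaign, the three questions a program should answer, and the per-user metrics (severity of risk, phish susceptibility type, relapse frequency) described above are all derived from the same raw data: one record per simulated lure per employee. The following is an added example, not code from the original post or from any particular simulation product, that turns such records into those metrics. The results, the list of privileged users, the scoring weights, and the training-cadence rule are all constructed assumptions for illustration; a real program would pull the records from its phishing-simulation platform and the privileged-user list from IAM or HR.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed sample phishing-simulation results (not real data).
# Fields: employee, phish type, lure difficulty (1 = obvious, 3 = targeted spear
# phish), send date, and what the employee did with the lure.
SIMULATION_RESULTS = [
    ("alice", "nigerian", 1, date(2024, 1, 10), "reported"),
    ("alice", "spear",    3, date(2024, 2, 14), "ignored"),
    ("alice", "spear",    3, date(2024, 3, 20), "reported"),
    ("bob",   "invoice",  2, date(2024, 1, 10), "clicked"),
    ("bob",   "invoice",  2, date(2024, 2, 14), "submitted"),
    ("bob",   "spear",    3, date(2024, 3, 20), "clicked"),
    ("carol", "nigerian", 1, date(2024, 1, 10), "ignored"),
    ("carol", "spear",    3, date(2024, 2, 14), "clicked"),
    ("carol", "spear",    3, date(2024, 3, 20), "ignored"),
    ("dave",  "invoice",  2, date(2024, 1, 10), "submitted"),
    ("dave",  "spear",    3, date(2024, 2, 14), "ignored"),
    ("dave",  "nigerian", 1, date(2024, 3, 20), "reported"),
]

# Constructed: who holds elevated access. In practice this comes from IAM or HR.
PRIVILEGED_USERS = {"bob", "carol"}

# Assumed scoring: submitting credentials counts twice as much as a click;
# reporting or ignoring costs nothing. Falling for an easy lure is worse than
# falling for a hard one, so each failure is divided by the lure's difficulty.
ACTION_WEIGHT = {"reported": 0.0, "ignored": 0.0, "clicked": 1.0, "submitted": 2.0}


@dataclass
class Profile:
    employee: str
    lures: int = 0
    failures: int = 0
    severity: float = 0.0                      # "Severity of Risk"
    failure_dates: list = field(default_factory=list)
    type_severity: dict = field(default_factory=lambda: defaultdict(float))

    @property
    def failure_rate(self) -> float:
        return self.failures / self.lures if self.lures else 0.0

    @property
    def susceptible_type(self) -> Optional[str]:
        """Phish type that has cost this employee the most severity, if any."""
        if not self.type_severity:
            return None
        return max(self.type_severity, key=self.type_severity.get)

    @property
    def relapse_days(self) -> Optional[float]:
        """Mean days between consecutive failures; None with fewer than two."""
        dates = sorted(self.failure_dates)
        if len(dates) < 2:
            return None
        gaps = [(b - a).days for a, b in zip(dates, dates[1:])]
        return sum(gaps) / len(gaps)


def build_profiles(results) -> dict:
    """Aggregate raw lure records into one Profile per employee."""
    profiles: dict = {}
    for employee, phish_type, difficulty, sent, action in results:
        p = profiles.setdefault(employee, Profile(employee))
        p.lures += 1
        weight = ACTION_WEIGHT[action] / difficulty
        if weight > 0:
            p.failures += 1
            p.severity += weight
            p.failure_dates.append(sent)
            p.type_severity[phish_type] += weight
    return profiles


def high_risk(profiles, threshold=1.0):
    """Employees at or above the severity threshold, worst first."""
    ranked = sorted(profiles.values(), key=lambda p: p.severity, reverse=True)
    return [p.employee for p in ranked if p.severity >= threshold]


def most_secure(profiles):
    """Employees who failed no lure at all."""
    return sorted(p.employee for p in profiles.values() if p.failures == 0)


def privileged_high_risk(profiles, privileged, threshold=1.0):
    """High-risk employees who also hold elevated access."""
    return [e for e in high_risk(profiles, threshold) if e in privileged]


def training_plan(profile):
    """Assumed rule: retrain at half the relapse interval (at least weekly), or
    every 30 days without relapse history; focus on the weakest phish type."""
    if profile.relapse_days is None:
        cadence = 30
    else:
        cadence = max(7, int(profile.relapse_days / 2))
    return {"every_days": cadence, "focus": profile.susceptible_type}


if __name__ == "__main__":
    profiles = build_profiles(SIMULATION_RESULTS)
    print("high risk:", high_risk(profiles))
    print("most secure:", most_secure(profiles))
    print("privileged and high risk:", privileged_high_risk(profiles, PRIVILEGED_USERS))
    for name in high_risk(profiles):
        print(name, training_plan(profiles[name]))
```

The concise executive report is the three list functions; the detailed report is each Profile's severity, failure rate, susceptible type, and relapse interval. Re-running the same campaign types at each interval and comparing severity over time is what quantifies the program's success against the baseline.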