Employee training plays a role in cybersecurity that is just as important as any technology.
Too often, however, that training is approached as a one-off security campaign. Once the training activities are checked off the to-do list, they're likely forgotten by both administrators and employees.
But security awareness isn't a one-and-done problem. To address the expanding number of cybersecurity threats, companies need a comprehensive security awareness training program. The program should be well-designed and built to solve the company's most pressing security problems. Creating a plan begins with a few critical steps:
- Identify the essential security topics facing the organization.
- Determine what type of information can best educate users about those topics.
- Map out the security program, and determine the timing of each security campaign.
- Create campaigns that build on each other.
- If there is redundancy in the program, make sure it's intentional, as part of a plan to retest end users on what they learned in previous campaigns.
How a Fortune 500 Company Revamped Its Approach
A Fortune 500 company we work with recently saw significant improvements in the results of its security awareness program after rethinking its approach. The company's security awareness program is built around a cybersecurity ambassadors program, which worked with roughly 100 volunteers who helped spread the message about security awareness to their team or office. But that wasn't enough.
"What I was finding [is that] people are busy with their workloads, so security is the last thing on their mind," explains one member of the company's security awareness team. "To make the cybersecurity ambassadors program really successful, we needed to look at it as managing people."
To take the program to the next level, the security awareness team changed the way it engaged with the ambassadors, increasing communication from monthly to weekly, keeping messages fun and attention-grabbing, and sharing intel and insights that make the group feel like insiders. The team also started giving ambassadors more opportunities to take the lead on security awareness projects and customize what works best for their team or location. These changes improved morale and got the ambassadors more invested in the program.
The change in approach paid off. The organization went from a 42% click rate on simulated phishing attacks in March 2018 to just 5% by the end of the third quarter that year.
The company also expanded its security awareness computer-based training program and increased the frequency of simulated phishing attacks. Initially, team members were only phishing half of the company's population every other month. But they stepped that up in early 2018 to include all employees and started sending simulated attacks on a monthly basis.
Team members say these changes helped them focus on repeat clickers because they were able to identify those individuals more quickly, increase their training, and work with them to improve. Once they started sending simulated phishing attacks more frequently, they also increased communication about reporting suspicious emails, and the combination was effective. Reporting to the incident department went from a 20% report rate to 68%.
How Computer-Based Training Can Help
One reason that companies scramble to throw together one-off security campaigns at the expense of creating a valid program is that gathering and distributing the material and performing the testing takes time. If the program and specific campaigns aren't planned ahead of time, administrators wind up reinventing the wheel every few months when it's time for the next campaign.
With the advent of security awareness computer-based training solutions, it's possible to largely automate the creation and initiation of multiple security awareness campaigns. The programs are customizable, and administrators can choose from a variety of simulation templates, landing pages, risk assessment surveys, and other content, making it easier for program administrators to schedule related campaigns with recommended content, each component building on the previous one. Campaigns begin and end at specified intervals, and managers receive an email with their results report.
Building a Risk Profile
Having access to performance data from the campaigns is critical because it creates a two-way flow of information. Users must be aware of the security threats they face, and administrators need visibility into the risks the company faces from employees. An awareness program should provide data from each campaign that administrators can use to direct future training and education efforts.
That data shouldn't just include what each user did, but also a snapshot of the state of their equipment and software. If users click on a risky link, they might also have other poor tech habits, such as having browsers or operating systems that need updating, old plug-ins, or unregistered software on their devices. The reports should also include IP address information so that an administrator can tell if employees are accessing confidential data on public Wi-Fi networks or not using a required VPN.
Having that data helps administrators make better assessments and gain a clear picture of the average risk profile among users. This is essential to building an accurate risk profile for the organization, so that administrators can then take the appropriate steps to address any problems or weak spots. Once the risk profile is established, it could mean more training, coaching, or even an investment in new software or hardware to ensure everything is up to date.
That is the value of having a comprehensive security awareness training program versus a one-off campaign. Administrators can use the information they gather during each campaign to help improve the overall security awareness training initiative.
Security awareness computer-based training solutions give administrators the ability to quickly build programs from an existing library and automate data collection and reporting, which makes it easier for companies to run a professional, well-designed program without unnecessary effort. Ultimately, this allows administrators to spend more time dealing with risky employee behavior and addressing the underlying security issues that create those vulnerabilities.