Dark Reading

11:40 AM
Dennis Dillman
Don't Make Security Training a 'One-and-Done'

How to move beyond one-off campaigns and build a true security awareness program.

Employee training plays a role in cybersecurity that is just as important as any technology. 

Too often, however, that training is approached as a one-off security campaign. Once the training activities are checked off the to-do list, they're likely forgotten by both administrators and employees.

But security awareness isn't a one-and-done problem. To address the expanding number of cybersecurity threats, companies need a comprehensive security awareness training program. The program should be well-designed and built to solve the company's most pressing security problems. Creating a plan begins with a few critical steps:

  • Identify the essential security topics facing the organization.
  • Determine what type of information can best educate users about those topics.
  • Map out the security program, and determine the timing of each security campaign.
  • Create campaigns that build on each other.
  • If there is redundancy in the program, make sure it's intentional, as part of a plan to retest end users on what they learned in previous campaigns.

How a Fortune 500 Company Revamped Its Approach
A Fortune 500 company we work with recently saw significant improvements in the results of its security awareness program after rethinking its approach. The company's security awareness program is built around a cybersecurity ambassadors program, which worked with roughly 100 volunteers who helped spread the message about security awareness to their team or office. But that wasn't enough. 

"What I was finding [is that] people are busy with their workloads, so security is the last thing on their mind," explains one member of the company's security awareness team. "To make the cybersecurity ambassadors program really successful, we needed to look at it as managing people."

To take the program to the next level, the security awareness team changed the way it engaged with the ambassadors, increasing communication from monthly to weekly, keeping messages fun and attention-grabbing, and sharing intel and insights that make the group feel like insiders. The team also started giving ambassadors more opportunities to take the lead on security awareness projects and customize what works best for their team or location. These changes improved morale and got the ambassadors more invested in the program. 

The change in approach paid off. The organization went from a 42% click rate on simulated phishing attacks in March 2018 to just 5% by the end of the third quarter that year. 

The company also expanded its security awareness computer-based training program and increased the frequency of simulated phishing attacks. Initially, team members were sending simulated phishing emails to only half of the company's population every other month. In early 2018 they stepped that up to include all employees and started sending simulated attacks on a monthly basis.

Team members say these changes helped them focus on repeat clickers, because they could identify those individuals more quickly, increase their training, and work with them to improve. Once they started sending simulated phishing attacks more frequently, they also increased communication about reporting suspicious emails, and the combination was effective: the rate at which employees reported suspicious emails to the incident department went from 20% to 68%.

How Computer-Based Training Can Help
One reason that companies scramble to throw together one-off security campaigns at the expense of creating a valid program is that gathering and distributing the material and performing the testing takes time. If the program and specific campaigns aren't planned ahead of time, administrators wind up reinventing the wheel every few months when it's time for the next campaign. 

With the advent of security awareness computer-based training solutions, it's possible to largely automate the creation and initiation of multiple security awareness campaigns. The programs are customizable, and administrators can choose from a variety of simulation templates, landing pages, risk assessment surveys, and other content, making it easier for program administrators to schedule related campaigns with recommended content, each component building on the previous one. Campaigns begin and end at specified intervals, and managers receive an email with their results report.

Building a Risk Profile
Having access to performance data from the campaigns is critical because it creates a two-way flow of information. Users must be aware of the security threats they face, and administrators need visibility into the risks the company faces from employees. An awareness program should provide data from each campaign that administrators can use to direct future training and education efforts.

That data shouldn't just include what each user did, but also a snapshot of the state of their equipment and software. If users click on a risky link, they might also have other poor tech habits, such as having browsers or operating systems that need updating, old plug-ins, or unregistered software on their devices. The reports should also include IP address information so that an administrator can tell if employees are accessing confidential data on public Wi-Fi networks or not using a required VPN.

Having that data helps administrators make better assessments and gain a clear picture of the average risk profile among users. This is essential to building an accurate risk profile for the organization, so that administrators can then take the appropriate steps to address any problems or weak spots. Once the risk profile is established, it could mean more training, coaching, or even an investment in new software or hardware to ensure everything is up to date.
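The repeat-clicker tracking described in the Fortune 500 section and the risk profile described here both come down to the same analysis: joining per-campaign results (clicked, reported) with a snapshot of each user's device hygiene and the client address they came from, then scoring users and trending the organisation-wide figure. The following is an added example of that analysis, not code from the article or from any training platform; the campaign records are constructed sample data, and the field names, the scoring weights, and the corporate VPN range are assumptions.

```python
"""Aggregate simulated-phishing results into per-user and organisation-wide
risk profiles.  Added example: the records are constructed sample data, and
the field names, weights and VPN range are assumptions."""
import ipaddress
from collections import defaultdict

# Assumed corporate VPN egress range: a client address outside it means the
# user reached the landing page from an unmanaged network (e.g. public Wi-Fi).
CORPORATE_VPN_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed sample: one row per (campaign, recipient).  'reported' means the
# user forwarded the lure to the incident mailbox.
CAMPAIGN_RESULTS = [
    # campaign, user, clicked, reported, browser_outdated, old_plugins, client_ip
    ("2018-03", "alice", True,  False, True,  True,  "203.0.113.7"),
    ("2018-03", "bob",   False, True,  False, False, "10.20.4.9"),
    ("2018-03", "carol", True,  False, False, True,  "10.20.8.1"),
    ("2018-04", "alice", True,  False, True,  True,  "198.51.100.3"),
    ("2018-04", "bob",   False, True,  False, False, "10.20.4.9"),
    ("2018-04", "carol", False, True,  False, False, "10.20.8.1"),
    ("2018-05", "alice", True,  True,  False, True,  "10.20.2.2"),
    ("2018-05", "bob",   False, True,  False, False, "10.20.4.9"),
    ("2018-05", "carol", False, False, False, False, "10.20.8.1"),
]

# Assumed scoring weights: behaviour (clicking, not reporting) counts more
# than hygiene findings, but hygiene still raises the score.
WEIGHTS = {"clicked": 3, "not_reported": 1, "browser_outdated": 2,
           "old_plugins": 1, "off_vpn": 2}


def campaign_rates(results):
    """Per-campaign click rate and report rate, as fractions of recipients."""
    counts = defaultdict(lambda: {"n": 0, "clicked": 0, "reported": 0})
    for campaign, _user, clicked, reported, *_ in results:
        c = counts[campaign]
        c["n"] += 1
        c["clicked"] += clicked
        c["reported"] += reported
    return {camp: {"click_rate": c["clicked"] / c["n"],
                   "report_rate": c["reported"] / c["n"]}
            for camp, c in counts.items()}


def user_profiles(results, vpn_net=CORPORATE_VPN_NET, weights=WEIGHTS):
    """Accumulate a risk score per user across every campaign they received."""
    profiles = defaultdict(lambda: {"campaigns": 0, "clicks": 0, "score": 0})
    for _camp, user, clicked, reported, browser_outdated, old_plugins, ip in results:
        p = profiles[user]
        p["campaigns"] += 1
        p["clicks"] += clicked
        # Off-VPN access is inferred purely from the landing-page client address.
        off_vpn = ipaddress.ip_address(ip) not in vpn_net
        p["score"] += (weights["clicked"] * clicked
                       + weights["not_reported"] * (not reported)
                       + weights["browser_outdated"] * browser_outdated
                       + weights["old_plugins"] * old_plugins
                       + weights["off_vpn"] * off_vpn)
    return dict(profiles)


def repeat_clickers(profiles, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: coaching priority."""
    return sorted(u for u, p in profiles.items() if p["clicks"] >= min_clicks)


def organisation_risk(profiles):
    """Average per-user score: the organisation-level figure to trend over time."""
    return sum(p["score"] for p in profiles.values()) / len(profiles)


if __name__ == "__main__":
    rates = campaign_rates(CAMPAIGN_RESULTS)
    for camp in sorted(rates):
        print(camp, f"click {rates[camp]['click_rate']:.0%}",
              f"report {rates[camp]['report_rate']:.0%}")
    profs = user_profiles(CAMPAIGN_RESULTS)
    print("repeat clickers:", repeat_clickers(profs))
    print("organisation risk:", round(organisation_risk(profs), 2))
```

On the constructed data, click rate falls from 67% to 33% while report rate rises from 33% to 67% across the three campaigns; alice is the only repeat clicker, and her score is driven as much by the outdated browser and off-VPN access as by the clicks themselves, which is the point of joining device and network data to the click data rather than looking at clicks alone.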

That is the value of having a comprehensive security awareness training program versus a one-off campaign. Administrators can use the information they gather during each campaign to help improve the overall security awareness training initiative.

Security awareness computer-based training solutions give administrators the ability to quickly build programs from an existing library and automate data collection and reporting, which makes it easier for companies to run a professional, well-designed program without unnecessary effort. Ultimately, this allows administrators to spend more time dealing with risky employee behavior and addressing the underlying security issues that create those vulnerabilities.


Dennis Dillman is the VP of Security Awareness at Barracuda Networks. In his role at Barracuda PhishLine, Dennis has been responsible for the rollout of an entirely new training program that is now integrated with the PhishLine platform. He has also worked with Fortune 100 ...

Elephant man, User Rank: Apprentice, 12/19/2019 | 8:16:13 AM
Phishing Awareness warrants a dedicated Fully Managed Solution
Well written and insightful article on overall user awareness. However, this is really geared towards big Fortune 500 corporations with huge security teams and budgets. But for the rest of the world with a limited budget and resources there needs to be a better and more affordable approach specifically geared towards phishing as a problem.

Phishing alone is growing so rapidly in volume and sophistication that it requires a dedicated 'Phishing Awareness' approach. I am seeing a huge jump by industry into the phishing simulation market. It seems that everyone is offering a platform to run phishing campaigns now. Businesses offering this love the licensing/subscription model where you supply a COTS tool to the client and they have to run everything themselves. It is favorable to business because this model is scalable to meet the demand created by sales/marketing and it also creates a sellable asset for the company. The problem lies in the fact that these companies then become sales organizations - not value providers.

With Phishing Awareness specifically this model is extremely flawed. The gap between the levels of sophistication of real attacks versus what an administrator working with tools can manage is huge and growing rapidly. Add to this the attempts to educate employees with 10 different "security awareness" topics and you just confuse people with rocket scientology. I saw one marketing campaign recently where the provider is flaunting 500+ training modules, videos and games. What the hell do you do with that as an administrator?

The industry knows this and some will claim that the Phishing simulations are merely a tool to gather metrics on the overall security awareness effort. Look, Phishing is a big enough problem in itself that it warrants a dedicated fully managed and coordinated program by a provider with experience. Experience in creating a coordinated series of phishing campaigns that ensures that the gathered metrics are comparing apples to apples. And that these metrics come from a methodology that guarantees results. This is not easy by any stretch. Giving someone a tool with a thousand simulations that vary from ridiculously easy to 'moderately' difficult is not enough. You need a managed service with simulations that are customized to your organization and range from easy to extremely difficult. This can't be done by an inexperienced administrator playing with an overwhelming platform.

Here is the big secret.... I can tell you first hand that a well coordinated and fully managed program matched to an organization's culture and needs can reduce the click rate by over 90% with simulations alone - in one year. Add a Phishing training module to address the identified weak links (clickers) and you can drive continuous improvement.... no rocket scientology needed. If you are looking to address Phishing specifically then don't play into the hands of businesses trying to sell you a tool you have to put at least one dedicated salaried admin on who then has to spend a year learning the hard way with poorly chosen campaigns.