12/17/2019 11:40 AM
Dennis Dillman
Commentary

Don't Make Security Training a 'One-and-Done'

How to move beyond one-off campaigns and build a true security awareness program.

Employee training plays a role in cybersecurity that is just as important as any technology. 

Too often, however, that training is approached as a one-off security campaign. Once the training activities are checked off the to-do list, they're likely forgotten by both administrators and employees.

But security awareness isn't a one-and-done problem. To address the expanding number of cybersecurity threats, companies need a comprehensive security awareness training program. The program should be well-designed and built to solve the company's most pressing security problems. Creating a plan begins with a few critical steps:

  • Identify the essential security topics facing the organization.
  • Determine what type of information can best educate users about those topics.
  • Map out the security program, and determine the timing of each security campaign.
  • Create campaigns that build on each other.
  • If there is redundancy in the program, make sure it's intentional, as part of a plan to retest end users on what they learned in previous campaigns.

How a Fortune 500 Company Revamped Its Approach
A Fortune 500 company we work with recently saw significant improvements in the results of its security awareness program after rethinking its approach. The company's security awareness program is built around a cybersecurity ambassadors program, which worked with roughly 100 volunteers who helped spread the message about security awareness to their team or office. But that wasn't enough. 

"What I was finding [is that] people are busy with their workloads, so security is the last thing on their mind," explains one member of the company's security awareness team. "To make the cybersecurity ambassadors program really successful, we needed to look at it as managing people."

To take the program to the next level, the security awareness team changed the way it engaged with the ambassadors, increasing communication from monthly to weekly, keeping messages fun and attention-grabbing, and sharing intel and insights that make the group feel like insiders. The team also started giving ambassadors more opportunities to take the lead on security awareness projects and customize what works best for their team or location. These changes improved morale and got the ambassadors more invested in the program. 

The change in approach paid off. The organization went from a 42% click rate on simulated phishing attacks in March 2018 to just 5% by the end of the third quarter that year. 

The company also expanded its security awareness computer-based training program and increased the frequency of simulated phishing attacks. Initially, team members were only phishing half of the company's population every other month. But they stepped that up in early 2018 to include all employees and started sending simulated attacks on a monthly basis.   

Team members say these changes helped them focus on repeat clickers: because the simulations ran more often, they could identify those individuals more quickly, give them additional training, and work with them to improve. As the simulated phishing attacks became more frequent, the team also stepped up communication about how to report suspicious emails, and the combination was effective. The rate at which employees reported suspicious messages to the incident response team rose from 20% to 68%.

How Computer-Based Training Can Help
One reason that companies scramble to throw together one-off security campaigns at the expense of creating a valid program is that gathering and distributing the material and performing the testing takes time. If the program and specific campaigns aren't planned ahead of time, administrators wind up reinventing the wheel every few months when it's time for the next campaign. 

With the advent of security awareness computer-based training solutions, it's possible to largely automate the creation and initiation of multiple security awareness campaigns. The programs are customizable, and administrators can choose from a variety of simulation templates, landing pages, risk assessment surveys, and other content, making it easier for program administrators to schedule related campaigns with recommended content, each component building on the previous one. Campaigns begin and end at specified intervals, and managers receive an email with their results report.

Building a Risk Profile
Having access to performance data from the campaigns is critical because it creates a two-way flow of information. Users must be aware of the security threats they face, and administrators need visibility into the risks the company faces from employees. An awareness program should provide data from each campaign that administrators can use to direct future training and education efforts.

That data shouldn't just include what each user did, but also a snapshot of the state of their equipment and software. Users who click on a risky link often have other poor technology habits as well, such as running browsers or operating systems that need updating, outdated plug-ins, or unapproved software on their devices. The reports should also include the source IP address of each click, so that an administrator can tell whether employees are handling company mail from public Wi-Fi networks or connecting without the required VPN.

Having that data helps administrators make better assessments and gain a clear picture of the average risk profile among users. This is essential to building an accurate risk profile for the organization, so that administrators can then take the appropriate steps to address any problems or weak spots. Once the risk profile is established, it could mean more training, coaching, or even an investment in new software or hardware to ensure everything is up to date.
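The two data points the case study above turns on (click rate and report rate per campaign, plus the list of repeat clickers) and the risk-profile signals just described (a click arriving from an address outside the corporate network or VPN) are all simple aggregations over per-recipient campaign results. The following is an added example, not code from the article or from any vendor's platform; the record layout, the trusted address ranges and the sample results are constructed for illustration.

```python
"""Aggregate simulated-phishing results into per-campaign metrics and per-user
risk signals.  Added example: the Result layout, TRUSTED_NETS and SAMPLE are
constructed for illustration and are not exported from any real product."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Ranges treated as "on the corporate network or VPN".  Assumption for this
# example; substitute the organization's real address space.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]


@dataclass(frozen=True)
class Result:
    campaign: str            # one simulated phish per month, e.g. "2018-03"
    user: str
    clicked: bool            # followed the lure link
    reported: bool           # used the report-suspicious-email button
    src_ip: Optional[str]    # client address seen by the landing page, None if no click


def campaign_metrics(results):
    """Click rate and report rate per campaign, as fractions of recipients."""
    per = defaultdict(lambda: {"recipients": 0, "clicks": 0, "reports": 0})
    for r in results:
        c = per[r.campaign]
        c["recipients"] += 1
        c["clicks"] += int(r.clicked)
        c["reports"] += int(r.reported)
    return {
        name: {
            "click_rate": round(c["clicks"] / c["recipients"], 3),
            "report_rate": round(c["reports"] / c["recipients"], 3),
        }
        for name, c in sorted(per.items())
    }


def repeat_clickers(results, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns:
    the group to prioritize for coaching rather than for another video."""
    clicks = defaultdict(set)
    for r in results:
        if r.clicked:
            clicks[r.user].add(r.campaign)
    return sorted(u for u, cs in clicks.items() if len(cs) >= min_campaigns)


def off_network_clicks(results, trusted=TRUSTED_NETS):
    """Clicks whose source address lies outside the trusted ranges, i.e. a
    user handling mail from an untrusted network without the required VPN."""
    flagged = []
    for r in results:
        if r.clicked and r.src_ip:
            addr = ip_address(r.src_ip)
            if not any(addr in net for net in trusted):
                flagged.append((r.campaign, r.user, r.src_ip))
    return flagged


# Constructed sample: two monthly campaigns sent to the same five recipients.
SAMPLE = [
    Result("2018-03", "alice", True,  False, "10.20.1.15"),
    Result("2018-03", "bob",   True,  False, "203.0.113.42"),  # public Wi-Fi, no VPN
    Result("2018-03", "carol", False, True,  None),
    Result("2018-03", "dave",  False, False, None),
    Result("2018-03", "erin",  True,  True,  "10.20.1.77"),    # clicked, then reported
    Result("2018-04", "alice", False, True,  None),
    Result("2018-04", "bob",   True,  True,  "10.20.3.9"),
    Result("2018-04", "carol", False, True,  None),
    Result("2018-04", "dave",  False, True,  None),
    Result("2018-04", "erin",  False, False, None),
]

if __name__ == "__main__":
    for name, m in campaign_metrics(SAMPLE).items():
        print(f"{name}: click {m['click_rate']:.0%}, report {m['report_rate']:.0%}")
    print("repeat clickers:", repeat_clickers(SAMPLE))
    print("off-network clicks:", off_network_clicks(SAMPLE))
```

Run month over month, `campaign_metrics` gives the trend line the case study reports (click rate falling, report rate rising), `repeat_clickers` gives the short list to coach, and `off_network_clicks` is the one signal here that comes from the device and network side rather than from the click itself. The recipient count is the denominator for both rates, so a campaign that skips half the population, as in the "every other month" phase described above, is not directly comparable with one sent to everyone.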

That is the value of having a comprehensive security awareness training program versus a one-off campaign. Administrators can use the information they gather during each campaign to help improve the overall security awareness training initiative.

Security awareness computer-based training solutions give administrators the ability to quickly build programs from an existing library and automate data collection and reporting, which makes it easier for companies to run a professional, well-designed program without unnecessary effort. Ultimately, this allows administrators to spend more time dealing with risky employee behavior and addressing the underlying security issues that create those vulnerabilities.


Dennis Dillman is the VP of Security Awareness at Barracuda Networks. In his role at Barracuda PhishLine, Dennis has been responsible for the rollout of an entirely new training program that is now integrated with the PhishLine platform. He has also worked with Fortune 100 ...
Comments

Elephant man, User Rank: Apprentice
12/19/2019 | 8:16:13 AM
Phishing Awareness warrants a dedicated Fully Managed Solution
Well-written and insightful article on overall user awareness. However, this is really geared towards big Fortune 500 corporations with huge security teams and budgets. But for the rest of the world with a limited budget and resources, there needs to be a better and more affordable approach specifically geared towards phishing as a problem.

Phishing alone is growing so rapidly in volume and sophistication that it requires a dedicated "Phishing Awareness" approach. I am seeing a huge jump by industry into the phishing simulation market. It seems that everyone is offering a platform to run phishing campaigns now. Businesses offering this love the licensing/subscription model where you supply a COTS tool to the client and they have to run everything themselves. It is favorable to business because this model is scalable to meet the demand created by sales/marketing and it also creates a sellable asset for the company. The problem lies in the fact that these companies then become sales organizations, not value providers.

With Phishing Awareness specifically, this model is extremely flawed. The gap between the levels of sophistication of real attacks versus what an administrator working with tools can manage is huge and growing rapidly. Add to this the attempts to educate employees with 10 different "security awareness" topics and you just confuse people with rocket scientology. I saw one marketing campaign recently where the provider is flaunting 500+ training modules, videos and games. What the hell do you do with that as an administrator?

The industry knows this and some will claim that the Phishing simulations are merely a tool to gather metrics on the overall security awareness effort. Look, Phishing is a big enough problem in itself that it warrants a dedicated fully managed and coordinated program by a provider with experience. Experience in creating a coordinated series of phishing campaigns that ensures that the gathered metrics are comparing apples to apples. And that these metrics come from a methodology that guarantees results. This is not easy by any stretch. Giving someone a tool with a thousand simulations that vary from ridiculously easy to 'moderately' difficult is not enough. You need a managed service with simulations that are customized to your organization and range from easy to extremely difficult. This can't be done by an inexperienced administrator playing with an overwhelming platform.

Here is the big secret... I can tell you first hand that a well-coordinated and fully managed program matched to an organization's culture and needs can reduce the click rate by over 90% with simulations alone, in one year. Add a phishing training module to address the identified weak links (clickers) and you can drive continuous improvement... no rocket scientology needed. If you are looking to address phishing specifically, then don't play into the hands of businesses trying to sell you a tool you have to put at least one dedicated salaried admin on, who then has to spend a year learning the hard way with poorly chosen campaigns.