Dennis Dillman
Don't Make Security Training a 'One-and-Done'

How to move beyond one-off campaigns and build a true security awareness program.

Employee training plays a role in cybersecurity that is just as important as any technology. 

Too often, however, that training is approached as a one-off security campaign. Once the training activities are checked off the to-do list, they're likely forgotten by both administrators and employees.

But security awareness isn't a one-and-done problem. To address the expanding number of cybersecurity threats, companies need a comprehensive security awareness training program. The program should be well-designed and built to solve the company's most pressing security problems. Creating a plan begins with a few critical steps:

  • Identify the essential security topics facing the organization.
  • Determine what type of information can best educate users about those topics.
  • Map out the security program, and determine the timing of each security campaign.
  • Create campaigns that build on each other.
  • If there is redundancy in the program, make sure it's intentional, as part of a plan to retest end users on what they learned in previous campaigns.

How a Fortune 500 Company Revamped Its Approach
A Fortune 500 company we work with recently saw significant improvements in the results of its security awareness program after rethinking its approach. The company's program is built around a cybersecurity ambassadors program of roughly 100 volunteers who help spread the security awareness message to their own team or office. But that alone wasn't enough.

"What I was finding [is that] people are busy with their workloads, so security is the last thing on their mind," explains one member of the company's security awareness team. "To make the cybersecurity ambassadors program really successful, we needed to look at it as managing people."

To take the program to the next level, the security awareness team changed the way it engaged with the ambassadors, increasing communication from monthly to weekly, keeping messages fun and attention-grabbing, and sharing intel and insights that make the group feel like insiders. The team also started giving ambassadors more opportunities to take the lead on security awareness projects and customize what works best for their team or location. These changes improved morale and got the ambassadors more invested in the program. 

The change in approach paid off. The organization went from a 42% click rate on simulated phishing attacks in March 2018 to just 5% by the end of the third quarter that year. 

The company also expanded its security awareness computer-based training program and increased the frequency of simulated phishing attacks. Initially, team members were only phishing half of the company's population every other month. But they stepped that up in early 2018 to include all employees and started sending simulated attacks on a monthly basis.   

Team members say these changes helped them focus on repeat clickers because they were able to identify those individuals more quickly, increase their training, and work with them to improve. Once they started sending simulated phishing attacks more frequently, they also increased communication about reporting suspicious emails, and the combination was effective. Reporting to the incident department went from a 20% report rate to 68%. 

How Computer-Based Training Can Help
One reason that companies scramble to throw together one-off security campaigns at the expense of creating a valid program is that gathering and distributing the material and performing the testing takes time. If the program and specific campaigns aren't planned ahead of time, administrators wind up reinventing the wheel every few months when it's time for the next campaign. 

With the advent of security awareness computer-based training solutions, it's possible to largely automate the creation and launch of multiple security awareness campaigns. The programs are customizable: administrators can choose from a variety of simulation templates, landing pages, risk assessment surveys, and other content, which makes it easier to schedule a series of related campaigns with recommended content, each component building on the previous one. Campaigns begin and end at specified intervals, and managers receive an email with their results report.

Building a Risk Profile
Having access to performance data from the campaigns is critical because it creates a two-way flow of information. Users must be aware of the security threats they face, and administrators need visibility into the risks the company faces from employees. An awareness program should provide data from each campaign that administrators can use to direct future training and education efforts.

That data shouldn't just include what each user did, but also a snapshot of the state of their equipment and software. If users click on a risky link, they might also have other poor tech habits, such as having browsers or operating systems that need updating, old plug-ins, or unregistered software on their devices. The reports should also include IP address information so that an administrator can tell if employees are accessing confidential data on public Wi-Fi networks or not using a required VPN.

Having that data helps administrators make better assessments and gain a clear picture of the average risk profile among users. This is essential to building an accurate risk profile for the organization, so that administrators can then take the appropriate steps to address any problems or weak spots. Once the risk profile is established, it could mean more training, coaching, or even an investment in new software or hardware to ensure everything is up to date.
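The numbers the Fortune 500 section reports (campaign click rate, report rate, repeat clickers) and the per-user risk profile described in this section both come from the same raw material: one record per user per campaign, with what the user did plus a snapshot of device state and source network. The following Python is an added example written for this article, not code from Barracuda PhishLine or any product the article mentions. The record layout, the assumed corporate address range 10.20.0.0/16, and the scoring weights are assumptions, and the sample records are constructed; the public-looking source addresses come from the RFC 5737 documentation ranges.

```python
"""Turn simulated-phishing campaign results into campaign metrics and
per-user risk profiles (added example; record layout and weights are assumptions)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed corporate address space: access from outside it without the VPN
# is treated as "off network" (e.g. public Wi-Fi without the required VPN).
CORPORATE_NETS = [ip_network("10.20.0.0/16")]

# Constructed sample records (not real data). One record per user per campaign:
# what the user did plus a device/network snapshot at the time of the simulation.
SAMPLE_RESULTS = [
    {"campaign": "2018-03", "user": "alice", "clicked": True,  "reported": False,
     "browser_outdated": True,  "source_ip": "203.0.113.7",  "vpn": False},
    {"campaign": "2018-03", "user": "bob",   "clicked": True,  "reported": False,
     "browser_outdated": False, "source_ip": "10.20.0.5",    "vpn": True},
    {"campaign": "2018-03", "user": "carol", "clicked": False, "reported": True,
     "browser_outdated": False, "source_ip": "10.20.0.9",    "vpn": True},
    {"campaign": "2018-04", "user": "alice", "clicked": True,  "reported": False,
     "browser_outdated": True,  "source_ip": "198.51.100.3", "vpn": False},
    {"campaign": "2018-04", "user": "bob",   "clicked": False, "reported": True,
     "browser_outdated": False, "source_ip": "10.20.0.5",    "vpn": True},
    {"campaign": "2018-04", "user": "carol", "clicked": False, "reported": True,
     "browser_outdated": False, "source_ip": "10.20.0.9",    "vpn": True},
    {"campaign": "2018-04", "user": "dave",  "clicked": True,  "reported": False,
     "browser_outdated": False, "source_ip": "10.20.0.12",   "vpn": True},
]


def on_corporate_network(source_ip, corporate_nets=CORPORATE_NETS):
    """True if the source address falls inside an assumed corporate range."""
    addr = ip_address(source_ip)
    return any(addr in net for net in corporate_nets)


def campaign_rates(results):
    """Per-campaign click rate and report rate as fractions of recipients."""
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for r in results:
        t = totals[r["campaign"]]
        t["sent"] += 1
        t["clicked"] += int(r["clicked"])
        t["reported"] += int(r["reported"])
    return {
        c: {"click_rate": t["clicked"] / t["sent"],
            "report_rate": t["reported"] / t["sent"]}
        for c, t in totals.items()
    }


def user_profiles(results, corporate_nets=CORPORATE_NETS):
    """Per-user risk profile across all campaigns.

    Scoring weights are illustrative assumptions: each click counts 2, clicking
    in two or more campaigns adds 3, stale software adds 1, off-network access
    without the VPN adds 2, and each reported simulation earns 1 point of credit.
    """
    per_user = defaultdict(list)
    for r in results:
        per_user[r["user"]].append(r)

    profiles = {}
    for user, recs in per_user.items():
        clicks = sum(int(r["clicked"]) for r in recs)
        reports = sum(int(r["reported"]) for r in recs)
        outdated = any(r["browser_outdated"] for r in recs)
        off_network = any(
            not r["vpn"] and not on_corporate_network(r["source_ip"], corporate_nets)
            for r in recs
        )
        repeat = clicks >= 2
        score = (2 * clicks + (3 if repeat else 0)
                 + (1 if outdated else 0) + (2 if off_network else 0) - reports)
        profiles[user] = {
            "campaigns": len(recs), "clicks": clicks, "reports": reports,
            "repeat_clicker": repeat, "outdated_software": outdated,
            "off_network_access": off_network, "score": max(score, 0),
        }
    return profiles


def repeat_clickers(profiles):
    """Users who clicked in two or more campaigns: candidates for extra training."""
    return sorted(u for u, p in profiles.items() if p["repeat_clicker"])


def prioritize(profiles):
    """Users ordered from highest to lowest risk score (ties broken by name)."""
    return sorted(profiles, key=lambda u: (-profiles[u]["score"], u))


def average_score(profiles):
    """Mean risk score across users: the organization-level view of the profile."""
    return sum(p["score"] for p in profiles.values()) / len(profiles)


if __name__ == "__main__":
    for campaign, rates in sorted(campaign_rates(SAMPLE_RESULTS).items()):
        print(f"{campaign}: click {rates['click_rate']:.0%}, report {rates['report_rate']:.0%}")
    profiles = user_profiles(SAMPLE_RESULTS)
    print("repeat clickers:", repeat_clickers(profiles))
    print("priority order:", prioritize(profiles))
    print(f"average score: {average_score(profiles):.2f}")
```

Running the block on the constructed records shows the two views the article asks for side by side: per-campaign rates for tracking the program over time, and a per-user ranking that tells an administrator whom to coach first and why (repeat clicks, stale software, or working off the corporate network without the VPN). Real deployments would replace the assumed corporate ranges and weights with their own, and treat the score as a triage aid rather than a verdict on the individual.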

That is the value of having a comprehensive security awareness training program versus a one-off campaign. Administrators can use the information they gather during each campaign to help improve the overall security awareness training initiative.

Security awareness computer-based training solutions give administrators the ability to quickly build programs from an existing library and automate data collection and reporting, which makes it easier for companies to run a professional, well-designed program without unnecessary effort. Ultimately, this allows administrators to spend more time dealing with risky employee behavior and addressing the underlying security issues that create those vulnerabilities.


Dennis Dillman is the VP of Security Awareness at Barracuda Networks. In his role at Barracuda PhishLine, Dennis has been responsible for the rollout of an entirely new training program that is now integrated with the PhishLine platform. He has also worked with Fortune 100 ...

Elephant man
User Rank: Apprentice
12/19/2019 | 8:16:13 AM
Phishing Awareness warrants a dedicated Fully Managed Solution
Well written and insightful article on overall user awareness. However, this is really geared towards big Fortune 500 corporations with huge security teams and budgets. But for the rest of the world with a limited budget and resources there needs to be a better and more affordable approach specifically geared towards phishing as a problem.

Phishing alone is growing so rapidly in volume and sophistication that it requires a dedicated "Phishing Awareness" approach. I am seeing a huge jump by industry into the phishing simulation market. It seems that everyone is offering a platform to run phishing campaigns now. Businesses offering this love the licensing/subscription model where you supply a COTS tool to the client and they have to run everything themselves. It is favorable to business because this model is scalable to meet the demand created by sales/marketing and it also creates a sellable asset for the company. The problem lies in the fact that these companies then become sales organizations - not value providers.

With Phishing Awareness specifically this model is extremely flawed. The gap between the levels of sophistication of real attacks versus what an administrator working with tools can manage is huge and growing rapidly. Add to this the attempts to educate employees with 10 different "security awareness" topics and you just confuse people with rocket scientology. I saw one marketing campaign recently where the provider is flaunting 500+ training modules, videos and games. What the hell do you do with that as an administrator?

The industry knows this and some will claim that the Phishing simulations are merely a tool to gather metrics on the overall security awareness effort. Look, Phishing is a big enough problem in itself that it warrants a dedicated fully managed and coordinated program by a provider with experience. Experience in creating a coordinated series of phishing campaigns that ensures that the gathered metrics are comparing apples to apples. And that these metrics come from a methodology that guarantees results. This is not easy by any stretch. Giving someone a tool with a thousand simulations that vary from ridiculously easy to 'moderately' difficult is not enough. You need a managed service with simulations that are customized to your organization and range from easy to extremely difficult. This can't be done by an inexperienced administrator playing with an overwhelming platform.

Here is the big secret... I can tell you first hand that a well coordinated and fully managed program matched to an organization's culture and needs can reduce the click rate by over 90% with simulations alone - in one year. Add a Phishing training module to address the identified weak links (clickers) and you can drive continuous improvement... no rocket scientology needed. If you are looking to address Phishing specifically then don't play into the hands of businesses trying to sell you a tool you have to put at least one dedicated salaried admin on who then has to spend a year learning the hard way with poorly chosen campaigns.