informa

Cybersecurity In-Depth

6 MIN READ
The Edge

9 New Tactics to Spread Security Awareness

Employees are often your first line of security defense when the bad guys come calling -- providing your workers are properly trained. Security leaders share how they're raising awareness.

(Image: Kraisorn via Adobe Stock)
(Image: Kraisorn via Adobe Stock)

Sometimes security awareness training is ineffective. Sometimes it's considered in poor taste.

For example, in a move that was criticized earlier this year, newspaper giant Tribune Publishing sent out a phishing simulation to staff. The "lure" was the promise of a bonus between $5,000 and $10,000. The email instructed employees to log in to "view your end of year bonuses." And when they did, they received a notification of enrollment in a computer security training program. However, the awareness campaign raised eyebrows because Tribune Publishing had recently laid off and furloughed many employees.  

Perry Toone, founder of email service firm TheXYZ, says a similarly disastrous experiment with phishing employees led him to abandon the tactic.

"We created a fake phishing site and encouraged users to click a link in an email," he says. "When they did, we informed them that they had failed the phony phishing test. It turned out, this was not a good idea. Many people freaked out, thinking they have been hacked. Wouldn't do it again."

OK, so these are both examples of awareness training that fell flat. But what's working these days? The Edge reached out to several security leaders to hear about the new tactics they are employing to evangelize security in their organizations these days.

(Image: artinspiring via Adobe Stock)
(Image: artinspiring via Adobe Stock)

Make It a Game

People learn by doing, and at Auth0, a secure authentication provider, they have created challenges that promote both education and excitement, according to Duncan Godfrey, senior director of security and compliance at Auth0.

First, an internal bug hunt encourages employees to safely uncover and report vulnerabilities, in addition to identifying threats and critical errors within corporate infrastructure.

"This challenge promotes healthy competition among our employees and introduces an exciting, yet productive mission within our day-to-day work," says Godfrey. "Any employee that discovers a high or critical severity is recognized companywide by our internal Hall of Fame and receives Auth0 swag prizes."

The second challenge focuses on phishing: Employees are asked to "think like a hacker" and attempt to phish Auth0's security culture manager.

"This challenge, which is conducted in a controlled and safe manner, introduces a fun task for our employees that allows them to better understand the types of attacks they work to prevent day in and day out," Godfrey says.

(Image: Looker_Studio via Adobe Stock)
(Image: Looker_Studio via Adobe Stock)

Onboard Employees Along With Training

Before employees wander too far inside a corporation's walls (or network), they should receive some awareness training, says Johanna Baum, CEO and founder of S3 Consulting.

"At S3, each client has a mandatory attendance once credentials are issued through on-boarding to attend training," she says. "Without successful completion, they can't complete the on-boarding process or the distribution of some assets."

(Source: Yury Kisialiou via Adobe Stock)
(Source: Yury Kisialiou via Adobe Stock)

Remove the Stigma

Everyone makes mistakes, says Tim Sadler, CEO and co-founder of email security firm Tessian, "but people control more sensitive data than ever before, like customer, financial, and employee information. This means that even the smallest mistakes, like accidentally sending an email to the wrong person, can cause significant damage to a company's reputation."  

Sadler advocates for making awareness more pervasive by "deshaming" the reporting of mistakes.

"Companies need to create a security culture that encourages employees to report their mistakes to IT," he says. "Otherwise these mistakes will continue happening – but without visibility into how or why they're happening."  

(Source: yavdat via Adobe Stock)
(Source: yavdat via Adobe Stock)

Consider Your Audience

In order for security awareness to be as successful as possible, security leaders need to ensure programs are actionable and relatable for end users, says Will Carlson, director of content operations at cybersecurity training company Cybrary.

He suggests "purpose-matching awareness training" to the roles end users are involved in regularly.

"Training cashiers about private health information isn't just a waste of company time -- it also erodes end-user engagement in the awareness program," he says.

(Source: melita via Adobe Stock)
(Source: melita via Adobe Stock)

Tailor Training to Age

Tessian's Sadler also thinks organizations need to tailor security training to consider what motivates various age groups.

"For example, our data shows being respected at work is important to older generations, so they may be more reluctant to admit they've made a mistake because they don't want to 'lose face,'" he says. "Younger employees, on the other hand, are more interested in seeking knowledge, so we should be teaching them the techniques that hackers will use to target them so they know what to look out for."

(Source: PureSolution via Adobe Stock)
(Source: PureSolution via Adobe Stock)

Make Use of Multiple Mediums

Carousel Industries, an IT and managed services firm, adopted an "omnichannel delivery" system for cybersecurity awareness and education, according to Jason Albuquerque, CSO and CIO.

"We now issue a twice-per-month cybersecurity bulletin to all employees," he says. "It is all based on modern communications mediums -- short videos, industry articles, emails, Microsoft Teams messages, and more -- that are digestible and educational. This has been a godsend for us. Our staff are much more receptive to this type of content delivery.

Albuquerque says he plans to expand the program to include SMS messages by using contact center technologies, knowledge bases, and artificial intelligence to be faster and more targeted with the information.

(Image: NicoElNino via Adobe Stock)
(Image: NicoElNino via Adobe Stock)

Embed Security Training for Developers

DevSecOps, the culture of embedding security into the design of software at the outset, is catching fire in many organization. But even if you don't have DevSecOps program in place yet, consider giving your developer special training of their own when it comes to security awareness.

"Training should be an intrinsic part of DevOps, rather than a separate task," says Matthew Rose, global director of application security at Checkmarx. "Developers like to stay within their preferred environments, and if training takes them out of that, they'll view it as burdensome and frustrating rather than informative and motivational."

Jerry Gamblin, manager of security and compliance at Kenna Security, agrees.

"Organizations should spend time cultivating tribal security knowledge in their DevOps teams by helping to facilitate security center content, which can include specialized language security training, paying for security conferences, or providing a security library of books related to secure DevOps and coding," he says.

(Source: Sushiman via Adobe Stock)
(Source: Sushiman via Adobe Stock)

Bring It Home

With so many people now working from home these days, that means other family members may be using the same router to access both work and school.

"Given this reality, I believe it is important to engage everyone in the family in cybersecurity training," says Pam Nigro, vice president of information technology and security officer at Home Access Health Corp. and an ISACA board director.

Nigro's team has created easy messages for parents to share with children as part of the effort to help educate everyone.

"We have been holding coloring contests with different age appropriate messages about staying safe online, including offering an option for older children to create their own drawings or montages around the weekly theme," she says. "We have a drawing in the two age groups for a $50 Amazon gift card." 

Chris Henderson, director of information security at Datto, a provider of cloud-based software, says he is also working on efforts to help remote employees improve security posture.

"Datto has also been providing employees' with assessments of their home security posture, providing them assistance with securing their router and endpoints to ensure our new remote environment leaves no openings for an attack," he says.

(Image: hoya via Adobe Stock)
(Image: hoya via Adobe Stock)

Find Security Marshals

Harman Singh, managing consultant and director of professional services at security firm Cyphere, recommends identifying enthusiastic employees who will help the security team evangelize security's message.

"Just like fire drills at offices, selecting and training 'security marshals' from each department who can be go to contacts to help their team mates to ensure quicker response," he says. "This acts as more effective social tool internally."