Security awareness training gets a much-needed reboot

New methods of educating employees about risks are more effective at protecting company data


Using innovative strategies, some companies may be erasing employee security training's reputation for ineffectiveness.

Security training "got a bad rap, because it was so bad," says Steve Conrad, the founder and managing director of MediaPro, a Bothell, Washington-based security awareness training company with such clients as Microsoft, Yahoo and Adobe.

Steve Conrad, MediaPro founder and managing director

Old training methods "usually consisted of slide presentations—or their online equivalent—that were super dull and could last an hour or two," he says. "Employees were expected to sit through this, either at their desks or in a group, and come away with knowledge gained. And that was it. Awareness training was once and done, and it just didn't work."


Stu Sjouwerman, founder and CEO of KnowBe4, a security awareness training company founded in 2010 and based in Clearwater, Florida, says "old-school security training" often stems from "classical break-room sessions where employees are kept awake with coffee and doughnuts and exposed to death by PowerPoint."

Those days are over, according to officials of the two companies.

MediaPro—which was founded in 1992 and has focused on security awareness training programs as a product since 2003—says it's an e-learning company that bases its training on proven adult learning principles, providing educational content in a way that learners remember.

"This concept extends beyond the training courses themselves," Conrad says, "to our focus on consistent reinforcement of key learning principles through extracurricular content such as games, videos and posters, as well as phishing simulation exercises."

Phishing exercises help change behavior

KnowBe4, Sjouwerman says, sends frequent simulated phishing attacks to train employees "to stay on their toes."

Both companies believe that employees' most common security mistake is falling for an email phishing scam.

Stu Sjouwerman, KnowBe4 founder and CEO

"Bad guys have come up with all sorts of creative ways to convince employees to click on a link or send sensitive information via a spoofed (sender) address," he says.

Clicking on a link in a suspicious email and opening an infected attachment can be avoided, Sjouwerman says, "by recognizing red flags." Red flags include receiving an email from a suspicious domain or address you don't ordinarily communicate with, or one sent at an unusual time such as 3 a.m.
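The red flags described above can be turned into a simple triage check that a mail gateway or mailbox add-in could run before a message reaches the employee. The following Python script is an added example written for this article; it is not code from MediaPro, KnowBe4 or the article's author. It assumes a list of the recipient's usual correspondents (`KNOWN_CONTACTS`, which a real deployment would derive from sent-mail history), an assumed working-hours window, and a handful of constructed sample messages. It flags three things: a sender address or domain the recipient does not ordinarily communicate with, a display name that copies a known contact while the address differs (the spoofed-sender case mentioned earlier), and a send time outside working hours.

```python
from dataclasses import dataclass
from datetime import datetime
from email.utils import parseaddr
from typing import Dict, List

# Constructed sample data (assumption): the recipient's usual correspondents.
# In a real deployment this would be built from the mailbox's sent history.
KNOWN_CONTACTS: Dict[str, str] = {
    "alice@example.com": "Alice Example",
    "billing@vendor-example.net": "Vendor Billing",
}
KNOWN_DOMAINS = {addr.split("@", 1)[1] for addr in KNOWN_CONTACTS}

# Assumed working hours in the recipient's local time: 07:00 to 19:59.
WORK_HOURS = range(7, 20)


@dataclass
class Message:
    from_header: str   # raw value of the From: header
    sent_at: datetime  # send time, already converted to the recipient's local time
    subject: str


def red_flags(msg: Message) -> List[str]:
    """Return the list of red flags raised by one message (empty if none)."""
    flags: List[str] = []
    display_name, address = parseaddr(msg.from_header)
    address = address.lower()
    domain = address.rsplit("@", 1)[1] if "@" in address else ""

    # Red flag 1: a domain or address the recipient does not ordinarily talk to.
    if not domain:
        flags.append("malformed or missing sender address")
    elif address not in KNOWN_CONTACTS:
        if domain in KNOWN_DOMAINS:
            flags.append(f"unfamiliar address at a known domain: {address}")
        else:
            flags.append(f"unfamiliar sender domain: {domain}")

    # Red flag 2: display name copied from a known contact, but the address differs.
    claimed = display_name.strip().lower()
    for known_addr, known_name in KNOWN_CONTACTS.items():
        if claimed and claimed == known_name.lower() and address != known_addr:
            flags.append(
                f"display name '{display_name}' matches a known contact "
                f"but the address is {address}"
            )
            break

    # Red flag 3: sent at an unusual hour, e.g. 3 a.m.
    if msg.sent_at.hour not in WORK_HOURS:
        flags.append(f"sent at an unusual time: {msg.sent_at:%H:%M}")

    return flags


def triage(messages: List[Message]) -> Dict[str, List[str]]:
    """Map each message subject to its red flags, for review by a mail team."""
    return {m.subject: red_flags(m) for m in messages}


# Constructed sample messages (assumption), not real traffic.
SAMPLE_MESSAGES = [
    Message("Alice Example <alice@example.com>",
            datetime(2017, 3, 14, 10, 15), "Quarterly numbers"),
    # Lookalike domain (digit 1 for letter l), borrowed display name, sent at 3 a.m.
    Message("Alice Example <alice@examp1e.com>",
            datetime(2017, 3, 14, 3, 2), "Urgent: wire transfer"),
    # Unknown mailbox at a domain the recipient does know.
    Message("IT Helpdesk <helpdesk@example.com>",
            datetime(2017, 3, 14, 14, 0), "Password reset required"),
]

if __name__ == "__main__":
    for subject, flags in triage(SAMPLE_MESSAGES).items():
        verdict = "OK" if not flags else "REVIEW"
        print(f"[{verdict}] {subject}")
        for flag in flags:
            print(f"    - {flag}")
```

Run as-is, the first sample passes cleanly, the second raises all three flags, and the third raises only the unfamiliar-address flag. The point of the script is the same as the article's: each flag is a cue an employee can learn to spot without tooling, and a gateway that surfaces the same cues reinforces the training rather than replacing it.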

No company is immune to such scams, Conrad says, "but simulated phishing campaigns aimed at an organization's employees teamed with comprehensive cybersecurity education can go a long way toward changing risky employee behavior."

Technical safeguards against phishing scams exist, "but no organization should rely on those alone," he says. "Social engineering—the basis of phishing scams—is such an effective way into the sensitive data of an organization, because it completely bypasses these technical safeguards and goes after what is most companies' weakest link: the human."

Workers' weak spot

Why do employees engage in risky behaviors when cybersecurity threats are so abundant?

"It's likely a combination of being busy and being exposed to so many technological sources of distraction on a daily basis," Conrad says.

Sjouwerman mentions another reason. "No one ever took the time to enlighten them about the clear and present danger that risky behavior can really cause, especially in an office environment."

A 2016 study by PhishMe, a Virginia-based phishing threat management company, found that 91 percent of cyber attacks and the resulting data breaches begin with a spear phishing email.

Another study done last year by LastPass, a Virginia-based password management service, found that 91 percent of respondents know it's risky to reuse passwords for multiple online sites, but 61 percent do it anyway. The study also found that the No. 1 reason respondents changed their password was because they forgot it, and only 29 percent changed it for security reasons.

Employees' risky behaviors have prompted an increasing number of companies to provide better security training.

"I think this is a really exciting time in the market: Huge numbers of companies are committing to doing real education, and we're seeing exciting innovations in the variety of content that is available," Conrad says. "I like to think that the age of boring people about security is over, and we're entering an era where people are going to be motivated and engaged by education around these issues."

Repetition is key

Employee training, Conrad says, needs to be more frequent than an annual affair.

"Learners need to hear something more than once for it to stick—just ask any ad executive or marketing jingle writer," he says. "Think about what makes up an advertising campaign: a series of messages that share a single idea or theme, transmitted via different media channels on a regular basis, for an extended period of time—with the singular goal of influencing consumer behavior.

"A great security awareness initiative should look like a great advertising campaign. Repeated, consistent messages delivered throughout the month, quarter or year, whatever cadence is appropriate for a given organization."
