Not all security awareness training programs are created equal. How does yours match up?
There is a difference between an effective security awareness training program and an ineffective one. The former can protect your business from malicious email attacks, and the latter can leave you vulnerable. The gap between the two is so wide that it causes many organizations to dismiss effective security training as unworkable. After all, training results are often so poor that it is understandable why many organizations have little faith in security awareness training programs. The problem, however, is not with the concept of user training itself, but rather with the way such programs are executed.
Three ways training is typically carried out:
- Break Room Training: This approach involves gathering employees in the break room, providing lunch, and having someone from IT or a security expert lecture on topics such as phishing, spear-phishing and whaling. While better than nothing, attendance is often low, and there is little change in how often phishing succeeds after such briefings.
- Monthly Security Videos: While these short clips educate users on the many snares used by phishers to reel in unsuspecting employees, they can only be categorized as a superficial training program. On their own, they can’t be expected to do much to diminish the risk of a data breach. They also cause training fragmentation, because important topics are covered months too late.
- Phishing Tests: This approach pre-selects high-risk employees only and sends them simulated phishing emails to see how many fall for the attack. This is typically paired with some kind of educational feature such as links to training modules as well as short videos to view to increase awareness. The advantage of this method is that it offers some kind of metric about phishing. The disadvantage is that employees soon get wise to it and warn each other of the incoming emails, greatly diminishing this strategy’s effectiveness.
Clearly, when implemented individually and without clear goals, security training does not achieve its desired results. To teach its employees effectively, an organization needs goals and a specific plan of action.
4 Steps for an Effective Security Awareness Training Program
1. Develop a Coordinated Campaign that Combines Training and Phishing Simulation
While training and simulated phishing are often ineffective when implemented separately, they are remarkably effective when used together. The training teaches employees what to look out for, and phishing simulations reinforce that message.
2. Determine Baseline Phishing Susceptibility
Security awareness training can be undermined due to difficulty in measuring its impact. How exactly are you supposed to prove that it obtains results? This is where the baseline comes into play. It is vital to establish a baseline on phishing click-through rates so you know the percentage of users who open malicious emails prior to beginning an awareness training campaign. This can be accomplished by sending out simulated phishing emails to a random sample of personnel to find how many employees fall for the trap. This metric can later be used to determine how effective the campaign is.
3. Conduct Personalized Random Phishing Attacks
Sending out simulated phishing emails at regular intervals can bring about an apparent drop in phishing susceptibility in tests that doesn’t translate into the real world. Employees get used to the simulated actions of the campaign, and you ultimately have little or no impact on employee gullibility.
The way to guard against this is to use what are termed random-random simulated phishing attacks: vary both which groups receive the emails and when they are sent, choosing each at random. Personalized emails are more believable. In some cases, this can be as simple as adding the employee’s first name.
4. Practice, Practice, Practice
Keep in mind that you’re trying to change people’s behavioral patterns, which will take time and consistency. People do not change overnight, and they also forget behaviors that are not reinforced. While proper training can dramatically reduce the click-through rate on malicious links, that number can creep back up if the training is not continually reinforced.
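The following is an added example, not code from the original article or from any vendor it describes. It shows how steps 2 and 3 can be put into practice on the measurement side: picking a random sample for the baseline, generating a random-random schedule (a freshly chosen group on a freshly chosen weekday each week), and then comparing the baseline click-through rate with a follow-up rate using a Wilson confidence interval, so that a small drop caused by chance is not reported as a training success. The staff roster, group sizes and click counts are all constructed for the illustration; a real deployment would read the roster from its directory and the outcomes from its simulation platform.

```python
"""Added example (not part of the original article): a small planner for a
phishing-simulation campaign. Roster, sample sizes and outcomes are constructed."""
import math
import random
from datetime import date, timedelta

# Constructed roster; a real campaign would pull this from the identity system.
STAFF = [f"user{i:03d}@example.test" for i in range(200)]


def baseline_sample(staff, fraction=0.25, seed=None):
    """Step 2: a uniformly random sample of staff for the baseline test.
    Sampling at random (rather than hand-picking 'risky' users) is what makes
    the resulting click-through rate usable as an organization-wide baseline."""
    rng = random.Random(seed)
    k = max(1, round(len(staff) * fraction))
    return rng.sample(staff, k)


def random_random_schedule(staff, start, weeks, min_group=10, max_group=40, seed=None):
    """Step 3: random-random scheduling. Each week an independently drawn group
    of random size receives its simulated email on a random weekday offset
    (0..4 days from that week's start), so nobody can predict who is next or when."""
    rng = random.Random(seed)
    schedule = []
    for w in range(weeks):
        size = rng.randint(min_group, max_group)
        group = rng.sample(staff, size)
        send_day = start + timedelta(days=7 * w + rng.randint(0, 4))
        schedule.append((send_day, group))
    return schedule


def click_rate(clicked, sent):
    """Fraction of simulated emails that drew a click; 0.0 when nothing was sent."""
    return clicked / sent if sent else 0.0


def wilson_interval(clicked, sent, z=1.96):
    """95% Wilson score interval for a click-through proportion.
    Unlike the naive p +/- z*sqrt(p(1-p)/n), it behaves sensibly for small
    samples and for rates near 0, which is exactly where a good campaign ends up."""
    if sent == 0:
        return (0.0, 0.0)
    p = clicked / sent
    denom = 1 + z * z / sent
    centre = (p + z * z / (2 * sent)) / denom
    half = z * math.sqrt(p * (1 - p) / sent + z * z / (4 * sent * sent)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def improvement_is_meaningful(base_clicked, base_sent, new_clicked, new_sent):
    """True only when the follow-up interval lies entirely below the baseline
    interval. Overlapping intervals mean the drop may just be sampling noise,
    which is the trap the article warns about when reporting campaign results."""
    base_lo, _ = wilson_interval(base_clicked, base_sent)
    _, new_hi = wilson_interval(new_clicked, new_sent)
    return new_hi < base_lo


if __name__ == "__main__":
    sample = baseline_sample(STAFF, fraction=0.25, seed=7)
    print(f"baseline sample: {len(sample)} of {len(STAFF)} staff")
    for day, group in random_random_schedule(STAFF, date(2024, 3, 4), weeks=4, seed=7):
        print(f"  {day}: {len(group)} recipients")
    # Constructed outcomes: 15 of 50 clicked at baseline, 4 of 80 after training.
    lo, hi = wilson_interval(15, 50)
    print(f"baseline rate {click_rate(15, 50):.2f}, 95% interval {lo:.2f}-{hi:.2f}")
    print("meaningful drop:", improvement_is_meaningful(15, 50, 4, 80))
```

The comparison deliberately uses the intervals rather than the raw rates: going from 30% to 24% on fifty users each time sounds like progress but is within sampling noise, whereas 30% down to 5% on eighty users is not. Running the same comparison on each later wave is also how you notice the creep-back that step 4 describes.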
Stay tuned for next week’s email on figuring out which training program is right for you!