Setting up an effective security awareness training program
There are plenty of articles out there touting the ineffectiveness of security awareness training. I do not disagree, because a lot of solutions out there enable you to ‘check the box’ on your compliance requirement for employee training, but they do little to condition your employees not to fall victim to spear phishing attacks. We recently published a blog post on why the right kind of security awareness training is effective – and crucial.
Once-a-year compliance training for information security will not motivate your employees to change their behaviors, nor will it lead to meaningful long-term retention of the lessons. A program based on current, real-world attack data, with ongoing simulation training, will yield greater results by reducing your employees’ susceptibility to phishing attacks and conditioning them to report potential threats.
“How do I find the right solution?” you may ask. If you are looking for an effective program that goes beyond ‘checking the box’ and can turn your employees into security assets, rather than targets ripe for social engineering, you should consider a phishing simulation solution. Ideally, one that will continually test your employees throughout the year with simulated attacks, so they will be more likely to recognize and report a real phishing attack.
Questions to ask when evaluating phishing simulation solutions:
How is our current posture assessed? How is the training program developed for my organization? – In order to measure effectiveness, you have to know where you start. Conduct initial testing to determine your baseline level of susceptibility. This allows you to customize a training plan that is aligned with your current security posture and can prioritize training on the phishing techniques that pose the highest risk.
Where does the simulation content come from? Who creates the templates? – Out-of-the-box phishing emails unrelated to your business are not going to be effective tools for changing behavior. The simulation content should be based on real phishing attacks seen in the wild that are relevant to your business and likely to resemble the ones your employees will actually encounter.
How frequently is the training conducted? – Successful conditioning happens with regular training. Simulation campaigns should be conducted monthly and coupled with high-impact training at the point of failure (immediately after clicking). This approach is more likely to result in the behavioral changes desired with security awareness training. Employees will learn to recognize and report attacks, resulting in a stronger human firewall for your organization.
How will success be measured? – Measured against the baseline assessment, a good phishing simulation solution will track the performance of both the employees and the training plan on an ongoing basis. The solution should continually evaluate KPIs such as failure rates (how many recipients click) and report rates (how many recipients report the simulated email), and provide the flexibility to make adjustments as your risk posture changes.
How much effort is required on my end? – Many solutions on the market are SaaS products or toolkits that present a grand vision of what you can do, but leave you on your own to customize and execute. Look for a solution that is fully managed from start to finish, and for a provider that will partner with you to plan the training, execute it, measure results, and drive continuous improvement so that you achieve the results you want.
An initial assessment, monthly real-world-based simulated attacks, ongoing management, and performance measurement are essential parts of a successful program. If your desired outcome is to protect against phishing attacks, proper training is much more than an out-of-the-box tool.
For more on this topic, view this on-demand webinar: Turn your Employees into Security MVPs
Information on PhishLabs Employee Defense Training can be found here.