When it comes to security, it pays to be completely honest with yourself. After all, you may be able to hide weaknesses in your network from yourself, but that won’t stop threat actors from finding them.
If you are totally honest with yourself, you’ll realize there’s no way to completely shield your users from attacks.
You can tighten your spam filter, keep a watchful eye on user permissions, and buy the best endpoint security package you can afford… but still, some attacks will make it through. And if your users are like most people, right now they aren’t even close to being ready to cope with that. We explored this previously in Why Some Phishing Emails Will Always Get Through Your Spam Filter.
We believe people can be the last line of your network defense – and do a damn good job of it – but first they have to be trained.
Here are a few ideas to get you started.
Forget About Compliance
Compliance requirements are, perhaps, the worst thing to ever happen to security awareness training.
That might seem an extreme statement, but think about it. In order to comply with the extremely widespread PCI DSS, organizations are required to run users through their data security policy once per year.
Does clicking ‘Agree’ really constitute training? Of course not. But, sadly, this is about as close to security awareness training as many organizations get.
So forget about compliance for a moment.
If you had to come up with a training plan to help your users identify and report phishing emails, for example, how would it look? We’re willing to bet it wouldn’t bear much resemblance to the training you currently have in place.
Most of the time when security experts claim that awareness training doesn’t work, it’s because they’re considering the impact of purely compliance-based training. Of course it doesn’t work. It’s boring, it barely touches on the main attack vectors, and it comes around once per year.
If you really want to develop awareness training that enhances your security program, you must break the cycle to create engaging, informative training that’s designed to change behaviors, not simply satisfy compliance.
Attend our webinar Why People Are Your Network's Greatest Vulnerability where we discuss why your employees will be exposed to social engineering attacks, how you can empower your employees to spot phishing emails more readily, and how they can become security assets for your organization.
Make People Care
The most important thing to consider when developing awareness training is that your users don’t care about security.
Frustrating, perhaps, but true. Your users are busy people who don’t know the first thing about network security, and right now they’re happy to be ignorant.
And if they don’t care, they won’t change. Clearly, this is the first obstacle you’ll need to overcome.
Your security awareness training has to win people over to your way of thinking, and get them on side in the fight against incoming attacks. Don’t forget, you don’t just want to educate people, you want to change their security behaviors, so full engagement is absolutely essential.
And making your users care about security might be easier than you think. As a starting point, help your users to understand what attacks they’re likely to face, and what the potential impact of those attacks could be. Once they start to realize the dangers of poor security behavior, they’ll at least have a good reason to change.
But of course, there’s more to it than that.
These are still busy people, and just like everybody else they have dozens of things they know they should be doing, but which they never actually do. To combat this, your program must include some of the elements that are proven to help people remember and act upon training.
For starters, the once-per-year training program can go straight in the trash. Nobody can reliably recall information they’ve only been presented with once, so repetition and reinforcement are key to an effective security awareness training program.
But it turns out that since most of us left school, a few other things have been discovered about the ways people learn. Repetition is definitely important, but it isn’t everything.
In order to truly change behaviors, your training program should be presented via at least a few different mediums – text, audio, and video for example – and include specific actions for your users to take.
Test, Test, Test
The only legitimate way to ascertain the effectiveness of your training program is to test your users. And how do you do that? By presenting them with the situations you’re preparing them for, and scoring their performance.
Want to see whether your users are ready to identify and report phishing emails? Phish them.
Want your users to challenge visitors without clearly displayed security passes? Hire someone to try to talk their way into your buildings.
Wondering if your users are susceptible to phone scams? Try scamming them over the phone.
This direct route is surprisingly uncommon, but undeniably effective. If the results you get aren’t as positive as you’d hoped, go back and identify areas of your training program that could be improved.
And of course, you can’t just test once. Both training and testing programs must be a continual process if you’re to see real improvement.
You can always back off with particular users if they demonstrate over time that their security behaviors are at an acceptable level. Recognizing desirable behaviors is essential to the reinforcement process, and this additional freedom could even be considered a form of reward in itself.
And, of course, for those users who don’t measure up, you can provide additional support to bring them up to the desired level.
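To make the scoring and follow-up described above concrete, here is an added example (not code from the original post) that takes constructed phishing-simulation results, scores each user on their most recent campaigns so that improvement counts, and recommends whether to reduce their test cadence, keep it, or offer additional support. The outcome weights, window size and thresholds are assumptions to be tuned for your own program.

```python
from collections import defaultdict

# Constructed sample of phishing-simulation results (not real data):
# (user, campaign_index, outcome), outcome is "reported", "ignored" or "clicked".
SIMULATION_RESULTS = [
    ("alice", 1, "clicked"), ("alice", 2, "ignored"), ("alice", 3, "reported"),
    ("alice", 4, "reported"), ("alice", 5, "reported"),
    ("bob", 1, "clicked"), ("bob", 2, "clicked"), ("bob", 3, "ignored"),
    ("bob", 4, "clicked"), ("bob", 5, "clicked"),
    ("carol", 1, "reported"), ("carol", 2, "ignored"), ("carol", 3, "ignored"),
]

# Assumed weights: reporting is the behaviour we want, ignoring is neutral,
# clicking is the failure mode the training is meant to prevent.
OUTCOME_SCORE = {"reported": 1.0, "ignored": 0.5, "clicked": 0.0}
WINDOW = 3           # only the most recent campaigns count, so improvement is rewarded
ACCEPTABLE = 0.8     # mean windowed score at or above this: back off the test cadence
NEEDS_SUPPORT = 0.4  # below this: offer additional support, never punishment


def windowed_scores(results, window=WINDOW):
    """Mean score of each user's most recent `window` campaigns, in campaign order."""
    by_user = defaultdict(list)
    for user, _campaign, outcome in sorted(results, key=lambda r: r[1]):
        by_user[user].append(OUTCOME_SCORE[outcome])
    return {u: sum(s[-window:]) / len(s[-window:]) for u, s in by_user.items()}


def recommend(results, window=WINDOW):
    """Map each user to (score, next action) following the program's rules."""
    plan = {}
    for user, score in windowed_scores(results, window).items():
        if score >= ACCEPTABLE:
            action = "reduce cadence"
        elif score < NEEDS_SUPPORT:
            action = "additional support"
        else:
            action = "keep cadence"
        plan[user] = (round(score, 2), action)
    return plan


if __name__ == "__main__":
    for user, (score, action) in recommend(SIMULATION_RESULTS).items():
        print(f"{user}: score={score} -> {action}")
```

Because only the most recent window is scored, a user who clicked early on but now reports consistently is recognised for the improvement rather than carrying old failures forever.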
But whatever you do, don’t make your security program feel like a burden. ‘Punishing’ underperformers is almost always counterproductive, and is far more likely to result in apathy and resentment than improvement.
At the end of the day, if you’re in a particularly sensitive industry, and you have a single individual who persistently fails to improve despite additional support, you have a tough decision to make.
We have clients who, when faced with this decision, have let specific employees go under these circumstances. That may seem excessive, but you have to keep your ultimate goals in sight, and when you consider the potential ramifications of poor security behavior it does seem sensible to draw the line somewhere.
Get With the Program
If you take anything from this post – and we sincerely hope you do – we hope it will be that you have the power to improve security behaviors within your organization.
Of course, in this post we’ve really just scratched the surface of effective training. If you want success, security awareness training programs can never be an afterthought. You must invest fully in the process, and refine your training and testing programs over time.
But if you do these things right, and you really make the effort to engage with and educate your employees, your security program will be truly world class.