Steve Zurier | August 23, 2018

6 Reasons Security Awareness Programs Go Wrong

As seen on Dark Reading...

While plenty of progress has been made on the training front, there's still some work ahead in getting the word out and doing so effectively.

Good news on the security awareness training front: Wombat Security reports that 95% of companies they surveyed now train end users on how to identify and avoid phishing attacks, up from 86% in 2014.

Even more good news: The training also has had an impact. Roughly 54% of security pros said they have been able to quantify reductions in phishing susceptibility based on training activities, according to Wombat's "2018 State of the Phish" report.

"There's been an increase in interest over the past year," says Gretel Egan, brand communications manager for Wombat Security, which is a division of Proofpoint. "A few years ago many scoffed at the idea of security awareness training, but now they realize that it can only benefit their company."

Yet there's still some work ahead in getting the word out and doing so effectively. That means understanding where companies go wrong with their security awareness training – and how to correct it.

1. Security Pros Get Too Technical with Top Management

Security pros often get too bogged down in the details of an ongoing program and don't focus on the big picture, says Wombat Security's Egan. For example, they will tell their CEOs that they still see 15% click rates on phishing lures. First of all, no matter how hard they try, they will never get that number to zero, but the bigger point is the numbers don't mean anything to the chief execs anyway. Better to tell them that by having a security awareness program, they will save money on downtime and reduce security remediation costs. Those are bottom-line impacts that the top person will want to know about.

2. Companies Don't Spend Enough Time Training Execs With Financial Responsibilities

According to Tom Etheridge, vice president for services at CrowdStrike, companies tend to conduct security awareness training as a checklist item. But their top officials, from people on the executive board and in the C-suite to the financial team and the procurement department, require more specialized training on the cyberthreats facing their companies, he says. These people are high-value targets to cybercriminals because they all have fiduciary responsibilities, and many have access to privileged information on personal machines or company laptops. Security pros need to work with them so they can learn how to use tools such as two-factor authentication and encryption, as well as learn the proper steps they need to take to protect physical assets when they travel internationally.

3. Managers Across the Business Aren't Encouraged to Participate

Security pros typically focus on the specific person who approves their funding for an awareness program. As a result, they tend not to look across the company and speak to management peers, Wombat Security's Egan points out. By getting buy-in from the other managers, security pros can convince them to encourage their direct reports to attend the awareness training. For the rank-and-file, if their supervisors want them to participate, that's usually enough.

4. Companies Don't Recruit Natural Leaders

Egan of Wombat Security says many companies don't think of creating a task force for the security awareness program. Security pros should seek out natural leaders – people who may or may not be technical but are the life of the party at company gatherings or always speak up at companywide meetings. Get them to become advocates, and they will convince others that security awareness is important to the continued success of the company.

5. Companies Don’t Sell the Personal Benefits of Security Awareness Programs

Sure, security awareness programs will make the company safer, Wombat Security’s Egan says. But there are other wide-ranging benefits that security pros and HR staffs don't play up. Think of people who are dealing with aging parents who don't understand computers, for example. A company security awareness program can teach them the tips they can apply to helping their parents. Indeed, security awareness has become more than a business issue – it's a modern life skill issue. HR departments need to play up that training aspect when they recruit new employees. It's know-how they can take with them throughout their careers.

6. Companies Don't Plan Properly or Test Thoroughly Enough

Wombat Security's Egan says a lot of companies will just send out some phishing tests and see what happens. But before conducting any tests, it's important they are trained to think through the types of attacks that are important to monitor, how they want to group the users, and what they want to measure.

CrowdStrike's Etheridge says his teams work with companies to run tests, often attempting phishing during specific times to see how a client will perform. Broad-based phishing may work for compliance purposes or to evaluate general awareness of this tactic, he says, but it doesn't always test the true defenses of an organization. He recommends companies run more proactive red team/blue team tests that culminate with explaining to executives how they could respond more efficiently to a security issue.

Read this article on Dark Reading