From an operations perspective, the employees in your organisation are on the front lines of your business. But from a security perspective, end users are your last line of defence. They represent the final wall against a cyberattack that has penetrated the other barriers you’ve put in place; they are the decision point for malicious emails that sneak through your filters. Like it or not, users are your last chance for success in those moments. The question is: How good do you feel about their ability to defend you?
Infosec professionals have long since stopped looking for the silver bullet in cybersecurity solutions in favour of a defence-in-depth strategy. But as good as technology has gotten, we’ve still not been able to identify the right mix of technical solutions that can definitively take users out of the decision tree. Even if, at some point, someone finds a way to place an impenetrable security shield between attackers and end users, there will still be years — perhaps decades — between discovery and wide-ranging adoption. Until then — which could be forever — users will remain a factor in the cybersecurity equation.
Instead of stopping short, why not extended defence-in-depth solutions to the employees at the desktop? Security awareness training programs can help you shore up that last line of defence and better manage end-user risk.
To deliver the most effective anti-phishing education to end users, consider these key steps:
Wombat Security’s recently released 2017 Beyond the Phish™ Report — which presents data analysis about end-user cybersecurity knowledge about a range of topics — revealed that in both 2016 and 2017, phishing received the most attention from participating organisations from an assessment and training perspective. The report also showed that those efforts have been paying off; on average, end users across all industries answered fewer questions incorrectly year over year (24 per cent in 2017 vs. 28 per cent in 2016).
While the increase in phishing knowledge is a positive trend in general, there is additional value found in the ability to measure this type of progress. In evaluating security awareness training tools, it’s important to look at the metrics that will be available to you and how those translate into business intelligence. You want to be able to gain actionable information from your tools, not merely data for data’s sake, so choose your tools wisely.
It’s also important to think beyond click rates when gauging training progress. The Beyond the Phish Report shows that phishing test results only tell part of the story when it comes to susceptibility to attacks. Question-based assessments, overall training scores, and insights into most-missed questions help to provide a more rounded view of end-user knowledge. And given that risky behaviours outside of email — like improper use of free WiFi, password reuse, and poor data management practices (to name a few) — are contributing to organisational vulnerabilities, you should not only measure beyond the phish, you should assess and train beyond the phish.
In addition, you should consider the non-training data points that can help you evaluate program effectiveness, such as change over time in rates of active malware infections, PC reimages, employee downtime, helpdesk calls, and reported phishing messages. Several of these can be at least loosely — if not definitively — tied to dollars and cents. If you are delivering effective security awareness and training to employees, you should begin to see improvements in all these areas, which helps to measure success and ROI.
To truly change behaviours, it’s important that users have a good understanding of cause and effect. Unfortunately, infosec teams are not taking advantage of opportunities to correlate real-world events to education.
An end user’s mistake should be looked at as a learning opportunity. Whether the mistake is noted during a phishing test (i.e., a simulated attack) or as the result of a successful attack from the wild, training should factor into the follow-up. And the more targeted the education, the better. If a user infects a PC with ransomware, assign a ransomware training module shortly after the user gets a clean device. If you send a phishing test that simulates a malicious file and a user clicks to download, send that employee an assignment that focuses on the dangers of attachment-based phishing attacks. If a user loses a device while traveling, schedule training that highlights physical and mobile device security and emphasises how to be more secure while in vulnerable spaces such as airports, hotels, and other public places.
As noted, end users’ mistakes are teachable moments — but that doesn’t mean you should drop in-depth training on your employees at that moment. Yes, ensuring there is a small window of time between a security event and follow-up training that relates to that event can help employees connect the dots more clearly between the two. But when mistakes happen, emotions can be raw in those moments, and that emotion can override everything else, leaving employees unreceptive to learning. (Think of a toddler mid-tantrum and you’ll get the idea.) As they say, timing is everything.
The simple fact is that users will generally know that they have made a mistake when it happens (even if they are loathe to admit it). But nobody likes to be interrupted in the middle of what they are doing, and making training feel like a punishment can be counterproductive. When using simulated phishing attacks, you should absolutely acknowledge a mistake and give some advice if a user engages with an attack — but keep it short and sweet. It’s best to give an employee the opportunity to process what happened, and follow up shortly thereafter with more thorough education, which still allows you to create that direct line between the security mistake and the best practices that can prevent a reoccurrence.
If you only address cybersecurity once a year, you basically have to start from scratch every time you train. Essentially, you build — and rebuild — a foundation annually, which leaves you with no real opportunity to reinforce that foundation, or build upon it.
In contrast, a continuous training methodology allows you to deliver more progressive education to your users over time. You don’t have to resort to a catch-all, multi-hour presentation that focuses on all the fundamentals you feel you should talk about — but that your employees will forget about in a few short weeks (or sooner). With an ongoing program, you can cover (and regularly reinforce) fundamentals like phishing awareness and prevention, but also expand on the basics as your users become more comfortable thinking about and practicing key concepts.
Instead of going back to the drawing board every year, why not given yourself the opportunity to paint a more complete picture for your users over time?
When it comes to building a security awareness and training program, it is important to recognise that not all approaches are equally effective. If you want your users to retain what you tell them, you need to consider how adults learn. Ultimately, you want to engage your users, because engagement is a key to knowledge retention. Seek key capabilities like interactivity; contextual learning; clear feedback; reinforcement capabilities; and bite-sized, “digestible” pieces of content.
Infosec teams cannot assume that knowledge is a constant; like any skill, cybersecurity expertise needs to develop over time, and users deserve the opportunity to grow their abilities. Tools that utilise research-driven, proven learning science principles will give you the best opportunity to create a culture of security within your organisation and to realise the benefits of an educated, empowered last line of defence.