Is your security awareness training program working?

An hour long lecture once a year doesn't do much for security awareness training

Employees at Axe Investment, the fictional firm of billionaire Bobby Axelrod in Showtime's new series Billions, were downright angry when they learned that a surprise SEC raid was only a test. Axelrod, though, found the mock raid fruitful because it revealed the internal weak links of his organization.

These are metrics that enterprises should be using to evaluate the success of their security awareness programs. In order for awareness training to work, it has to keep everyone in the enterprise, well, aware.

A recent Wombat report revealed that in addition to the ever growing problem of phishing, employees across industries struggle with oversharing on social media, unsafe use of WiFi, and company confidential data exposure. Those ubiquitous posts pose serious risks.

Chris Weber, co-founder of Casaba Security, said, "Phishing attacks are pretty measurable. You give folks a phishing workshop, then go and run a phishing testing campaign and see how many people fall for the lure and how many people report the attack or suspicious email."

Because many of the threats delivered by malicious actors often tie into phishing, these exercises can't be overlooked, particularly in light of people's inclination to overshare. "Most companies are embracing some type of annual or on-boarding training, letting folks know these are the things you should watch out for if you are trying to access company resources," Weber said.

Training in and of itself is not enough. A successful awareness program will have training in conjunction with the testing. "Do the training to know what’s going on and the testing to keep it activated in people’s minds. Who falls for the bait?" Weber said.

"Each person in the organization should be tested monthly. It could be more frequent than that, but not to the point of annoying people. That’s measurable," Weber said.

Because so many breaches are the result of human error, "Sometimes it’s easier to block access to it all and then grant access by request. Then anybody who requests access needs to install some type of device management software to help organizations keep track and monitor and have a little bit more control over the resources," Weber said.

Blocking access can get tricky, though, and establishing access controls doesn't preclude the need for ongoing and meaningful awareness training.


Dave Chronister, founder of Parameter Security, said, "Awareness training is one of the most important things you can do to protect your network. You need to have a program and it needs to be effective."

Effective means doing more than having someone stand up and list the annoying things people do. That vapid approach is sure to quickly cause the audience's attention to drift--perhaps even to take out their phones and start posting on social media.

Chronister said that when people tell him their security awareness program consists of a single training session once a year, he knows it is not a program that is up to par.

"If it is not reinforced with movies, emails, media posters, and testing, the end users will only remember it for a couple days, then the concept will go away," said Chronister.

One midsized company whose program really impressed him, though, held monthly company meetings. "Instead of an hour long once a year, it was a 30 to 45 [minute] company meeting. They would have 10 minutes to talk about security awareness, and at each meeting, they'd go over a current topic," said Chronister.


Rather than succumbing to a "we are going to fail" mindset, the company ended up spending far more time over the course of a year talking about security awareness. Combined with social engineering exercises, that gave them the metrics they needed to see where they had to improve.

Social engineering exercises are tough to do because they require security experts to deceive their own employees. The intent ought to be to figure out what is going on, not to punish people for unintended mistakes. To know whether people respond or contact the help desk, the enterprise needs to institute consistent and varied testing.

Yes, phishing emails are a popular social engineering technique, but organizations also have to know whether a stranger can easily walk in the door and get to wherever they want to go. "The metrics show them, this is how many people clicked the link, how many people then entered information. The goal then is what can we do to lower that?" said Chronister.
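The funnel Chronister describes (how many clicked, how many then entered information) and the reporting rate Weber mentions can be computed from a simulation tool's event log. The following is an added example, not code from the article or from either firm; the log format and the event names (sent, clicked, submitted, reported) are assumptions, the sample log is constructed, and only per-campaign aggregates are returned so the numbers drive training rather than blame.

```python
from collections import defaultdict
from statistics import median
# Constructed log from a simulated phishing campaign (sample data, not real).
# One line per event: campaign,user,event,minutes_since_send
SAMPLE_EVENTS = """\
2016-01,u1,sent,0
2016-01,u2,sent,0
2016-01,u3,sent,0
2016-01,u4,sent,0
2016-01,u1,clicked,12
2016-01,u1,submitted,15
2016-01,u2,clicked,30
2016-01,u3,reported,8
2016-01,u4,clicked,45
2016-01,u4,reported,50
2016-02,u1,sent,0
2016-02,u2,sent,0
2016-02,u3,sent,0
2016-02,u4,sent,0
2016-02,u1,reported,5
2016-02,u2,clicked,20
2016-02,u3,reported,3
2016-02,u4,reported,9
"""
def parse_events(text):
    """Yield (campaign, user, event, minutes) tuples from the CSV-style log."""
    for line in filter(None, text.splitlines()):
        campaign, user, event, minutes = line.split(",")
        yield campaign, user, event, int(minutes)

def campaign_metrics(events):
    """Per-campaign funnel: share of recipients who clicked, entered data, reported."""
    users = defaultdict(lambda: defaultdict(set))  # campaign -> event -> distinct users
    report_minutes = defaultdict(list)
    for campaign, user, event, minutes in events:
        users[campaign][event].add(user)
        if event == "reported":
            report_minutes[campaign].append(minutes)
    result = {}
    for campaign, by_event in users.items():
        sent = len(by_event["sent"])  # denominator: everyone who received the lure
        result[campaign] = {
            "sent": sent,
            "click_rate": len(by_event["clicked"]) / sent,
            "submit_rate": len(by_event["submitted"]) / sent,
            "report_rate": len(by_event["reported"]) / sent,
            "median_report_minutes": median(report_minutes[campaign]) if report_minutes[campaign] else None,
        }
    return result
```

Run monthly, the click and submit rates should trend down and the report rate up; the median time to the first reports tells you whether the help desk would hear about a real lure quickly enough to act.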

One issue organizations run into is letting corporate politics decide who gets targeted, said Chronister. "A lot of people think, we can’t have the CISO click," he continued, but the CISO very well might. The CISO is as likely to be deceived by social engineering as anyone else in the company.

"Social engineering doesn’t happen because you’re stupid. If you believe that, you are going to get socially engineered. I've seen a CISO who said that anyone who gets social engineered will be fired. By taking a tough stance, he’s made his security awareness program worse. If I made a mistake and realize it, I’m not going to tell anybody because I could get fired," Chronister said.

Security awareness needs to be based on both the skill set and the industry sector. Josh Grunzweig, threat intelligence analyst, Unit 42 of Palo Alto Networks, said, "Many hospitality employees are using POS terminals as a normal computer—checking email, browsing the web, posting on Facebook. Those terminals should only be used for financial transactions."

When assessing the success of security awareness training, it's important to be realistic about expectations around changing human behavior. "A lot goes into putting technical controls in place so that attackers don’t get into where they shouldn’t be," Grunzweig said.

Across all sectors of the industry, though, when people are permitted authorized access, there is only so much an awareness training program can prevent. "Hospitality has been hit for many years, so yes, employees need to be trained on what to look for, but controls need to be put in place," Grunzweig said.

Enterprises are coming to understand that they can’t put all the burden on employees because the sheer number of attacks is vast. Companies large and small that have had success with awareness training are succeeding because they address security both as a company and by alerting employees to threats they may face in their personal lives.

Stan Black, CSO at Citrix, said that one of the challenges with security awareness is that folks need to receive some benefit beyond just knowledge. "For folks in many of the back office functions from finance to human resources, there are courses specific to certain roles. We tie them to a trend, and add components in as threats become more prevalent," Black said.

Executive assistants are the gateway to executives, and Black said, "Put in place social engineering awareness specific to their role. The information they have is highly valuable, and we marry that in with another element that connects to their personal lives."

To measure the success of a security awareness program, enterprises need metrics, which requires frequent testing that is not only relevant to the business but meaningful to the people working there.
