The other day, I was in a room full of CIOs, CTOs and CISOs who -- as an ice-breaking activity -- were asked to share a bad security habit. One after the other admitted to bad password hygiene, such as reusing passwords.
I was the only one in the room who used password management software, and that was only because I'd just written an article about it.
If even well-educated security experts mess up when it comes to security, can we really educate average employees to be more security aware?
In a Vanson Bourne survey this spring, IT employees were actually more likely than average to open attachments from unknown senders, download apps from outside the official app stores, click on links in social media sites -- even though they were also more likely to know that this was risky behavior.
Training costs money, and takes employees away from their jobs. If even the best-trained employees are still making bad security decisions, is training just a big waste?
Unfortunately, there's very little data available so far, but from the experiences of individual companies, training can make a difference, if it is done right. That means providing training in small, digestible units, following up with testing and reinforcement, and creating a corporate culture of security by engaging employees at all levels.
Long, comprehensive training classes can create fatigue and cause employees to zone out during the lectures, and forget the content quickly afterwards.
"It's too easy to overburden people with too many security-centric things at once," said Jason Thomas, CIO and HIPAA security officer at Ruston, La.,-based Green Clinic.
But in a regulated field like healthcare, security training is a necessity, even if it annoys employees who'd rather spend their time saving lives.
"Training doesn't have to be classroom-style, eight hours a day," Thomas said.
The Green Clinic sends out short monthly notes about some aspect of HIPAA compliance.
"And then we do a short test on this," he said. "We're not trying to take them away from what they went to school for, which is treating patients, but it is part of being employed in a heavily-regulated organization."
These little educational tidbits are working, he said.
For example, a vendor recently complained about being denied access to equipment.
"A receptionist refused to provide him any details," Thomas said. Instead, she told him that he had to contact Thomas directly.
That's exactly what was supposed to happen, Thomas said.
"The key is how you package it to make it interesting and digestible," said Kevin Cunningham, SailPoint's president and founder. "They bring it back to what it means to you."
There are more than two dozen videos total, each covering a very specific topic and followed by a short quiz, accessible through the employee portal.
"If I have a spare five minutes, I can watch one of these vignettes," Cunningham said.
The company has just rolled out the program, but Cunningham says he's already seen a change in attitudes.
But he's not going by gut feel alone. After six months, SailPoint will do a round of retention testing. In addition, individual employees that violate policies will receive additional, more in-depth training.
"People are a key component of any security plan," Cunningham said. "The bad guys have figured out that the most vulnerable portion of the company is the people. There's lots to be gained there."
One easy target for security awareness training is teaching employees how to deal with phishing emails. According to the latest Verizon data breach report, phishing was implicated in a quarter of all data breaches. And according to Ponemon, the average 10,000-employee company spends $3.7 million a year on dealing with phishing attacks.
Ponemon recently calculated the effectiveness of anti-phishing training programs. The least effective training program still had a seven-fold return on investment, even taking into account the loss of productivity during the time the employees spent being training. And the average-performing program resulted in a 37-fold return on investment.
One company that's working hard to both improve and measure its effectiveness is Wombat Security Technologies, which grew out of a research program at Carnegie Mellon.
"In my mind, videos and classroom-based training that don't engage users are doomed to failure from the beginning," said company CEO Joe Ferrara.
Wombat runs simulated phishing attacks against organizations, then delivers on-the-spot training modules.
One customer, Pennsylvania-based safety product manufacturer MSA Safety, started out their first year's training program with a 25 percent failure rate.
"Now we're in the 5 to 8 percent fail rate," said Steve Rocco, the company's global cyber security manager. "We have lowered our risk considerably, in my opinion."
Since first piloting the Wombat training program two years ago, the company has rolled it out to 50 sites around the world, in seven languages.
In addition to phishing training, there are also modules that cover how to classify data, what can be sent over email, what can be stored in the cloud. There's training for handling personal health information, for physical security, for social engineering, for social networks, and a variety of other topics. And it's customizable to meet MSA's specific requirements.
"These are all very important learnings for our end users," Rocco said. "And people love it."
It helps that the security training is also often applicable to employees' personal computer use, he added.
One effect of the security training is that employees are now reporting strange emails or other happenings. That means that if the company is being specifically targeted, even if some employees still fall for phishing emails, others will have spotted them and alerted the security team that there's something going on.
Rocco said that there's also been a a strong decrease in malware across the network.
Obviously, no system is perfect. In fact, there were two recent incidents in which two employees fell victim to CryptoLocker. When the company investigated, it turned out that one of the employees had not taken the training, and the other received a poor grade.
In addition to Wombat, several other vendors are happy to send simulated phishing attacks against your employees. They include PhishMe, which counts 35 of the Fortune 500 as customers. Others are ThreatSim, SynerComm, PhishingBox, and KnowBe4.
But this kind of simulation-based training is still new to the industry, said Seth Robinson, senior director of technology analysis at Computing Technology Industry Association
"I have talked to some companies who have done this kind of training, and that does tend to be one of the premiere examples of what security training should look like," he said. "Companies who have tried that show some success."
But comprehensive, ongoing simulation-based security training is rare.
"Our data shows that not many companies are doing serious training," he said.
Instead, he said, companies are still more likely to give a copy of a security policy to newly-hired employees and ask them to sign.
Creating a cultural shift
When security training means checking off a compliance box, it's hard to get people to pay attention, much less take it to heart.
"But if good security hygiene permeates a company, then it's something that can be successful," said Siobhan MacDermott, principal in the cybersecurity practice at Ernst & Young. "We work with a lot of boards and senior management in setting up security awareness programs. And we go back and see if there's a change in behavior."
The main factor that makes a difference is whether the behavior is modeled by the most senior executives, all the way down.
"It can't be just implemented from HR," she said.