Security awareness training is something that is discussed quite a lot these days and is commonly something that is just completed to ensure a corporation meets its compliance, but this is not the way we should look at security awareness training. I believe it is something that we need to do regularly to help educate and share knowledge on security with all members of our organisation. It is not about learning all about security and all the tools we use, it’s about making everyone we have interactions with safer online in their personal lives and better-protected users at work. It's a noble cause that deserves our utmost effort but (in my opinion) is badly done.
Now, don’t get me wrong, I am not saying that my way is right and yours is wrong. Every method has merits, and we need to look at what works for our organisation and what doesn’t. There is no point doing a rigid formal training program if it doesn’t fit your company culture or style. We need to consider what will work, and not just do a quick Google search and then buy the latest buzz version or style of awareness training to make sure we cover our compliance requirements.
Do you know what staff do with those online security awareness training programs? They start the video and then continue with their work, they click next when required, and honestly they don't learn anything from your probably expensive training program. So why not try to do something a little different and actually try to teach your staff something worthwhile? Maybe even something that will help them for the rest of their lives.
I know it's hard and we are all strapped for time, so do what you can, but make every minute you have available worth it. Do some face-to-face training, and don't do boring; no one will remember boring. Personally, when I am conducting training programs I try to make it a bit humorous so that attendees remember what I have tried to tell them. I deliberately keep it simple. This isn’t because the attendees are stupid (many of the people I train are lawyers, accountants, doctors and just all-round smart people); it’s because that’s not what they do. They don’t understand our language, so why try to speak tech when they understand English? Or, if you know how they talk (their own tech language), why not bring some of that into your presentation? It will make more sense to them and be a better use of their time and your own.
A regular saying I use in my presentations is the good old “passwords are like toothbrushes, pick a good one and never share it with anyone”. Have some fun with it; you don’t need to put everyone to sleep. I often play a bit of a game if I am talking and I see people start to drift away: I will get the group to try and come up with the silliest four-word passphrases they can. You need to have some fun with it, and if you do, the attendees will respond. I have heard some very creative options over my time, and it gets the group involved and attentive to what you are saying (which is the goal, so they remember).
My attendees always seem to like it when I tell them that we have been making users have difficult passwords which they can’t remember but are easy for computers to guess, just because we thought it was the best thing to do. Most complex passwords can be cracked in a relatively short amount of time, but a good passphrase will take years and years. We don’t even need to change them as often as we do (that’s another thing we added just to make things more difficult) as long as we keep them secret (which is easier said than done, but doable). I am sure you can see what angle I am taking here: have a bit of fun, and even poke a bit of fun at ourselves if it will help the attendees enjoy themselves as well as take some knowledge away from the session that can help them be more secure.
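To put numbers behind the passphrase point above, here is an added Python example (my own illustration, not code from the original post). It models the search space of a typical "complex" human password as a pattern (dictionary word plus two digits plus one symbol) rather than as 95 random characters, because that structure is exactly what cracking rules exploit, and compares it with a passphrase of words picked uniformly at random. The dictionary size (50,000), the word-list size (7,776, the size of a diceware list), the two guess rates and the tiny embedded word list are all assumptions chosen for illustration; the entropy figures depend on the list size, not on the words themselves.

```python
import math
import secrets

# Constructed, deliberately tiny word list so the generator runs offline.
# A real passphrase list (assumed 7776 words below) is what the entropy
# figures model; only the number of words in the list matters.
SAMPLE_WORDS = [
    "apple", "bridge", "candle", "dragon", "engine", "forest",
    "guitar", "harbor", "island", "jacket", "kettle", "lantern",
]


def entropy_bits_uniform(choices, picks):
    """Entropy, in bits, of `picks` independent uniform choices among `choices` options."""
    return picks * math.log2(choices)


def passphrase_bits(word_count, wordlist_size=7776):
    """A random passphrase: each word is an independent uniform pick from the list."""
    return entropy_bits_uniform(wordlist_size, word_count)


def patterned_password_bits(dictionary_size=50_000, digit_count=2, symbol_choices=10):
    """Assumed model of a typical human 'complex' password: one dictionary word
    (capitalised), a couple of digits and one of a handful of common symbols.
    The search space is the product of those choices, not 95 ** length, because
    the structure is predictable and wordlist-plus-rules attacks target it directly."""
    search_space = dictionary_size * (10 ** digit_count) * symbol_choices
    return math.log2(search_space)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected brute-force time: on average half of the search space is tried."""
    return (2 ** bits) / 2 / guesses_per_second


def human_duration(seconds):
    """Render seconds as the largest convenient unit for a slide or a chat."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def generate_passphrase(word_count, words=SAMPLE_WORDS):
    """Build a passphrase with the CSPRNG-backed `secrets` module (never `random`)."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


def compare(guesses_per_second):
    """Expected crack time, in seconds, of both schemes at one assumed guess rate."""
    return {
        "patterned_password": expected_crack_seconds(patterned_password_bits(), guesses_per_second),
        "four_word_passphrase": expected_crack_seconds(passphrase_bits(4), guesses_per_second),
    }


if __name__ == "__main__":
    print(f"patterned password : {patterned_password_bits():.1f} bits")
    print(f"four-word passphrase: {passphrase_bits(4):.1f} bits")
    # Assumed rates: a fast unsalted hash on GPU hardware vs a deliberately slow KDF.
    for label, rate in (("fast unsalted hash, 1e10/s", 1e10), ("slow KDF, 1e4/s", 1e4)):
        result = compare(rate)
        print(f"[{label}]")
        for scheme, seconds in result.items():
            print(f"  {scheme:<22} {human_duration(seconds)}")
    print("sample passphrase:", generate_passphrase(4))
```

Two things worth pointing out when you use this on a slide: the passphrase wins by roughly 26 bits, which is a factor of about 67 million in the attacker's work, and the absolute "years" figure is only meaningful relative to how fast the system verifying the password lets guesses be made, which is why the example takes the guess rate as a parameter rather than hard-coding one answer.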
So, the training session is done, and you mark it done for another year. No need to worry about training again for at least another year, right? Wrong. You need to do more than one training session to make a difference in your users' level of security awareness. Quarterly sessions would be perfect if your organisation is of a size where you can get this organised. Even if that one session is all you can get in face-to-face group training, follow it up with some funny emails on a monthly basis on a quick topic, and have some funny posters made up about financial scammers or about some sort of phishing email that helps identify malicious emails. If the users see them regularly they may remember them when the time comes and a real threat arrives in their inbox.
What about adding a screen saver to all machines with a set of crafted slides that reminds them to lock their computers when they leave their desks, not to share passwords and, like the flyer above, helps them identify threats via a simple graphic that displays telltale signs? These are just some ideas that I have used in my training, but there are so many more options that could work; we just need to think outside the box and come up with ideas that will work. They don't need to cost a lot of money to be effective, but we just need to not leave it at the single basic online course (hey, by all means, do that as well if you can – just find something funny so they will actually watch it) or the single physical training session (I know some people that knock these out of the park).
You need to do more and make it an active part of your security program; humans are a big part of how we will, in the end, win the cyber battle. I have heard some of my peers say on numerous occasions that this is not a technology problem but a human problem. So yes, let’s do what we do best and get all of our security systems in place, but don’t leave all the humans out in the weather; stand together as an organisation, as one, and help create an educated united front.
As always, tell me your thoughts on this, and tell me what fun things you all do to make the training count. Do you have something that you do that would be a great idea for all businesses? If so, comment and let us all know. We will never win this war alone, so if you have that idea that could help us all, I want to hear it.
Till next time…