Malicious e-mails are still in fashion.  Filtering systems, even with AI support, have plateaued their capabilities and no concoction of technology alone is enough to completely protect an organization.  Its time to invest in one of the best, and probably least expensive, security tools in the CISO arsenal: security awareness training.

Most training programs today lack a continuous, captivating experience that creates a culture of awareness and accountability. Forget off-the-shelf training and invest in customized, branded materials that are rich in media and interactive content (never reuse the same content from year to year).  Make sure there is constant exposure to security awareness, with tangible repercussions for those that consistently fail to demonstrate they are capable of protecting the organization.

A Thorough Program

Basic Training

Users need to understand cyber threats, laws and regulations, company policies, and other compliance requirements.  A good awareness program will cover these basic elements during on-boarding, with frequent reinforcement.

  • Responsibility and accountability of all staff and personnel
  • Data classification and data privacy
  • Acceptable Use policy and policies for the protection of data and information systems
  • Intellectual property rights, including software licensing and copyright issues
  • Concepts of “least privilege” and “separation of duties”
  • Access controls
  • Safe password hygiene
  • Requirements for software updates
  • Social engineering techniques and protection
  • Email security
  • Browser security
  • Malicious downloads
  • Anti-virus, anti-malware
  • Social media security
  • Vendor, contractor, and third party security
  • Mobile security, including phones, laptops, and removable media
  • Wireless security
  • Remote access
  • Data destruction
  • Physical security
  • Communications plan for reporting suspicious activity (physical or cyber)

‌Role Based Training

A good program will also include specialized, role based training to address specific risks and threats towards a particular job function, such as

  • Board of directors
  • Executive and senior management
  • Human resources
  • Finance
  • Executive assistants, office managers, and administrative staff
  • Receptionists
  • Front office and customer service
  • Back office and operations
  • Information technology and privileged users
  • Information security

Training Schedule

Require all new users to complete training before they are given access to data or any privileged applications and systems.  Ideally, include the training as part of new hire on-boarding and orientation.  In person training works great for this as it conveys a sense of importance and  helps strengthen a culture of security from the onset. It also offers participants an opportunity to ask questions.

Space training out over the course of the year. A good schedule might alternate different types of training quarterly, rather than trying to squeeze everything in at once or giving users the option to cram just before year end deadlines.   For example:

  • Q1 - Basic training (general security awareness concepts)
  • Q2 - Role based training
  • Q3 - Data privacy and company policies
  • Q4 - Phishing

It's Not All About Training

To really impact culture change, don't focus entirely on training.  Think about other creative ways to produce security awareness.

Make use of security awareness posters.  These can be placed throughout office facilities and particularly in areas with a captive audience, such as cafeterias, pantries, and elevator lobbies.  

Give everyone a security flyer with company do's and don'ts on one side and phishing red flags on the other.  Make sure to also include contact information for reporting suspicious activity.  

Send out periodic newsletters to communicate new regulations, policies, procedures or security technologies.  Use e-mail bulletins to highlight any urgent risks or threats.

‌‌Testing and Improvement

Administer frequent phishing tests with unique, individual campaigns that can track who has opened an email, clicked a link, and entered credentials into a test website, as well as who has reported the email as suspicious.  

Try every campaign before launch to ensure that emails and target links are not blocked by mail gateways and web content filtering systems.

Failure on phishing tests, or failure to complete awareness training, should have tangible consequences that are in line with company culture and become more severe with subsequent, repeated failures. These can range from warnings and extra training up to compensation impacts or even termination of employment (or, for contractors, termination of the contract).  

Include metrics, insights, and trends about security training and testing alongside other predictive cybersecurity metrics that are normally reported to executive management and the board of directors.

Who's In?

All staff and personnel, including external contractors, subcontractors, and support staff, should be included in an organization's security training and awareness program, phishing testing, and metrics reporting.

When users that have been on leave of absence for a significant amount of time return to work, they should be required to complete training before their access is restored.  If users retain access while they are on leave, even if it is just email access, they should be required to complete all their information security training in order to ensure that they are up to date and equipped to protect the organization.

Inside Staff

Sometimes it makes sense to notify user support / helpdesk, Information Security, and some technology staff before lauching a test campaign. This helps reduce the number of support tickets and reported outbreaks which would otherwise need to be individually investigated, and can help ensure a smooth operation.   Separate campaigns should be launched to test inside staff without their prior knowledge, so that all users have been able to be properly tested. (Yes CISOs, this includes you too).

Don't Forget the Board

Board members are a valuable target and too many programs exclude the board from security awareness training.  Its usually a good idea to present the board with a white glove, in person session that can be concise yet thorough.   Some Information Security services companies specialize in providing training specifically designed for corporate boards.

Include Your Customers

Once a strong security training program has been established, turn the focus outwards and develop an awareness program to target customers and clients.  This can include a section on the website that discusses security measures your organization takes as well as steps customers can take to protect their own data.  Periodic emails can also be used to highlight any specific risks or threats that are relevant to your client base. They can also simply point out security tips or function as a gentle security awareness reminder.