In a SANS 2016 survey, employee awareness training was the third-most cited control to defend against all threats, and 93% of respondents cited security awareness training as a most effective overall control to protect their organization.

What does it take to make an effective security awareness training program? Let’s take a look at what the experts say – and what some organizations are doing.

Make it Relevant, Bite-Sized, and Ongoing

Identify the needs in your organization based on employee role, past incidents, and a knowledge of the most prevalent risks. Education that is based on real-world scenarios that your team might encounter is much more valuable than a data dump of every potential scenario.

Lance Spitzner, training director for the SANS Securing the Human Program, has developed a list of the most prevalent risks: vulnerability to phishing attacks; poor password security; failing to patch or update devices; sharing too much on social media; not realizing you are a target; and accidental data loss or exposure.

These risks are also relevant to life outside the office, which is another way to boost retention. In fact, many studies have shown that employees pay more attention if the awareness materials can be used (and even shared) outside the office – at home with family and friends.

Bite-sized awareness content like periodic email tips, a regular newsletter, or short video snippets is important for two reasons. First, information in small learning chunks is more likely to be retained. Employees rapidly forget the information they acquire during a classroom event. Second, smaller learning chunks fit more easily into schedules because they are available for consumption when the employee has the time.

Jason Thomas, CIO and HIPAA security officer at Ruston, La.,-based Green Clinic, sends out short monthly notes about an aspect of HIPAA compliance. “And then we do a short test on this,” he said. “We’re not trying to take them away from what they went to school for, which is treating patients, but it is part of being employed in a heavily-regulated organization.”

Awareness training is focused on changing individual behavior. As such, it requires a continual focus, not just a one-time event. When it comes to internal communication, once is never enough.

Take a Page from the Marketing Playbook

Awareness education doesn’t have to be dry. Consider involving your marketing team to develop creative communications that are engaging and memorable.

Plan a series of communications using different delivery methods to build awareness – much like a marketing campaign. CPNI offers some sample resources to be used in a workplace behaviors campaign.

Infographics are visually engaging, informative, and bite-sized for easy consumption.

Secure Decisions has developed interactive comics to teach employees ways of detecting “phishing” emails and other hacking attempts. The comics are being field-tested at several companies and Stony Brook University.

Make it a Game With Rewards

Most employees will respond favorably to the opportunity to compete and earn rewards. Inject some competition in your security awareness training through gamification.

In a comparison of security awareness efforts across companies, “awareness measures that were interactive were found to be significantly more effective than passive measures.”

  • Ask employees to identify the security pitfalls in a “What’s Wrong with this Picture?” game.
  • You could replicate the picture idea in the real world by setting up a cubicle with all the ‘bad’ security habits being practiced (passwords on stickies, unlocked computer, sensitive paperwork on the desktop, etc.).
  • Reward users who report a phishing scam to the help desk.
  • PwC offers a Game of Threats (™) to simulate the speed and complexity of an actual cyber breach. The solution integrates elements of gamification and game theory to provide an interactive client experience where a client team playing itself tries to defend itself from a team of threat actors (also played by company personnel).

Rewards can be either in the form of public recognition or points that are redeemable toward a gift card, tickets to a sporting event, or merchandise from the company store.

Run a Drill

There’s a reason that organizations periodically run fire drills: it helps to ensure the right procedures are followed in the event of a real emergency. Take the same approach with your security awareness by running unannounced simulated security breaches.

Simulate a phishing email to test employees’ response. How many took the bait?

  • At Northwell Health, the largest private employer in New York State, the security team sends out “phishing simulations” to the workforce. The emails are designed to mimic a real phishing campaign that seeks passwords and personal information. In April, for instance, Northwell sent out phishing emails with a tax theme.
  • At Cisco, those who take the phishing bait are immediately directed to the “Phish Pond,” an internal landing page for an explanation of what they did wrong, and how to avoid it in the future.

Need help creating your drill? Check out these free phishing simulators.

Ponemon recently calculated the effectiveness of anti-phishing training programs. The least effective training program still had a seven-fold return on investment, even taking into account the loss of productivity during the time the employees spent being trained. And the average-performing program resulted in a 37-fold return on investment.

Awareness training will not result in perfection; it’s impossible to achieve a perfectly secure enterprise. Traditional tactics such as an educated and experienced security team, strong perimeter defenses, ongoing monitoring, and the ability to quickly respond and recover are still required. However, awareness training can make – and is making – a difference in organizations today.

For more information:

Using Gamification to Transform Security Awareness

A Security Awareness Success Story

The Habits of Highly Effective Security Awareness Programs