Gamification – The Secret to Beating Phishing Scams?

By ISBuzz Team | October 19, 2015 | 6 Mins Read

Phishing scams have been circulating for almost 20 years, yet they are still responsible for most breaches occurring today. Anthem, Target, JP Morgan, Sony Pictures – all can be traced back to an employee falling for a spear phishing message and unleashing malicious code into the enterprise.

As the poorly worded emails and suspicious .exe attachments stopped fooling people, criminals changed tack, instead creating malicious sites and sending links inviting individuals to stop by. Technology caught on, spam filters increasingly detected these ploys, and once again scammers evolved to ply their trade.

The reason these scams still work is simple – they target humans. So, could humans be the missing piece to disrupting these lines of attack?

Turning Humans into Detectors

Most of us have passed through an airport terminal and heard the annoying announcements asking: “If you see something, say something.” While the airport has security personnel in place patrolling the corridors and manning checkpoints, the fact remains that they cannot be everywhere at once. Instead, they rely on travellers passing through to be their extended eyes and ears. In this way, travellers become the ‘detector’, watching for, identifying, and alerting on suspicious behaviour such as abandoned cases.

What does this have to do with information security? Just as passengers can help prevent an incident in the airport by reporting suspicious activity, employees can help prevent a potential data breach by reporting suspicious emails, instead of falling for them.

Sounds simple enough – but is it?

They’ll need to be trained

One of the greatest challenges facing security awareness initiatives is providing employees with an experience they will actually remember, retain, and utilise.

Think back to all of the corporate training you’ve sat through during your career. How much knowledge from those courses did you retain? Although you technically completed the training, have you applied any of the information you were given in real life?

For many employees, security awareness training falls into this category. It’s something they probably don’t care about, and that doesn’t help them do their jobs. Users will do what they have to do to get through the training, check the box, and get back to their regular jobs. Their security awareness training is now a distant memory – until next year – buried in a pile of other dull corporate training they’ve been forced to endure over the years. As a result, traditional approaches to awareness training have failed to achieve their objective – change a user’s security behaviour.

When trying to get a person to do something that doesn’t come naturally, such as security awareness training, it needs to be engaging, memorable, and ultimately fun.

They’ll need to be engaged

Games, particularly video or ‘arcade’ games as they’re more commonly called, are fun, and that is what makes them addictive. It is this behaviour that forms the basis of gamification, described as a tool to design behaviours, develop skills and enable innovation. So, could it teach users to be more security savvy?

When change is required, introducing a new working practice for example, gamification can dramatically improve the engagement and desired behavioural changes needed from employees to make the project a success.

Gamification can make security awareness training quick, interactive, minimally disruptive to the user, and above all interesting. When used correctly it is arguably an important method to grab and keep a person’s attention to make security awareness memorable.

With that in mind, here are five steps to make your security gamification training engaging and maybe even (dare we say it?) fun:

Make it easy: For the average user, security concepts are difficult to grasp, so start simple! Sending a beginner down a black diamond trail is a good way to turn them off skiing forever (or worse, get them injured). It’s the same with security. Don’t trip up your users by starting them off with complicated concepts; get them on the beginner slope. Start with a basic scenario, such as an email with a link promising pictures of cute cats. As simple as it sounds, many people will still click. Any security pro can devise a fake phishing email that users will click on, but since the goal is to improve behaviour, start simple and work up to more complicated scenarios.

Change things around: How many of you pay attention to the airline safety demonstration prior to takeoff? That demonstration never changes, so consequently most people are checking out SkyMall instead of listening to the demonstration. Don’t make the same mistake with security awareness. Vary both the content and delivery method of your security awareness to continually engage recipients. Offer training content in video form, HTML templates, and add an interactive element to ensure it appeals to different learning styles and personality types.

Explain everything: Hollow platitudes will undoubtedly get your users to tune out (corporate training has never been guilty of this, has it?). Avoid vague messages like “keep company resources safe”; instead, give users specific, actionable information that will help them change behaviour.

Continuity is key: Why is it so easy to forget what you learned in a boring class? After the final exam, you don’t need the information, so there’s no need to retain it. Security, by contrast, is a constant and changing threat, so security awareness needs to be continuously reinforced. By training users at different times throughout the year, safe security behaviour becomes a habit rather than something forgotten as soon as training is over.

Focus on the positives: It might be tempting to expose the users who are security risks, but in our experience, the negative backlash this generates will quickly undermine your program. Keep things positive by measuring results, providing positive reinforcement, and recognising people and departments who have done well. Educate and support those that need additional help through repetition.

As with any initiative, the key is not making it onerous. If people find the experience stimulating, there’s a good chance they’ll talk about it with their peers. As a result, others will be keen to have a go, and together they will spread your security message. Everyone enjoys playing a game, even a security one.

About Scott Gréaux

Scott Gréaux graduated from the Pennsylvania State University and has since held roles of increasing responsibility, from application developer to CTO to President of a boutique marketing firm. Most recently Scott served as General Electric’s Deputy Chief Information Security Officer, where he led key global initiatives such as Policy and Policy Frameworks, Security Awareness, Advanced Threat initiative coordination and Information Security metric reporting. During his tenure he was uniquely positioned to see the threat of advanced phishing techniques and developed a multi-faceted program to address the phishing risk in a large enterprise.

Scott brings his extensive experience and unique blend of business management and creative marketing practice to PhishMe, where he works with customers to develop robust anti-phishing programs. Gréaux also oversees PhishMe’s managed service offering and support operations, and leads PhishMe’s Customer Advisory Board, where he works with customers and industry thought leaders to align PhishMe features with the ever-changing threat landscape.
