Security awareness has long been a point of frustration for information security professionals. While many organizations conduct awareness training of some kind, they have struggled to develop effective training. In the past, they have found that posters and knick-knacks urging employees to change passwords have failed to improve workers’ security behavior. Consequently, employee behavior continues to be a common cause of data breaches, with some in the industry even concluding that improving user behavior is impossible.
Improving user security behavior is not impossible, but it does require a change in approach. Acknowledging this, PhishMe has assembled the following five tips to provide a roadmap for establishing a security behavior management program that measurably improves security posture.
1. Immerse your Audience
When pilots are learning to fly a plane, the most effective training comes from the flight simulator. Teaching employees to practice safe security behavior isn’t nearly as complicated as teaching someone to fly a plane, but the learning principle is the same. Avoid passive training initiatives and instead immerse recipients in the experience by simulating a real-life situation. Provide instant feedback to reinforce the key points and repeat the process periodically to increase memory retention and create a dynamic security culture.
2. Keep it Focused
Security awareness programs often overwhelm employees by addressing a variety of security topics ranging from password complexity to USB policies to physical security. Focus on threats that are most likely to occur, could potentially affect your organization’s most valuable assets, and can’t be addressed by a technical control. Spare your employees the pain of having to learn about topics that won’t directly improve security or be a benefit to them.
3. Engage your Audience
For many employees, security awareness is something that doesn’t help them do their jobs. Users will do what they have to do to get through the training and get on with their day. Keep recipients engaged by starting off with a simple, specific message, and keep it going by varying the content and delivery method of your training. Make it a positive experience by recognizing those who have done well and offering support to those that need additional help.
4. Use Metrics
Traditional security awareness initiatives such as posters, classroom and computer-based training, and employee giveaways often lack measurable results. Programs that collect metrics about behavioral change can guide effective decision-making with the data to back it up. Metrics can provide statistics on user susceptibility, the effectiveness of different training efforts, and insight into attacks aimed at your network.
5. Go Beyond Compliance
While compliance is a requirement for many organizations, compliance does not equal security. Security awareness has traditionally been associated with the compliance side of security, and the tried and true methods of security awareness are good at achieving compliance. For user security training to be truly effective, it needs to be more than “check the box” compliance; it needs to focus on current threats and the evolving threat landscape.
Following the tips above will help you build a positive, evolving security behavior management program at your organization.
By Scott Greaux, Vice President, Products and Services, PhishMe
PhishMe launched publicly in 2008, and incorporated as an independent entity in 2011. PhishMe Incorporated is based in Northern Virginia, just outside of Washington, DC, with staff across the country. Our support, operations and sales teams are headquartered in our Virginia office, with additional offices in New York and London.
Our team developed the PhishMe concept based on dozens of years of experience in penetration testing, social engineering, abuse management, incident response and forensics. As our founding team looked at the results of the annual assessment model we implemented for clients, we realized that to effectively combat phishing attacks, our customers needed to combine compelling exercises with dynamic, immersive training.