Ask a roomful of IT managers and chief information security officers (CISOs) if end users are their biggest information security risk and almost every arm will shoot up across the room. Ask how many have implemented a training program to deal with information security at their company, however, and the number of hands raised will likely dwindle. Then ask how many have training programs in place where they can benchmark their results. Unfortunately, the number of hands raised usually plummets.
So, if they agree that information security is one of their biggest risks, why aren’t CISOs and IT managers doing more about security training?
Before answering that question, let’s take a look at why they should care. Phishing—targeted email attacks designed to steal personal and corporate data as well as financial account credentials—is on the rise. According to the latest numbers from the Anti-Phishing Working Group, the number of phishing attacks rose 20 percent in the third quarter of 2013.
The biggest target: Unsuspecting non-management employees, who inadvertently click on links within emails and launch phishing attacks, allowing cybercriminals to access user names and passwords, financial account information, social security information and more. It’s a big business; EMC pegs global losses from phishing attacks at over $5.9 billion in 2013 alone.
Furthermore, security firm McAfee reports that the number of malware samples found over the last year has tripled. Security officers and IT staff know the risks and understand the importance of security training. But the hard reality of it is that, despite the risks to sensitive data, there are obstacles—real or perceived—that prevent them from successfully creating programs that train employees to recognize and avoid attacks.
Overcoming the Obstacles
Let’s look at some of the most common obstacles to companies implementing security training programs, and discuss the best ways for security and IT personnel to overcome them.
Cost. Implementing an employee training program does have hard costs, both as you initially train employees and as you update training to include new types of threats. But after seeing the $5.9 billion price tag associated with phishing attacks and understanding how malware attacks can impact business, the majority of companies should be looking for ways to find the budget immediately. Training programs do not need to be expensive—they just need to be effective.
Red tape. At some companies, an employee training program just involves IT, but in others it might involve several departments, including IT, human resources and legal, as well as managers and even executives. Overcoming the red tape can be difficult; however, it’s not insurmountable with proper planning. Each department wants to understand the risks and rewards for implementing new programs. Providing each group with that information before the objections begin is the first step in gaining approval from the various groups from which you need buy-in.
No time to implement. Time is tight for IT and security departments. Alongside their day-to-day activities, IT teams are tasked not only with preventing attacks but also with handling them if they do occur. Many can’t imagine taking on another task; however, at the same time, they understand that educating employees can help prevent many of the issues they currently are forced to resolve. There are many great options to outsource the management and implementation of a security education program to minimize internal time spent on it.
No time to repeat. Training works best when it is reinforced and updated based on new threats. Making time now to train proper behavior, and reinforce that behavior, amongst employees can help prevent more significant drains on your time down the road.
No way to measure. It’s often difficult to measure behavior that you’re trying to eliminate. However, if you start with a baseline before beginning training as well as analyze results after each training session, you can determine how successful each session is and understand what messages are sinking in. You’ll also get an indication—backed up by measurable data—on which employees continue to put your company’s information at risk and which topics are least understood to prioritize future training content.
Concerns about privacy. It’s the job of human resources and legal departments to worry about the privacy and legal implications of training programs. They will naturally have questions about how these results are shared and the impact on employees if they score poorly. Collaborating with these departments to understand their concerns and refine your plan before starting the program will help you avoid fire drills mid-program.
No management buy-in. This is perhaps the most difficult—and the easiest—problem to solve. It’s difficult because winning management approval on any expenditure can be a challenge; however, it’s easiest because the facts support your case: training employees actually helps thwart attacks that can impact your company.
All of these obstacles point clearly to the need for a plan to win the approval of necessary departments and management. And, more importantly, all of these obstacles can be overcome.
Drafting a Plan
Your plan does not need to be a 20-page document. The most important aspect is speaking to your audiences about the things that matter to them. This includes talking the talk when it comes to costs and other business implications. But the heart of your plan is simple: What is the problem you are trying to solve and what are the available solutions to solve it? Start simple. For example:
1) Write down the top three problems you’d like to address with security education. These might be general security concerns, such as reducing the number of malware infections or getting employees to identify and avoid phishing attacks. They might address day-to-day operations, such as reducing the number of computers you need to clean after a malware attack. They might even deal with regulatory or compliance issues. Whatever your top three issues are, write them down.
2) Determine how you can measure progress towards solving these problems. Articulating how your company has already been impacted is a big step toward helping the decision makers in your organization to understand the scope of the problem. For example:
– How many malware infections do employees experience per month now? What is your goal to reduce them?
– How many successful phishing attacks occur in your organization now? How would you estimate the cost of these successful attacks?
– How many security-related calls does your IT department deal with each month? What is your goal in reducing these?
3) Do the math and determine the savings associated with addressing these problems.
– Set realistic goals. Sometimes a cost savings of 10 to 15 percent in these areas will be enough to get attention. If you start with a conservative estimate and exceed it, you look like a hero.
– Make sure to include the people cost. If security training costs can be offset in other ways, such as diverting employees to other functions, make sure to mention it.
– Tout any ancillary benefits. If there is increased safety for your employees’ personal identity or financial information, or reduced risk from threats coming from your employees’ personal PCs or devices, be sure to mention it.
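The measurement and savings steps above can be turned into a small scoring script. The following is an added example, not the article’s or Wombat’s code: it assumes per-session exercise results in the form (session, employee id, topic, failed), which are constructed sample values here, and shows how to compute failure rates per topic against the pre-training baseline, rank the topics that improved least (the ones to prioritise next), list employees who keep failing across sessions, and produce the monthly savings figure the plan needs from an incident count, a per-incident cost and a reduction goal.

```python
"""Baseline-vs-follow-up scoring for a security awareness programme.

Added illustration (not from the article). All data below is constructed.
Record layout: (session, employee_id, topic, failed). "baseline" is the
measurement taken before any training; "s1" is the first post-training session.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

RESULTS: List[Tuple[str, str, str, bool]] = [
    ("baseline", "e1", "phishing-link", True),
    ("baseline", "e2", "phishing-link", True),
    ("baseline", "e3", "phishing-link", False),
    ("baseline", "e4", "phishing-link", True),
    ("baseline", "e1", "attachment", True),
    ("baseline", "e2", "attachment", False),
    ("baseline", "e3", "attachment", True),
    ("baseline", "e4", "attachment", True),
    ("s1", "e1", "phishing-link", False),
    ("s1", "e2", "phishing-link", True),
    ("s1", "e3", "phishing-link", False),
    ("s1", "e4", "phishing-link", False),
    ("s1", "e1", "attachment", True),
    ("s1", "e2", "attachment", False),
    ("s1", "e3", "attachment", False),
    ("s1", "e4", "attachment", True),
]


def failure_rates(results) -> Dict[str, Dict[str, float]]:
    """Return {session: {topic: fraction of exercises failed}}.

    Topic-level aggregates are what you report upward; they carry no
    individual names, which is the form HR and legal are usually comfortable with.
    """
    totals = defaultdict(lambda: defaultdict(int))
    failed = defaultdict(lambda: defaultdict(int))
    for session, _emp, topic, did_fail in results:
        totals[session][topic] += 1
        if did_fail:
            failed[session][topic] += 1
    return {s: {t: failed[s][t] / totals[s][t] for t in totals[s]} for s in totals}


def least_improved_topics(rates, baseline="baseline", latest=None) -> List[Tuple[str, float]]:
    """Rank topics by how little their failure rate dropped from the baseline.

    Returns (topic, improvement) sorted ascending, so the first entry is the
    topic to prioritise in the next training round. A topic missing from the
    latest session counts as unchanged.
    """
    if latest is None:
        latest = sorted(s for s in rates if s != baseline)[-1]
    improvements = [
        (t, rates[baseline][t] - rates[latest].get(t, rates[baseline][t]))
        for t in rates[baseline]
    ]
    return sorted(improvements, key=lambda x: x[1])


def repeat_offenders(results, min_failures=2) -> List[str]:
    """Employees who failed in at least `min_failures` distinct sessions.

    Employee-level data is for targeted follow-up training, not for the
    management report.
    """
    sessions_failed = defaultdict(set)
    for session, emp, _topic, did_fail in results:
        if did_fail:
            sessions_failed[emp].add(session)
    return sorted(e for e, s in sessions_failed.items() if len(s) >= min_failures)


def estimated_monthly_savings(incidents_per_month, cost_per_incident, reduction_goal) -> float:
    """Savings the plan can claim if incidents fall by `reduction_goal` (0..1)."""
    if not 0 <= reduction_goal <= 1:
        raise ValueError("reduction_goal must be a fraction between 0 and 1")
    return incidents_per_month * cost_per_incident * reduction_goal


if __name__ == "__main__":
    rates = failure_rates(RESULTS)
    print("failure rates:", rates)
    print("least improved:", least_improved_topics(rates))
    print("repeat offenders:", repeat_offenders(RESULTS))
    # Constructed numbers: 12 incidents/month, 500 per incident, 15 percent goal.
    print("monthly savings:", estimated_monthly_savings(12, 500, 0.15))
```

The conservative 15 percent goal in the usage call mirrors the advice above to start with a modest estimate; the same functions can be re-run after every session to see whether the number holds up.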
It’s important to remember that employees who can identify, report and avoid attacks create another line of defense for your company, working with you to keep data secure. Needless to say, providing training that allows them to spot and avoid dangerous situations should be a priority. As with any plan, up-front communication is key. Clearly articulating the problem in terms that hit home with business decision makers, setting clear goals and mapping how the business can benefit from cyber-smart employees will put you on the right course toward winning approval for your security education plan.
Jacki Williams, Product Manager at Wombat Security Technologies
Wombat Security Technologies is a leading provider of cyber security training and filtering solutions. Its software-based training solutions are designed to be engaging and effective, and have been scientifically proven to be significantly more effective than other traditional training solutions. Wombat’s anti-phishing filtering solutions have been shown to catch significantly more phishing attacks than other filters. Wombat’s products are used in sectors as diverse as finance, government, telecom, health care, retail, education, transportation and utilities.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.