Cybersecurity awareness training. Three words that often make the eyes of employees — and infosec pros — glaze over.
Several sessions at the MapleSec virtual cybersecurity conference on Tuesday gave valuable advice to organizations on how to make awareness training work. Here’s a roundup of what speakers said.
Many training sessions are “pretty boring,” said Jon Lewis, a product marketing specialist at the Canadian Internet Registry Authority (CIRA), which in addition to patrolling the .ca domain sells an awareness training service.
“We’ve been beaten to the ground with mandatory training” for a variety of things in organizations, he said. “I personally believe awareness of cybersecurity problems is high, but people are still doing bad things, and I think it boils down to training not being super-engaging.”
It doesn’t have to be glitzy, he added, but training does have to be engaging — and perhaps with a little wit.
An example: As part of a regular phishing test for its employees, CIRA created an email about a parking spot lottery seemingly from the management of the downtown Toronto building where it is headquartered. The email had the management company’s logo and a colourful map of the possible parking spots — in short, it looked very convincing. Employees were asked to click on a link and enter personal information to be part of the lottery for the parking spots.
Apparently, enough of the staff were fooled that the phish became a “classic,” said Lewis.
However, he cautioned, make sure such tests are appropriate. One company ran a phishing test offering employees a chance to earn a bonus by clicking on a link and entering their usernames and passwords. Unfortunately, the “contest” for bonus money ran just after a large number of layoffs. The test “burned a bunch of bridges” with management, Lewis said. Do a test like that “and your [awareness] program is dead.”
Several speakers mentioned the importance of regular awareness training — at least once a quarter.
“Don’t make people feel stupid,” advised IT World Canada CIO Jim Love. Let them know mistakes happen to everyone. In fact, if you’re a trainer, share examples of some stupid things you’ve done, he said.
Awareness training should be part of the organization’s fabric, Love added. For example, include some advice for a few minutes during a team’s weekly meeting. It’s also important, he said, to have executive participation in training. This can range from a short video from an executive to walking around the office chatting with staff and talking about the importance of being security-aware.
He also urged infosec pros to build coalitions of support for security training with other groups in the organization.
This was echoed by Brennen Schmidt, cybersecurity author and member of the board of the Mackenzie Institute. The COVID crisis is an opportunity for IT to talk to other departments about delayed cybersecurity projects, such as a mobile working strategy.
David Shipley, CEO of Fredericton, N.B.-based Beauceron Security, said there are five parts to creating a good cybersecurity awareness plan:
- Understand what regulatory, legal and contractual obligations the firm has to protect sensitive data.
- Create a baseline of activity and knowledge to measure progress against. Do a survey of staff — what do they know about security, what don’t they know, what are they doing wrong (passwords too simple, what percentage will click on bad links).
- Create an awareness program based on what the organization has to do, and what it needs employees to learn. Use a wide range of tools — personal training, online training, posters, newsletters etc. But make the content specific to your organization.
- “Everyone’s seen the generic password video advice over and over again,” Shipley said. “But if you can talk about your organization’s approach to passwords, why it is in place, the policies and tools then people will be ready to buy into it.”
- Use tools like phishing simulators — some of which are free — to shape behaviour.
- Reinforce good behaviour. Training has to be regular.
Shipley said awareness training programs often fail because they are seen as driven by the IT department, because they focus too much on phishing test click rates, and because success is defined by useless metrics such as the number of meetings held with staff.
It’s important that staff not be punished for failing tests, he added. Staff should understand that training is about learning from mistakes.