People in IT know the importance of security training. If employees don’t know how to avoid crucial mistakes, the result could be an expensive breach. Knowing that training is important, though, isn’t enough. Too many programs do little or nothing to improve people’s security habits. Successful security training requires a clear purpose and effective techniques.
Know Your Goals
It’s common to talk about “security awareness and training,” but that conflates two different goals. Awareness is just the first step. It means knowing that there are problems to deal with, but not necessarily having the ability to deal with them. Employees need to know that spam, password theft, and malware pose serious risks. Awareness motivates training and keeps its results from going stale. But it isn’t a substitute for acquiring the necessary skills and habits.
NIST 800-16 describes awareness and training as a continuum. The training aims at “relevant and needed security skills and competencies”. In a short session, instilling some awareness may be the best you can hope for. If the aim is a serious reduction in incidents stemming from user error, you need to train people in some real security skills.
Making the aim as specific as possible lets you determine the kind of training which is needed. It might include one or more of these goals:
- Protection of user accounts against hijacking.
- Prevention of malware downloads resulting from a phishing email.
- Compliance with regulations, contracts, and policies.
- Protection of confidential personal information and business trade secrets.
- Avoiding information leaks through insecure communication and data transfers.
When you have a list of goals, you can decide what changes in employee behavior will achieve them. That defines what the training needs to cover.
Know Your Audience
You know how important the technical details are. You’d love it if the employees understood them. But for the most part, they don’t care, and it would take too long to get them to understand. A “salted hash” is what they hope the cafeteria isn’t serving.
The narrative is what gets them interested. Start with stories that are exciting and frightening. Red Riding Hood would have been safer if she hadn’t told the wolf where she was going. The people in accounting will be safer if they don’t give information to spammers. That’s just awareness, perhaps, but it’s the awareness that will pull them in to learn more. They’ll want to know how to spot the big nose, big eyes, and especially the big teeth in time.
The story can start with a common mistake, such as logging in on a look-alike site. It doesn’t need a full explanation of how domain spoofing works, just a plausible example. From there it can go on to show how the bad guys gain a foothold in the network. The aim here should be to show a succession of consequences, not a detailed explanation. Think of the military’s “Loose Lips Sink Ships” training videos.
It doesn’t hurt if the villains are cartoonish and melodramatic. However, the person making the mistake shouldn’t look blatantly stupid. Doing that will just make people think, “Oh, I’d never do that.” The message should be that even smart people will make mistakes if they aren’t careful.
Recruit Your Champions
Making a security training program work requires getting key people on your side. If employees are just yanked away from their desks for training and then go back to doing what they did before, it won’t have much of a long-term effect. Long-term improvements come from a change in the business’s culture.
Usually, the HR department is responsible for training programs, so working closely with them is valuable. Can they offer incentives for good work, and are there consequences for allowing data leaks? An ongoing awareness program will help to make the training stick.
The marketing department has the know-how to create an internal security campaign. Posters help people to keep security in mind. Having a “security awareness week” for the whole company doesn’t hurt. It has to be engaging and perhaps a little scary, but it must never be boring.
In the course of the training, you’ll find that some people really get it. Work with them so they can become security champions in their departments. They’re the key to building a security-oriented culture.
Carrots or Sticks?
The threat of punishment isn’t a very effective training method. It teaches people to cover up their mistakes and not get caught. They should be encouraged to report any slip-ups they think they’ve made so that IT can quickly check for problems.
Shaming is just as bad as punishment. It promotes resentment, not better security habits. This doesn’t mean people shouldn’t be taken off tasks when they show a lack of responsibility, but that’s a matter of the company protecting itself, not a way to teach better work habits. Short of serious matters, it’s more useful to point out issues quietly and encourage people to avoid future mistakes.
Even better is rewarding accomplishments. Gamification is a good way to motivate people. As a simple example, a password meter gives people a sense of gratification when they create a new password and see it go from “Weak” to “Super Strength” as they type.
Sample phishing emails help to test people’s habits. They should vary in what they test, with traps such as enabling macros on an unknown file, logging in to a spoofed site, or requesting confidential information by email. Those who get tricked need to get a reminder. Equally important, the ones who report the “scam” should get visible recognition. Departments can have contests for who has the lowest percentage falling for the trick. (Sorry, IT doesn’t get to play.)
Having the Best Training
However good your current security training methods are, there’s always room to make them better. AgileSecurity covers onboarding, reporting, training, and vulnerability testing. We offer education and workshops, or we can help you to set up the most effective security training program if you refer to run your own. To learn how we can help you to secure your business, schedule a call with a cloud advisor.