The central goal of security education is to modify an employee’s behavior so he or she doesn’t fall for social engineering — the art of manipulating, influencing or deceiving somebody to take an action that isn’t in either his or his organization’s best interests. The most common examples of social engineering are phishing and spear-phishing attacks, which use phone, email, postal services or direct contact to try to trick people into doing something harmful. “Interactive computer-based training is a central component of a comprehensive security education and behavior management program,” according to Gartner. “It is a mechanism for the delivery of a learning experience through computing devices, such as laptop computers, tablets, smartphones and Internet of Things (IoT) devices. The focus and structure of the content delivered by CBT vary, as do the duration of individual CBT modules and the type of computing endpoints supported. Understanding the diversity of people in the organization is as important to security and risk management leaders as an understanding of how security fits into an organization’s larger goals.”
The aim of most social engineering schemes is to get somebody to click on a hyperlink or open an attachment sent in an email that will then give the bad guys access to the user’s computer. Showing a trainee how to recognize that out of nearly 20 types of files an email attachment could come in, the only one that is absolutely safe to open is a file ending in .txt can be a security game changer. Providing short, three- or four-question quizzes at regular intervals during a training module helps employees review and reinforce their understanding of particular training elements and can increase their trust in the impact the course is having and motivate them to complete it, thanks to congratulatory messages after each quiz.
Human beings can become an organization’s last layer of defense only when security awareness training demonstrates to them how susceptible they are to social engineering, which is considered to be the single greatest security risk in the coming decade, much more than electronic hacking. The FBI has reported a 2,370 percent increase in exposed losses between January 2015 and December 2016 from social engineering schemes such as CEO fraud, also known as Business Email Compromise (BEC). A total of more than $5 billion has been stolen from businesses through cyber theft from October 2013 through December 2016, with an average loss per incident of $100,000 and are projected to top $9 billion in 2018.
Training exercises that tell a compelling story and put the trainee in the position of somebody who has been targeted, such as a company’s controller, engage all the senses by making the trainee choose the best course of action in response to a suspicious email.
These exercises teach employees to carefully check all the details in an email for telltale signs of potentially malicious content: a “From” address with a misspelling, a hyperlink that when you pass your cursor over it reveals the actual URL destination you will be taken to (and that will infect your computer), and the suggestion of negative consequences if an action isn’t taken quickly and before confirming the email’s veracity.
Learning that dangerous emails often appear to come from reputable organizations or from someone you know and trust within your own organization drives home the lesson: think before you click. Making training interactive ensures it takes deeper root in an employee’s mind. The ultimate goal of simulated phishing attacks is to train people’s reflexes so they learn the optimal response to such emails.
Security education should start with phishing emails that use a method that is very easy to detect, and then gradually escalate to more challenging simulated attacks in order to fully inoculate employees against all kinds of phishing attacks. This will help them understand how persistent bad guys are in sending increasingly sophisticated attacks until they can trick somebody. The idea is to repeat variations of the exercise continuously so a trainee has a chance to fail in a safe environment and be redirected to a form of corrective behavior.
How to change organizational culture
Changes in behavior cannot be sustained by an organization’s culture without continuous reinforcement. For example, you can reduce the rate at which an employee clicks on a phishing email link to the low single digits from an initial 27% average percent level after training and repeated testing.
First, the stimulus for reinforced behavioral patterns disappears once you take away the immediate feedback an employee gets when s/he successfully recognizes a simulated phishing attack. Second, on the organizational level, the natural churn of personnel as some people leave the organization while others join it translates to a smaller percentage of employees who have been trained rigorously in security awareness.
Then there is behavioral drift over time because nothing is being done to help employees sustain new habits they have learned regarding an approach to emails they receive. Think of seasonal circumstances that can push against an employee’s heightened security awareness and his
Recommended Action Items
1. Be realistic about what is achievable in the short term and optimistic about the long-term payoff.
If your goal is behavior change, focus on 2 to 3 behaviors for 12 to 18 months at a time. You can’t
effectively train on everything.
2. Plan like a marketer, and test like an attacker.
Starting with communications such as executive messages and videos, department manager messages and security town halls, conduct phishing and social engineering testing through LMS modules, and reinforce through regular newsletters and digital signage.
3. View Awareness through the vision of organizational culture.
Focus on understanding the different personalities, drivers and learning styles within your organization. Complete a list of recommended tasks that are designed based on feedback in your company’s staff questionnaire. This will let you personalize your approach and get the most out of your Security Awareness Program. Tasks may include engaging your organization’s stakeholders, creating and completing a baseline phishing campaign, communicating the Security Awareness Program to your employees, reviewing and selecting a primary training module, and creating training campaigns for your quarterly training modules.
4. Leverage behavior management principles to help shape good security hygiene.
Embrace best practices such as (a) formulating goals before starting, (b) getting the executive team involved, (c) prioritizing and making your messages and training relevant, (d) phishing frequently, at a minimum of once a month and (e) testing frequently to build security reflexes.
5. Have a vision of what “good” looks like for your organization.
Build a network of “security champions” inclusive of all roles and geographic regions across the enterprise. Present to candidates the role of a champion as a developmental opportunity and integrate it into performance and career development plans. Changing employee behavior to be less susceptible to social engineering requires a consistent and
repeatable approach to security education. Security awareness training done right engages users and moves their natural “reflexes” from being unaware to being proactive and competent in identifying potentially hazardous social engineering tactics. Successful behavioral change starts with clear communication to employees on why security education is important that also aligns with an organization’s unique culture and workplace dynamics. Rolling out a realistic security awareness training program will empower users to protect themselves and be part of the solution in fortifying an organization’s last layer of security.
Ready to Get Started?
We can set you up with a free Security Awareness Audit which will show you some of the critical interventions and awareness gaps are. We will together to outline the steps needed to create a fully mature training program . Call us at 905-524-2001 or email us at email@example.com to get a free consultation. You’re just a few minutes from taking steps to enhance and train your last layer of defense! Give us a call.