The Best Tools & Techniques for Employee Security Awareness Training
Phishing simulation training? Audits? Incentivizing training? We talked to 18 infosec leaders and asked them what the best tools and techniques for employee security awareness training are.
18 Security Leaders & Experts Share the Best Tools & Techniques for Employee Security Awareness Training
From cyber hygiene best practices to avoiding phishing attacks and social engineering attacks, the dangers of file sharing and cloud storage services, and more, there's a lot for employees to be aware of when it comes to security. Add regulatory compliance into the mix, such as GDPR, and it's no wonder employees have a hard time keeping up. That's why security teams need to make employee security awareness training a priority, and given the ever-evolving security landscape, it shouldn't be a once-and-done thing.
To help companies develop the most effective employee security awareness training programs, we reached out to a panel of InfoSec leaders and experts and asked them to answer this question:
"What are the best tools & techniques for employee security awareness training?"
Meet Our Panel of Security Leaders:
Read on to find out what our experts had to say about the best tools and techniques you could be putting to work to improve employee security awareness training.
Perryn Olson is the vCIO & Marketing Director at My IT. He is a sought-after B2B marketer and business advisor who understands the impact both strategy and technology can have on a company's growth and bottom line.
"The best technique for employee security awareness training is periodic short trainings..."
As an IT firm, we support thousands of users and we added a cybersecurity awareness training for our clients two years ago to bring visibility to the front lines. Many of our users were unaware of the risks and how they could protect the company. Just being conscious of the risk has drastically reduced the number of user-caused malware and ransomware incidents.
Since the initial training, we found short 2- to 3-minute quarterly trainings are the best way to keep cybersecurity top of mind and to get the users to do the training, especially the executives. Our completion rate for trainings under 3 minutes is over 85%, compared to under 50% for trainings 15 minutes or longer.
Robert Siciliano, CSP
Robert Siciliano, CSP, is a #1 best-selling Amazon.com author and CEO of Safr.Me. He may get your attention with his fun, engaging tone and approachable personality but he is serious about teaching you and your audience fraud prevention and personal security.
"The current go-to security awareness training standard revolves around..."
Phishing simulation training that informs and educates the user of any mistakes in real time. Further, providing licensed video-based e-learning courses where the employee can learn at their own pace, with follow-up quizzes, has added advantages.
A New York native, Victor graduated from Western New England College with a focus in computer information systems and business administration. As the CEO at Proven Data, Victor utilizes his 15 years of industry experience and expertise.
"As a business leader, I understand the difficulty when it comes to selecting the right tools and techniques for security awareness training..."
Having a relationship with industry-leading security training organizations such as KnowBe4 can have a positive influence on the success of your data security policy. Creating a more inclusive culture where employees take pride in cybersecurity will set your business apart and construct an effective foundation that will be critical in the long-term success of the company. Furthermore, our team recently participated in an Escape Room challenge hosted by Living Security, where participants worked together to solve complex and intricate puzzles to collect clues to win an objective. These security-oriented live experience events are an excellent technique to improve employee security awareness and establish more participation amongst team members. These exercises have some great educational elements included in the programming such as password management and practical cyber attack prevention. It's such a great method of building teamwork, and I think more organizations should experiment with these awareness training sessions.
Lisa Chu is the CEO of Black n Bianco.
"Security is more than just a technical issue because of your employees..."
Their knowledge and awareness play a critical part in ensuring your data is safe. This is why every business must have a security awareness program. The goal of the program is to increase the employees' understanding and knowledge of common security practices. It must be implemented across all departments and employees, because everyone needs to be on the same page. Security is just like the internet and is constantly changing, so it must be reviewed on a regular basis to keep your employees updated and informed. For our security program, I created a checklist of tasks that needs to be reviewed on a monthly basis. This practice helps my employees refresh their security updates, and it becomes a part of our company organizational culture. This practice also lets our new employees understand how seriously our company takes security. While our security training program may be ongoing, we never use videos or PowerPoints. I find them to be very boring and ineffective, so we try to use a more engaging approach. Through trial and error, I have found that Q&As, discussions, and real training are more productive and efficient. While having strong and dependable security protection is necessary for every business, the security systems are dependent on the people that use them. Don't underestimate the importance of a strong and effective security awareness program.
Jane Muir is a Miami attorney who focuses on commercial litigation, contracts and general counsel. Her diverse experience includes enforcing a variety of business contracts and rights, and recovering assets. She has been recognized with numerous honors, such as the Florida Bar's 2015 Young Lawyers Division's Lynn Futch Most Productive Young Lawyer Award.
"The obvious way to raise employee security awareness is..."
Through establishing guidelines, training, and auditing employees for compliance on a cyclical schedule. But sometimes, people and organizations have to learn the hard way. I have recommended that clients employ ethical hackers to expose their weaknesses and then present their findings to the group. These professionals understand how to look for vulnerabilities. There is nothing like personally experiencing a breach to teach employees to be careful.
Lauren is an SEO specialist at Shred Nations, a company that helps people and businesses find document shredding service solutions. She keeps up-to-date on the latest security tactics for small businesses and frequently writes about them in the Shred Nations blog. Outside of work you can find her hiking in the Rocky Mountains.
"One of the most difficult challenges to overcome during employee security awareness training is..."
Getting people engaged in the material. Each organization will have a different means of managing security, but the most important thing any business can do is provide clear, actionable tactics for employees to follow and to continually reinforce these tasks.
Have a precise plan and disseminate the rules to everyone. If you implement a policy that requires employees to change their passwords every few months, send out regular emails as reminders. If you want to educate employees on email scams, have real world examples ready with actionable tips to help employees spot fake emails.
Keeping security at the forefront of employees' minds will take effort from management, but it is a surefire way to keep compliance up and keep your company safe.
Michael Brengs is a recognized identity management expert and industry speaker who has been deploying identity management solutions for 20+ years and is currently a Managing Partner with Optimal IdM. Mr. Brengs attended the University of South Florida, where he earned a degree in Management Information Systems, and is a Microsoft Certified Professional.
"It is surprising how many employees don't know about..."
Cyber security scams like phishing or ransomware. The 2017 Verizon data breach report states that 81% of hacking-related breaches leveraged either stolen and/or weak passwords. And that makes sense, because the human element of any security system will always be the weakest link. But educating employees about security vulnerabilities like e-mail phishing, ransomware programs and social engineering can reduce the risk of these security issues.
One of the best ways to educate employees about security threats is to make security awareness training mandatory and include it as part of the company's annual training requirements. Whether it's a video, a class, or even a white paper that needs to be read with an employee sign off of understanding, anything is better than nothing when it comes to the safety of your employees and your network.
Courtney H. Jackson
Courtney H. Jackson is a seasoned IT professional with over 20 years of certified hands-on experience. She holds a Master of Science degree in Information Security and Assurance, in addition to nearly a dozen IT career certifications (e.g., CISSP, CISM, CEH). She worked in an executive role as Chief Security Officer (CSO) for a multi-million dollar company for over three years before starting her own private cyber security company, Paragon Cyber Solutions LLC, based in Tampa, FL.
"The best tools & techniques for employee security awareness should be interactive..."
Employees should be provided with scenario-based training so they can understand the different types of attacks they may be susceptible to including, but not limited to: phishing, social engineering, shoulder surfing, and even eavesdropping. Spend one lunch hour at a local coffee house and you will likely hear some company proprietary information that's not meant to be discussed openly in the public. Employees need to understand how critical business information is along with the concept of "need to know" to ensure information is only shared with appropriate personnel.
The interactive training can be online requiring the employee to read through each scenario, assess the situation, and select the best course of action. Outside firms can be hired to attempt social engineering of employees and record their results. Another key factor is to have proper security policies and procedures in place to make employees aware of what's expected along with any consequences for not following the rules.
Jackie Rednour-Bruckman is the CMO of Daxima.
"After many years of working at tech companies..."
The tried and true is to have a training video and reading material that every staff member must sign off on, and give that sign-off to HR, confirming that they have read or watched the training materials on best practices for computer, mobile device, and security protocol. In this day and age of mobile device management and constantly connected or remote workers, one back click or one phishing email can take an entire company down, breach major data, and ruin reputations in an instant. Having a clear and concise policy and escalation procedure, with tips and directives easily and regularly pushed out from IT, is absolutely necessary and the most effective. Having a Single Sign-On (SSO) permission set up that can be easily killed by an IT administrator from any networked device is a good strategy to have as well, so permissions can be granted and taken away immediately depending on the type of attack, virus, etc.
Brian Engle is the CISO of CyberDefenses.
"When choosing the right cyber attack education for your employees..."
You first have to look at where your company may be more vulnerable. For example, according to Cofense research, more than 90 percent of successful cyberattacks happen through phishing emails. Then, in a distant second, are malware data breaches where the malware was installed via malicious email attachments. Two easy items to cover during an employee training should include:
To verify a suspicious or unknown email's authenticity: Take your time to respond to emails, both from known and unknown sources. Avoid immediately clicking on any URLs within the email.
Double-check URLs: Fake URLs often have errors. Look for a URL that differs from the legitimate website's, or that comes from a domain that is not the same as the commonly known site's.
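The "double-check URLs" advice above can be turned into a concrete checklist that staff (or a mail-hygiene script) can apply to a link before clicking it. The code below is an added example and is not part of the original article or of any product mentioned on this page; the trusted-domain list, the sample links and the link text are all constructed for illustration, and the registrable-domain helper is a deliberate simplification (real code should consult a public-suffix list). It checks the things an attacker relies on a hurried reader to miss: a trusted name buried in a subdomain, a one-character typosquat, credentials before an "@" that hide the real host, a bare IP address, punycode labels, plain HTTP, and display text that does not match the actual target.

```python
"""Heuristic link inspection for phishing awareness demos.

Added example (not the article's or any vendor's code).  TRUSTED_DOMAINS
and the sample links in run_demo() are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlparse

# Assumption: a short list of domains staff legitimately receive links for.
TRUSTED_DOMAINS = {"example.com", "microsoft.com", "paypal.com"}


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels of the host name.

    This is a simplification; production code should use a public-suffix
    list so that e.g. 'bank.co.uk' is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_link(href: str, link_text: str = "") -> list:
    """Return a list of warning strings for a link as it appears in an email.

    href       the real target (what the browser opens)
    link_text  the visible anchor text, which may itself look like a URL
    An empty list means none of the heuristics fired.
    """
    warnings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["no hostname in link"]
    if parsed.scheme != "https":
        warnings.append(f"not HTTPS ({parsed.scheme or 'no scheme'})")
    if parsed.username is not None:
        # https://paypal.com@evil.example/ : the part before '@' is ignored
        warnings.append("credentials before '@' hide the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("link points at a bare IP address")
        return warnings  # remaining checks only make sense for DNS names
    except ValueError:
        pass
    if "xn--" in host:
        warnings.append("punycode label: internationalised lookalike possible")
    reg = registrable_domain(host)
    if reg not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            # Trusted name used as a subdomain: paypal.com.secure-login.example
            if trusted in host:
                warnings.append(f"'{trusted}' appears in host but real domain is '{reg}'")
            # Typosquat: paypa1.com, microsofft.com
            if 0 < edit_distance(reg, trusted) <= 2:
                warnings.append(f"'{reg}' is a near-miss of '{trusted}'")
    # Visible text that looks like a URL but points somewhere else
    if link_text and "." in link_text and " " not in link_text:
        shown = link_text if "://" in link_text else "https://" + link_text
        shown_host = (urlparse(shown).hostname or "").lower()
        if shown_host and registrable_domain(shown_host) != reg:
            warnings.append(f"text shows '{shown_host}' but link goes to '{host}'")
    return warnings


def run_demo() -> dict:
    """Run the heuristics over constructed sample links (not real phishes)."""
    samples = {
        "genuine": ("https://www.paypal.com/signin", "https://www.paypal.com/signin"),
        "subdomain trick": ("http://paypal.com.secure-login.example/verify", "https://www.paypal.com"),
        "typosquat": ("https://paypa1.com/login", "Sign in"),
        "bare ip": ("https://192.0.2.10/owa", "Webmail"),
        "userinfo": ("https://microsoft.com@evil.example/", "Click here"),
    }
    return {name: inspect_link(href, text) for name, (href, text) in samples.items()}


if __name__ == "__main__":
    for name, found in run_demo().items():
        print(f"{name:15s} -> {found or 'OK'}")
```

In a training session the useful part is showing the hover text next to the warnings: staff see that "https://www.paypal.com" in the message body is just text, and that only the target of the link decides where they end up.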
Adnan Raja is the Vice President of Marketing for Atlantic.Net, a web hosting solution that offers Cloud, HIPAA-Compliant, Dedicated, and Managed hosting.
"Employee security awareness training should be a part of your company culture..."
The more widespread it is at your company, the more people will buy into it. Try having your CIO or IT manager included during the onboarding process to really drive home to new employees the importance of security at their new place of employment. For long-time employees, ensure your message is being passed on through their team leaders. Try to stay away from long emails and memos, of which many employees will skim only the first couple of sentences before deleting. Instead, try creating some videos, or maybe hang up some infographics in main areas of the office, like the break room, near the water fountain, and even in the restroom. Even if your employees aren't that interested in security, repeatedly reading phrases and actions in visual form will help them remember said messages when something out of the ordinary occurs online.
"In today's digital age, security awareness training is..."
Critically important for employees. One of the best ways to capture your employees' attention is by incentivizing training and practice. There are three incentives that motivate most employees: money, time off work, and free food. With a combination of all three, you can create a captivating training experience. For example, have a half-day event with catered food, where employees get the other half of the day off as an incentive for being in attendance. Beyond the actual training experience, you can continue rewarding employees for implementing what they learned. An example of this could be employees who change their password every 90 days without you having to ask them receive a gift card or a free lunch.
Ben Stukes is the Security Analyst for 24By7Security, LLC.
"I've found that in-person lunchtime training sessions are the best..."
1. It's midday; a lot of people are looking for a break from the routine.
2. It's not too early in the day where they're too busy, and not too late in the day where they're burnt-out and it's hard to focus.
3. Lunch is provided. Who doesn't like lunch?
4. In-person training gives me an opportunity to make it more interesting (e.g., real workplace scenarios), and it gives them an opportunity to ask questions.
5. I always end with a quick quiz.
Terence Jackson is the Chief Information Security Officer at Thycotic. He has more than 17 years of public and private sector IT and security experience and is responsible for protecting Thycotic's information assets. He leads a corporate-wide information risk management program and identifies, evaluates, and reports on information security practices, controls, and risks.
"As 2019 begins, CISOs are planning out their strategies for the year..."
Almost all of these strategies include security awareness training. We've all had to sit through the mundane annual security refresher (Death by PowerPoint) that most users click through to get to the end, answer a couple of questions and then click the submit button. Sound familiar? Is this really effective? I dare say not.
Security awareness training shouldn't be a one-time annual event. Employees are often the first line of defense. Hackers' tools, tactics and techniques don't just change once a year. Training programs should be continuous, adaptive and engaging. A robust program should not only include education, but also activities such as phishing simulations and games...yes, games. According to a 2015 research study, 155 million Americans regularly play video games. According to this same study, 75% of learners would be more engaged if learning included gaming.
Summing it all up: a security awareness training program should not include Death by PowerPoint but instead engage users with dynamic content, be continuous and something that will equip and empower users to communicate with security year-round.
Carlos Lapão is the chief technical officer at APT LTD, where he manages the IT team and leads the development of next-generation payments solutions for the UK market. When not killing it at work, Carlos loves bike trips in nature and taking dramatic landscape photography.
"Non-IT staff usually don't realize the real threat of..."
Irresponsible data handling. The security team should produce a cybersecurity guidelines document and, after briefing staff on it, I think the best technique would be to show them real-life examples by actually doing "fake" secret security attacks, which will show all the employees how easy a target they might be. The best method is to hire an accredited security company, which then will do phone or email phishing attacks. The more errors and mistakes staff make in the "training" period, the more, and the more quickly, they will learn, so the real attacks can be prevented.
After working in the financial industry for several years, Stephen Hart left his role as Chief Financial Officer at WorldPay to launch the UK's first payment processing comparison site, Cardswitcher. Nowadays, he helps SMEs save money on their payment processing costs.
"Use gamification to your advantage..."
You stand more chance of the information conveyed by your training being absorbed by your employees if you make it fun for them. Gamification: adding elements of play with a competitive edge is one of the most effective ways to do that, helping to emotionally invest your employees in the training and keep them engaged in what can be quite a dry subject.
Tony Gee, Associate Partner at Pen Test Partners, has over 13 years of security experience. He has worked as an internal blue team consultant within the finance industry, for the technology partner for the world-leading Oyster card system, and more recently as an external security tester.
"According to recent reports 88% of data breaches are attributable to human error..."
And the only way to combat this is through effective security awareness training. Yet this is often done badly. Issues with security awareness training include:
- Lack of relevance: Yes, BEC and CEO Fraud are real threats but who are they relevant to? Usually just a few staff members and predominantly the finance dept. Failing to connect with the employee with the right message can quickly turn off their attention.
- Bandwagonism: Avoid the temptation to use big news story attacks such as Wannacry as examples. Again, this lacks relevance for most of your audience.
- Putting policy first: While providing policy-based training may tick the compliance box, it's unlikely to cover the cutting edge when it comes to evolving threats. It also makes it harder to provide regular topical security training.
- Control-based: Blanket bans on certain working practices are a sure-fire way to increase the use of shadow IT and fail to recognize a genuine user need.
- Work/life balance: Don't differentiate between office and home IT issues.
To combat these and to perform security training effectively, security professionals need to:
- Tailor training: Focus on the shared experiences people have to provide relevance, such as their email or social media account, and use audience participation to add value by running some employee email addresses through Have I Been Pwned.
- Be open: Share recent attacks the organization has weathered and even share information on those that have been successful but be sure to anonymize personally identifiable information. This should not be a name and shame exercise.
- Create a winning combination: Combine policy with real-world examples and personally targeted training to resonate with the audience. Provide real-life demos such as setting up attachment-based phishing demos, or use a Wi-Fi Pineapple to show what can happen with a fake Wi-Fi access point or how passwords can be stolen with captive portals. Show how social media can lay staff open to attack, such as through over-sharing information, and give "top tips" on passwords and blocking tools. For mobile phone use, focus on quick wins initially, such as increasing the PIN from six to eight digits, and show how Wi-Fi and Bluetooth promiscuity can be abused.
- Make it fun: Use marketing to promote the event with flyers and lead-ins. Offer food and hold lunchtime sessions. Don't be afraid to satirize yourself.
- Say yes: Staff generally behave badly, security-wise, when they have a need that you've not provided a solution for. Try to offer support for people's problems and give them solutions to prevent work-arounds, i.e. "Can you do x before you use that service?" (e.g., encrypt before uploading to Dropbox). Consider hosting drop-in clinics for IT issues that cater for work and home devices.
- Follow up: Work out how staff actually digest information (not just how internal communications think they do), be that with email, instant message, intranet, etc., then use that to communicate regularly.
Matt Baglia is the CEO of SlickText and a stickler for online security.
"Get employees to sign up for security training via text alerts..."
So many employees tune out corporate messages. A lot of times messages get filtered to an inbox that is rarely checked. Use mass texting to send out reminders to register with a link to a registration page. The same tool can be used to remind employees to attend their training.
Regularly test employee retention with a quick survey. It's hard to know how much your employees actually picked up from the training, or how much they're integrating on a daily basis. By texting a quick survey once a quarter you can identify common security risks before they become huge issues.