
Improve security awareness training

What Doesn't Work

  • Do Nothing and Hope for the Best - Only about one in five organizations admit to this as their "strategy" against the rise of phishing. But the actual number is probably much higher.
  • Break Room Training - About 30% of organizations favor the break room approach. They gather as many employees as they can in the break room, provide lunch and have someone from IT or a security expert lecture on topics such as phishing, spear-phishing and whaling. This is certainly better than nothing, but often attendance is low and most of the audience looks upon the event as a time to make some headway on their email backlog.  
  • Monthly Security Videos - This can be done informally with videos made available via email or placed on the website for employees to view, or formally via mandatory classes. These short clips educate users on the perils of promiscuous clicking and on the many snares used by phishers to reel in unsuspecting employees. About one in four organizations gravitate towards this method. At best, this can be categorized as being little more than a superficial training program. On its own, it can’t be expected to do much to diminish the risk of data breach. It also causes training fragmentation because important topics are covered months too late.
  • Phishing Tests - This approach pre-selects high-risk employees only and sends them simulated phishing emails to see how many fall victim to the attack. This is typically paired with some kind of educational module such as links to training modules for offenders as well as short videos to view to increase awareness. The plus of this method is that it offers some kind of metric about phishing. The minus is that employees soon get wise to it and "prairie dogging" begins to happen – an employee sees a phishing test email and pops his or her head up above the cubicle to let the others know to watch out for it. This approach, then, is both limited and too simplistic.

What Works

  • Comprehensive Programs Work - Most security awareness programs are superficial at best. They may include some sensible actions, but they don't dovetail into a coordinated and comprehensive program. What is missing is an appreciation of the adversary being faced and the degree of commitment an organization has to have to stave off attacks. It is vital that the C-suite comes to terms with the extent of the threat and the sheer weight of resources the enemy is bringing to bear against naive employees. Only by doing so is it possible for C-level executives to comprehend the measures that must be taken to secure the enterprise and the vital necessity of erecting a human firewall of informed and ever-vigilant users. The crux of this best practice is having an awareness of the scale of the problem and the resources necessary to defend against it.
  • Develop a Coordinated Campaign that Combines Training and Phishing Simulation - Training on its own, typically once a year, isn't enough. Simulated phishing of personnel on its own doesn't work. But together, they can be combined to greatly increase effectiveness. An important best practice is to intelligently integrate these components into an overall campaign. This is best accomplished by finding a platform that integrates simulated phishing and security awareness training.
  • Baseline Phishing Susceptibility - Security awareness training can be undermined due to difficulty in measuring its impact. How exactly are you supposed to prove that it obtains results? All it takes is one fresh outbreak and someone in authority can point to the event as evidence that such training dollars would be better spent elsewhere.

    This is where the baseline comes into play. It is vital to establish a baseline on phishing click-through rates so you know the percentage of users who open malicious emails prior to awareness training campaign commencement. This is easily accomplished. Send out a simulated phishing email to a random sample of personnel to find out the number that are tricked into opening an attachment, click on a link or enter sensitive information. This is your baseline phish-prone percentage. This metric can be later used to determine how effective the campaign is. Further, it provides specific numbers that can prove useful during the purchase order approval process.
  • Gain Executive and IT Buy-In - To be effective, top executives and IT managers must be on board. Thus extensive briefings before and during a training program are a must. Briefings are needed in advance to obtain finance approval, but it should never end there. Prior to beginning a phishing simulation project, communicate to executives and iron out all political or sensitivity issues in advance. This should include HR, Legal and union representatives where applicable. Otherwise, such campaigns may be unjustly accused of targeting specific employees, undermining morale or discriminating against certain groups. Only by keeping all interested parties involved, listening to their concerns and addressing their needs can the campaign hope to succeed. In some organizations, there may be pressure to inform employees that a simulated phishing campaign is about to be launched. In those cases, where staff are forewarned, the effectiveness of the campaign is significantly reduced.

    Another aspect of this best practice is to inform executives about baseline phishing numbers so they are more aware of the extent of the problem and the uphill task facing the organization. Return to this baseline again and again as a means of monitoring results. Showcase all drops in phishing effectiveness as a way to demonstrate the value of the program.
  • Conduct Random-Random Phishing Attacks - Earlier, we mentioned prairie dogging, where an employee notices a simulated phishing email and warns the others in the office about it. This phenomenon can even bring about an apparent drop in phishing susceptibility in tests that doesn't translate into the real world. Employees get used to the simulated actions of the campaign, learn to watch out for them every Monday morning and thereafter continue as normal. What you end up with is a simulated phishing initiative that has little or no impact on employee gullibility.

    This is particularly important when you consider the findings from a study by Proofpoint. It found that no company had a zero click rate from phishing attacks. While repeat clickers account for the majority of clicks on malicious links, 40% of clicks are typically one-off clickers. In other words, even the best and the brightest can be caught unawares and will click on something malicious from time to time. Prairie dogging might allow these rare but occasional phishing victims to develop complacency.

    The way to guard against this is to use what are termed random-random simulated phishing attacks. This Security Awareness Training practice entails the selection of random groups, random schedules, and random phishing templates to gain a more accurate estimate of an organization’s likelihood to fall victim to phishing. Instead of sending out the same phishing emails every Monday morning to accounting, every Tuesday at lunch to sales and every Friday evening to manufacturing, switch the tactics and schedules around by varying the groups and schedules randomly. This eliminates prairie dogging and provides the organization with a real metric they can use to determine effectiveness.
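To make the baseline metric and the random-random mechanics concrete, here is an added Python example (not code from the original article or from any simulation vendor) that computes the phish-prone percentage from a sample's results and builds a wave plan with random groups, random send times and random template choices. The roster, template names and click results are constructed; the function names are my own.

```python
import random
from datetime import datetime, timedelta

# Constructed roster (hypothetical employees -> departments).
ROSTER = {
    "alice": "accounting", "bob": "accounting", "carol": "sales",
    "dave": "sales", "erin": "manufacturing", "frank": "manufacturing",
}
# Template *names* only; the simulation platform supplies the content.
TEMPLATES = ["invoice-overdue", "password-expiry", "shared-document"]

def phish_prone_pct(results):
    """Baseline metric: percentage of sampled recipients who opened the
    attachment, clicked the link or entered data.
    results: dict employee -> True if they fell for the simulated email."""
    if not results:
        return 0.0
    return round(100.0 * sum(results.values()) / len(results), 1)

def random_random_schedule(roster, templates, start, waves, rng):
    """Random groups, random schedules, random templates: each wave draws a
    random subset of staff (crossing departments), a random weekday and
    business hour inside that week, and a random template, so no fixed
    'Monday morning to accounting' pattern exists for prairie dogging."""
    people = sorted(roster)
    schedule = []
    for w in range(waves):
        size = rng.randint(2, len(people))
        group = rng.sample(people, size)
        send_at = start + timedelta(days=w * 7 + rng.randint(0, 4),
                                    hours=rng.randint(8, 17))
        schedule.append((send_at, tuple(sorted(group)), rng.choice(templates)))
    return schedule

if __name__ == "__main__":
    rng = random.Random(7)  # fixed seed so the demo is reproducible
    baseline = {"alice": True, "bob": False, "carol": True, "dave": False,
                "erin": False, "frank": False}  # constructed sample results
    print("baseline phish-prone %:", phish_prone_pct(baseline))
    for when, group, tpl in random_random_schedule(ROSTER, TEMPLATES,
                                                   datetime(2024, 1, 8), 3, rng):
        print(when.strftime("%a %Y-%m-%d %H:00"), tpl, group)
```

Re-run the same function against each later wave's results and compare with the baseline to show the drop the program produces.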
  • Personalize Emails - Personalized emails are more believable. In some cases, this can be as simple as adding the employee's first name. But in large organizations, personalization must be taken further. For example, obtain from payroll the names of the banks used by employees for direct deposit and use that bank name in a phishing campaign. Another tactic is to split phishing email into groups such as by departments, or to tie phishing emails into topical or popular events.
  • Don’t Expect Miracles - With this type of awareness training, phishing victimization rates generally fall from the 10-25% range to about 2%. It appears that getting below that point is extremely difficult. But continuation of the campaign can keep results at or below that level, which will have a significant impact on the organization. With malware infections caused by phishing minimized, IT is able to contain remaining outbreaks more effectively as there are far fewer of them.

    Due to the dramatic drop in infections, other security measures have a greater chance of success. IT finds itself moving from constant troubleshooting mode to being able to move forward with projects that provide greater strategic value to the organization.
  • Avoid Witch Hunts - A common concern about simulated phishing is that the results could be used in witch hunts. Therefore, don't ever use results in this way or bring them up in annual reviews. It is best to keep results general and use them to correct and train the organization as a whole as opposed to singling out specific individuals.

    The exception to this comes once the coordinated campaign of training and phishing simulation has brought about marked results. After a prolonged series of simulations and training steps, and once the numbers have bottomed out, companies are likely to find the same small group of repeat offenders. Proofpoint noted that less than 10% of users are responsible for almost all clicks on any given wave of malicious attacks. While Security Awareness Training can push that number down far lower, there will remain a handful of individuals who continue to click despite being given every opportunity to reform.

    By this point, they will have attended several training classes and received a thorough education on how phishing can fool them. Yet they go on being fooled no matter what remedial steps are taken. Now is the time to involve HR to take up findings with repeat offenders who show no improvement despite several attempts at retraining. To take any possible negative connotation away from 'flunking' simulated phishing tests, it sometimes works to incentivize departments to encourage their staff to complete training or retraining in an effort to achieve a 0% click rate. Those doing so, or scoring below a particular level, can be rewarded with gift cards or other inducements.
  • Continue to Test Employees Regularly - Even when testing confirms that phishing susceptibility has fallen to nominal levels, continue to test employees frequently to determine if anti-phishing training remains effective. The bad guys are always changing the rules, adjusting their tactics and upgrading their technologies. Therefore, training reinforcement must remain a part of the organizational security arsenal in order to keep pace with constantly evolving threats.
  • Provide Thorough Security Training - Old school security training favored a lecture or video approach. The problem with this type of training is that it can rapidly become outdated – the security landscape of one year ago is very different from that of today. It also focuses too much on theory and isn’t balanced by practical application. Security Awareness Training is interactive, balances theory and application, is continually updated, and is based upon thorough insight of how cybercriminals operate. Ideally, it will incorporate the services of an expert hacker who knows all the ways of entering an organization and all the tricks of the phishing trade. It should make sure employees understand the mechanisms of spam, phishing, spear-phishing, malware, ransomware and social engineering, and are able to apply this knowledge in their day-to-day jobs.

    This training should include, but not be limited to:
  • Responsibility for Company Data - Continually emphasize the critical nature of data security and the responsibility of each employee to protect company data. You and your employees have legal and regulatory obligations to respect and protect the privacy of information and its integrity and confidentiality.
  • Document Management and Notification Procedures - Employees should be educated on your data incident reporting procedure in the event an employee's computer becomes infected by a virus or is operating outside its norm (e.g., unexplained errors, running slowly, changes in desktop configurations, etc.). They should be trained to recognize a legitimate warning message or alert. In such cases, employees should immediately report the incident so your IT team can be engaged to mitigate and investigate the threat.
  • Passwords - Train your employees on how to select strong passwords. Passwords should be cryptic so they cannot be easily guessed but also should be easily remembered so they do not need to be in writing. Your company systems should be set to send out periodic automatic reminders to employees to change their passwords.
  • Unauthorized Software - Make your employees aware that they are not allowed to install unlicensed software on any company computer. Unlicensed software downloads could make your company susceptible to malicious software downloads that can attack and corrupt your company data.
  • Internet Use - Train your employees to avoid emailed or online links that are suspicious or from unknown sources. Such links can release malicious software, infect computers and steal company data. Your company also should establish safe browsing rules and limits on employee Internet usage in the workplace.
  • Social Media Policy - Educate your employees on social media and communicate, at a minimum, your policy and guidance on the use of a company email address to register, post or receive social media.
  • Mobile Devices - Communicate your mobile device policy to your employees for company-owned and personally owned devices used during the course of business.
  • Protecting Computer Resources - Train your employees on safeguarding their computers from theft by locking them or keeping them in a secure place. Critical information should be backed up routinely, with backup copies being kept in a secure location. All of your employees are responsible for accepting current virus protection software updates on company PCs.
  • Email - Responsible email usage is the best defense for preventing data theft. Employees should be aware of scams and not respond to email they do not recognize. Educate your employees to accept email that:
    • Comes from someone they have received mail from before.
    • Is something they were expecting.
    • Does not look odd with unusual spellings or characters.
    • Passes your anti-virus program test.
  • Social Engineering and Phishing - Train your employees to recognize common cybercrime and information security risks, including social engineering, online fraud, phishing and web-browsing risks.

eFraud Prevention™, LLC