Can security awareness training change behavior and reduce cyber risk? CIOs and CISOs realize human error is perhaps the biggest weakness in any information security program. Attacks are becoming more frequent. Five industries — health care, manufacturing, financial services, transportation, and government — have been ranked as the most frequently attacked sectors in the world.
While many large enterprises have mature employee training programs, incomplete employee training remains the main reason organizations are left vulnerable to phishing attacks — this is the conclusion of Proofpoint’s fourth annual 2019 Beyond the Phish report.
Here are four cybersecurity threats organizations should focus on during employee awareness training programs:
TOP FOUR (4) SECURITY THREAT TOPICS FOR AWARENESS TRAINING
- Phishing. At the enterprise level, many organizations struggle because it is a complicated issue. Employees need to be trained to be skeptical about essentially everything. Only links received from known senders should be clicked; however, even that can be difficult to discern.
- Unauthorized Application Installation/Usage. Another common security threat is posed by the installation of unauthorized applications. This can be addressed by revoking administrative access for corporate devices and for most employees. A training session explaining the importance of third-party credibility and authenticity can be enough to make employees aware of the threats posed by the installation of unauthorized applications.
- Password Practices. Guessing passwords is the easiest way of breaking into a system, and it has typically been the first trick up a hacker’s sleeve. Oftentimes default passwords for hardware and systems are not changed. Another practice that elevates risk is using the same password for different applications. This can be addressed by spreading awareness about changing passwords, using strong passwords, and the part they play in keeping hackers at bay. Modern application systems won’t accept user passwords that don’t meet minimum complexity requirements.
- Data Leakage. Data Leakage can have serious consequences. Employees often transfer files between their personal computers and their corporate workstations or allow their family members to use their corporate devices at home, and this can create some security loopholes. Address this issue through enforcement of a company-wide policy prohibiting the transfer of data from corporate devices to personal ones. Software can be installed to address Data Loss Prevention (DLP).
Even the most rigorously “secure” infrastructures can get compromised. The threats listed above are some of the most common human vulnerabilities and it is of vital importance that precautionary awareness regarding them be made widespread.
SIX (6) CRITICAL COMPONENTS OF A SECURITY AWARENESS PROGRAM
- Content. Ensure you develop a program that employs multi-media content. Users learn from a variety of means at different levels and different paces. Utilizing a platform that allows delivery of a wide variety of content, including gamification, will help spread awareness of the program faster. You can also match different content types to different roles in your organization.
- Executive Support & Planning. Ensure you have support from the top of the organization down. Security awareness programs require a strong “tone at the top”. Ensure you have a strategy and plan documented. Involve and communicate with your sponsor and stakeholders on a regular basis.
- Campaign Support Materials. A successful program should not be ‘one and done’; treat it as a marketing endeavor. Vary the content and materials to keep users engaged and active.
- Testing. Phishing simulations prompt users to either click a link, report the phish or do nothing. You want to give them an opportunity to report phishing attempts and help the organization increase resilience. If they do fall for the phish, it is recommended you implement remediation follow-up training. Doing nothing is not ideal as it leaves the potential threat out there and there’s an opportunity for others in the organization to click.
- Metrics & Reporting. Keep your sponsor and stakeholders apprised of the progress of the security awareness training program. You need to be able to demonstrate progress. Reporting is also useful for optimizing campaigns based on past results. You want to be able to see what is working well and what can be improved upon.
- Surveys/Assessments. These types of tools can help you understand the attitudes of your organization and how well your program is resonating with your people so you can adapt. Think of it as a pulse check on subtle nuances that are different from metrics/reporting, such as opinions, frame of mind, etc.
Effective education is imperative as cybercriminals continue targeting individuals, making a people-centric security approach essential. Use security awareness training software that provides testing. The phish testing software should provide performance reports so that you can measure improvements in employee behavior as training progresses.
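The kind of performance report described above, with the three simulation outcomes (click, report, do nothing) tallied per campaign and repeat clickers flagged for remediation follow-up, can be computed directly from simulation results. The following is an added example, not code from the article or from any phish-testing product; the campaign names, user names and outcomes are constructed sample data.

```python
from collections import Counter, defaultdict

# Constructed sample results: one record per recipient per simulated phish.
# (Example data only, not taken from the article or from a real campaign.)
RESULTS = [
    {"campaign": "2019-Q1", "user": "alice", "outcome": "reported"},
    {"campaign": "2019-Q1", "user": "bob",   "outcome": "clicked"},
    {"campaign": "2019-Q1", "user": "carol", "outcome": "ignored"},
    {"campaign": "2019-Q1", "user": "dave",  "outcome": "clicked"},
    {"campaign": "2019-Q2", "user": "alice", "outcome": "reported"},
    {"campaign": "2019-Q2", "user": "bob",   "outcome": "clicked"},
    {"campaign": "2019-Q2", "user": "carol", "outcome": "reported"},
    {"campaign": "2019-Q2", "user": "dave",  "outcome": "ignored"},
]

# The three possible responses to a simulated phish named in the article.
OUTCOMES = ("clicked", "reported", "ignored")


def campaign_rates(results):
    """Return {campaign: {outcome: rate}}, each rate a fraction of recipients."""
    counts = defaultdict(Counter)
    for r in results:
        if r["outcome"] not in OUTCOMES:
            raise ValueError(f"unknown outcome {r['outcome']!r}")
        counts[r["campaign"]][r["outcome"]] += 1
    rates = {}
    for campaign, c in counts.items():
        total = sum(c.values())
        rates[campaign] = {o: c[o] / total for o in OUTCOMES}
    return rates


def remediation_list(results, min_clicks=1):
    """Users who clicked in at least min_clicks campaigns; candidates for follow-up training."""
    clicks = Counter(r["user"] for r in results if r["outcome"] == "clicked")
    return sorted(u for u, n in clicks.items() if n >= min_clicks)


def trend(rates, earlier, later, outcome):
    """Percentage-point change in one outcome's rate between two campaigns."""
    return round((rates[later][outcome] - rates[earlier][outcome]) * 100, 1)


def report(results):
    """Print a per-campaign summary a sponsor could read at a glance."""
    rates = campaign_rates(results)
    for campaign in sorted(rates):
        r = rates[campaign]
        print(f"{campaign}: clicked {r['clicked']:.0%}, "
              f"reported {r['reported']:.0%}, no action {r['ignored']:.0%}")
    print("repeat clickers for remediation training:",
          remediation_list(results, min_clicks=2))


if __name__ == "__main__":
    report(RESULTS)
```

On the sample data the click rate falls from 50% to 25% between the two campaigns while the report rate rises from 25% to 50%, which is the kind of improvement in behavior the article says reporting should let you demonstrate; the "no action" share stays at 25%, marking users who neither reported nor clicked and so still leave the threat in place for others. Counting clicks per user across campaigns, rather than per campaign only, is what makes the remediation list actionable.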
Laszlo Gonc, CISSP
Founding Member and Senior Fellow, DivIHN Center of Excellence for Digital, Security and Risk at DivIHN Integration, Inc.