Effective Security Awareness Training


Because humans are sometimes the biggest security vulnerability in your network, it’s important to implement a security awareness training program to help mitigate their weaknesses.

What doesn’t work

In many organizations, security awareness training is either given to employees when they come on board or conducted on a yearly basis. It is a boring, 8-30 minute video with a poorly written quiz at the end. Employees who take this type of training have been shown to have completely forgotten it 30 days later. Worse, some employees start the video, do something else while waiting for it to finish, and pay no attention at all. This type of training is simply ineffective.

Get up close and personal

Classroom training is much more time-consuming and expensive, but still cheaper than the fallout of a major breach. Your security awareness training should be conducted in a classroom-like setting and be 30-90 minutes long. The presenter should be engaging and inspiring, and should encourage classroom participation. There should be a number of difficult challenges that employees can work through to practice safely navigating their daily lives, such as having the users visit look-alike websites like goog1e.com to see if they can identify the problem, or giving them a batch of phishing emails to see if they can detect what's wrong with them. Everyone should have to take these classes, all the way up to the CEO, since the CEO is one of the biggest targets.

The training should be tailored to the employee's position. The database admin will likely need different security awareness training than the front desk receptionist. Trying to make a blanket security training curriculum for everyone is a waste of money and time for both the employee and the employer.

See something? Say something!

If an employee sees a security problem (such as a phishing email), are you confident they know who to report it to? There should be frequent gentle reminders of what is appropriate to report and to whom. These reminders could be posted on all doors in and out of the building, posted prominently on an internal website, or simply sent quarterly to everyone by email. The more people are aware that your company takes security seriously, the more likely they are to report issues.

Phishing Campaigns

A growing issue is phishing emails. You can and should conduct your own phishing campaign to identify who needs more security awareness training. This could be a mass email to everyone in the company that shows a number of signs of being a bad email and asks them all to click a link. The security team then monitors who clicks the link. This is also a good way to test whether people report problems to you when they see them.
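One way to score the campaign described above, as an added example that is not from the original post: each recipient's link carries a unique token, the landing page's access log is parsed for hits on those tokens, and the result is cross-referenced with who forwarded the email to the security mailbox. The token-to-address map, access log lines and report list are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample data (not from the original post). Each recipient's
# link carries a unique token so a click can be attributed to one person.
RECIPIENTS = {"a1b2": "alice@example.com", "c3d4": "bob@example.com",
              "e5f6": "carol@example.com", "g7h8": "dave@example.com"}

# Constructed web-server access log lines for the campaign's landing page.
ACCESS_LOG = """\
10.0.0.5 - - [12/Mar/2024:09:01:13 +0000] "GET /t/a1b2 HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2024:09:02:40 +0000] "GET /t/c3d4 HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2024:09:02:41 +0000] "GET /favicon.ico HTTP/1.1" 404 0
10.0.0.5 - - [12/Mar/2024:09:05:02 +0000] "GET /t/a1b2 HTTP/1.1" 200 512
"""

# Constructed list of who forwarded the email to the security mailbox.
REPORTED = {"bob@example.com", "carol@example.com"}

CLICK_RE = re.compile(r'"GET /t/([0-9a-z]+) HTTP')

def clicks_by_user(log_text, recipients):
    """Map each recipient to the number of times their unique link was hit."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = CLICK_RE.search(line)
        if m and m.group(1) in recipients:
            counts[recipients[m.group(1)]] += 1
    return dict(counts)

def campaign_summary(log_text, recipients, reported):
    """Classify every recipient and compute the campaign's click/report rates."""
    clicks = clicks_by_user(log_text, recipients)
    rows = {}
    for email in recipients.values():
        clicked, did_report = email in clicks, email in reported
        # Clicking without reporting is the case that needs follow-up training.
        rows[email] = ("clicked, no report (needs training)" if clicked and not did_report
                       else "clicked but reported" if clicked
                       else "reported" if did_report else "ignored")
    total = len(recipients)
    return {
        "per_user": rows,
        "click_rate": len(clicks) / total,
        "report_rate": len(reported & set(recipients.values())) / total,
    }
```

Repeat hits from the same person count once toward the click rate; the per-user counts are kept so a repeat clicker can be noticed separately.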

To learn more about how to run phishing campaigns, check out the talk Shooting Phish in a Barrel by Infosystir.

Be an Advocate Not an Enemy

Tess Schrodinger gives some great advice in her talk at AIDE titled Do You Want Educated Users? Because This is How You Get Educated Users!. Here are a few of my favorites:

I actually bought a spy camera once and put it at the facility. Then I said “whoever finds the spy camera first and brings it to me wins a prize”. … And suddenly, everyone became experts on what a spy camera looks like and where to look for one and how to find one.

  • Have the FBI help you do some training. Make some popcorn and have your team watch Game of Pawns, a short story about integrity at the intelligence level created by the FBI.

  • Make your security awareness training sessions so useful that leaders and directors attend because they find it useful. If they come to the training because they find it helpful and meaningful, others will follow. Also, by getting them on your side, you will have approvals for more training or a larger budget.

  • Hang security awareness posters up all over the office in key locations where people are likely to stand around.

Internal bug bounty

Bug bounty programs have now grown to the point that even the US Department of Defense has one. They work because, without one, what motivation does someone have to report a bug to you? With a bug bounty program, you incentivize them to report it to you in exchange for a monetary reward.

An internal bug bounty could look something like this: every quarter, the company awards $100 for the best security issue reported. Now you are incentivizing your employees to report issues to you when they see them. You'll be surprised by some of the things you see.

People may report:

  • Alternative ways into the building that don't require a badge
  • Ways to get around a proxy, if you have one
  • Ways to access data without proper authentication
  • Methods of hiding internet usage or activities the company does not condone
  • General things people shouldn't be able to do, such as visiting websites that are against company policy
  • Poor encryption used by a specific application. Often our browsers warn us, but we do nothing about it.

For $400 a year, it's worth enacting an internal bug bounty program that crowdsources the discovery of the company's weaknesses to your employees.

Bonus holdbacks

Employees may be getting a yearly bonus or raise. Perhaps a portion of it can be held back if the employee doesn't complete the mandatory training, or if they fail the test phishing campaigns.

If you're clear and upfront about what your employees need to do to earn their full bonus, you'll be surprised what lengths people will go to in order to get it all. Where I work, my health care is partially held back until I complete certain biometric screenings and yearly checkups. Even though I'm healthy and have a fear of needles, I still make the appointment, drive to the location, and get poked, just so I get the full amount. To me, it's a big effort. If you tell people their bonus will be held back unless they pass the various mock phishing campaigns, they will take it much more seriously and put a lot more effort into it than they would without the incentive.
