[By Perry Carpenter, chief evangelist and security officer at KnowBe4]
The threat landscape is evolving with new attack vectors and cyber threats surfacing almost daily. Cybersecurity technology has come a long way too; however, security researchers are increasingly finding that most breaches are related to human factors such as phishing, which stem from poor security judgment and careless employee attitudes and not necessarily due to the limits of cybersecurity tools.
Gartner believes that time has come for security teams to balance their security investments across both technology and human-centric elements. A security awareness program is perhaps the most crucial, human-centric element in the overall cybersecurity mix. Let’s explore five key measures that can help build an effective, human layer of defense.
1. Use Compelling Content
The core element of any training program is content. People tend to retain content and stories that are relatable and engaging, that trigger the imagination and motivate them to take action. Avoid using a one-size-fits-all approach to content. Try to tailor content around different job roles and respective security maturity levels. Push content that’s timely and which aligns with the latest threats (e.g., ransomware and quishing); current affairs, or other topics of interest (holidays, tax season).
2. Win Leadership Support
Lack of leadership support can hamper efforts to deliver security messages across the organization. On the flip side, organizations with the most mature security programs are the ones that have the greatest leadership support. To win leadership support, it is important to have proof points that demonstrate the value of your program to the executive team. Having the leadership team fully onboard can have a significant impact on your program, given that security culture is often influenced from the top down.
3. Make Persistent Effort
A security awareness program shouldn’t be treated as a once-a-year, check-the-box activity. Security teams must take cues from sales and marketing and continuously try to improve their campaign assets and communications, present security messages in contextual and meaningful ways, and be persistent with their efforts. The idea is not just to build awareness, but to reinforce the message until there is a positive change in the security mindset and behavior among employees across the organization.
4. Deploy Phishing Simulations
Training is one thing; training on the job is another. Put employees in situations where they can experience real-world cyber threats to gain valuable practice with detecting, avoiding, and reporting suspicious email and text communications in a safe environment. Phishing simulations enable security teams to identify vulnerable employees and train them in the moment. This creates a more engaging and personalized experience as well as improves muscle memory.
5. Metrics, Surveys and Reporting
Surveys help the organization understand the attitudes, opinions, and feelings that employees carry towards security. They help in assessing whether the current program is resonating with the audience, or whether there are gaps that need to be addressed. Survey results are helpful in reporting progress to stakeholders, building confidence in the leadership team and winning incremental investments for your program.
6. Leverage the 70:20:10 Model
Security teams must accept that learning doesn’t happen at a single point in time during a classroom exercise. They must consider how users “feel” about the program and keep the end-to-end user experience in mind when designing it or updating it. The 70:20:10 model can help:
- Experiential (70%): Experiential training is a form of training that includes phishing simulations plus other “on the job” experiences. It also entails social and cultural aspects – things that people imbibe when they see how co-workers handle security problems, and how often they report security incidents. Think about making on-the-job experiences more interesting and engaging. For instance, games and contests; incentives such as free movie tickets, and tools that make reporting of potential scams easier, such as deploying a phish alert button or a hotline to the security team.
- Informal (20%): Informal training can include things like email newsletters, watching videos and online interviews, posting a security channel on the intranet or instant messenger, using a phishing awareness chatbot, etc. Think about all the different ways that users can be engaged without making them feel like they are being patronized.
- Formal (10%): This can involve a combination of classroom training and learning management system (LMS) modules, or online education. Using slide presentations can be considered mundane and too passive, so allot only 10% of time to formal user training.
Always Take A Positive Tone With Your Audience
Security awareness programs should never impart the feeling that the goal is to make users fail, to trick them, or expose them in a bad light; if they feel as such, then it’s possible the security team will be perceived as an adversary or obstacle. Ensure your phishing program accurately reflects the organizational culture, values, and tone that you want to reflect. Avoid setting a tone that will make employees feel judged or threatened when they fail. The point of phishing testing is about allowing them to safely build the necessary skepticism and reflexes.
About the Author
Perry Carpenter is co-author of “The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer.” [2022, Wiley] His second Wiley book publication on the subject. He is chief evangelist and security officer for KnowBe4, provider of security awareness training and simulated phishing platforms used by more than 65,000 organizations around the globe.