Security teams should stop treating users as the weakest link in security and, instead, turn them into allies in building a strong security culture. This was the message from Shelly Epps, HCISPP, Director of Security Program Management at Duke Health, who delivered a presentation this week at the (ISC)² SECURE North America virtual event.
“If you are relying upon users for your security, you’ve effectively already failed,” she said. Instead, organizations need to develop comprehensive, multidimensional programs that keep users engaged.
Traditionally, Epps said, organizations have built security programs around compliance obligations and PowerPoint slide decks. Those programs tended to be punitive, casting the cybersecurity staff as the bad guys, when a rewards-based approach works better.
Developing the right culture requires empowering people by helping them internalize the need for security and understand their own role in it, she said. It helps to instill a hive mentality, with everyone “working together for the greater good.” Duke Health has sought to accomplish this with a series of awareness initiatives: phishing simulations; short, easily digestible videos; a virtual security academy; and an ambassador program.
Starting in 2020, Duke Health embarked on a new approach to security training and awareness. In February, the organization ran a phishing simulation using what Epps called the “ugliest Valentine’s Day phish.”
Users were sent an e-card that required them to click a link to view it. “It was very similar to how e-cards work. I thought e-cards were kind of done at that point,” Epps said.
As it turned out, e-cards still appealed to recipients. “We had a very concerning click rate in that phish.” Employees of all ages, roles, backgrounds and education levels clicked at a very high rate, and that included IT staff.
So clearly there was work to do. The corporate mandate was to conduct phishing simulations twice a year, but the security team approached individual departments and suggested they run them more often. Some agreed to monthly simulations, others chose a quarterly schedule, and others stayed with the semi-annual schedule. The results clearly showed that the departments running monthly tests saw the biggest drops in click rates, Epps said.
Right after the first organization-wide simulation, the pandemic hit, forcing the security training team to adjust the program, including adding a focus on securing home working environments.
The team also launched a video series that addressed relevant security topics in three-minute chunks. So that everyone could relate to the content, people of different ages, backgrounds and physical abilities appeared in the videos. This approach, Epps said, was well received because people could see themselves represented.
To keep the series relevant, the security training team analyzes viewing statistics, including how many people watch each video and at what point they drop off, to learn what works best to keep viewers engaged.
Another initiative was the virtual security academy. Epps’ team put together a curriculum that in the first year took a “train the trainer” approach, acquainting IT staff with seven domains of security. In the second year, non-IT staff were invited to participate. The team used a storytelling approach built on real-world examples to convey the material. The third year is still being planned, but Epps said it may focus on (ISC)² entry-level domains and exam preparation.
To recruit security ambassadors, the team first used gamification and swag rewards to draw people into a phishing awareness training program, and 2,100 employees participated. It then turned to the 170 users who completed every module.
Those most committed attendees, the ones who finished all 20 modules, were invited to become ambassadors. In that role, they help the security team evangelize the security message by suggesting ideas for phishing simulations and videos, and by talking up security in general.
With their help, Epps said, she hopes to see a large increase in engagement in the third year of the program. Her team, she said, will never stop working to get everyone across the organization to embrace a security culture.