Do You Offer Security Awareness Training?
An hour-long lecture once a year doesn’t do much to train your employees on security awareness issues.
A recent Wombat report revealed that in addition to the ever growing problem of phishing, employees across industries struggle with oversharing on social media, unsafe use of WiFi, and company confidential data exposure. Those ubiquitous posts pose serious risks. In order for awareness training to work, it has to keep everyone in the enterprise aware of security issues.
Security awareness needs to be based on both the skill set and the industry sector. Josh Grunzweig, threat intelligence analyst at Unit 42 of Palo Alto Networks, said, “Many hospitality employees are using POS terminals as a normal computer—checking email, browsing the web, posting on Facebook. Those terminals should only be used for financial transactions.”
When assessing the success of security awareness training, it’s important to be realistic about expectations around changing human behavior. “A lot goes into putting technical controls in place so that attackers don’t get into where they shouldn’t be,” Grunzweig said.
Chris Weber, co-founder of Casaba Security, said, “Phishing attacks are pretty measurable. You give folks a phishing workshop, then go and run a phishing testing campaign and see how many people fall for the lure and how many people report the attack or suspicious email.”
Because many of the threats delivered by malicious actors often tie into phishing, these exercises can’t be overlooked, particularly in light of people’s inclination to overshare. “Most companies are embracing some type of annual or onboarding training, letting folks know these are the things you should watch out for if you are trying to access company resources,” Weber said.
Training in and of itself is not enough. A successful awareness program will have training in conjunction with the testing.
“Do the training to know what’s going on and the testing to keep it activated in people’s minds. Who falls for the bait?” Weber said.
“Each person in the organization should be tested monthly. It could be more frequent than that, but not to the point of annoying people. That’s measurable,” Weber said.
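Weber’s click-and-report measurement, as an added example that is not part of the original article: a short script over a constructed set of monthly phishing-simulation results (hypothetical users and rounds) that computes per-round click and report rates, flags the repeat clickers who fell for the lure in more than one round, and shows how both rates moved between the first and last round.

```python
from collections import defaultdict

# Constructed sample: one record per recipient per monthly simulation round.
# "clicked" = fell for the lure; "reported" = flagged the email to security.
SAMPLE_RESULTS = [
    {"round": "2024-01", "user": "alice", "clicked": True,  "reported": False},
    {"round": "2024-01", "user": "bob",   "clicked": False, "reported": True},
    {"round": "2024-01", "user": "carol", "clicked": True,  "reported": True},
    {"round": "2024-01", "user": "dave",  "clicked": False, "reported": False},
    {"round": "2024-02", "user": "alice", "clicked": True,  "reported": False},
    {"round": "2024-02", "user": "bob",   "clicked": False, "reported": True},
    {"round": "2024-02", "user": "carol", "clicked": False, "reported": True},
    {"round": "2024-02", "user": "dave",  "clicked": False, "reported": True},
]

def round_metrics(results):
    """Per round: recipient count, click rate and report rate (fractions)."""
    by_round = defaultdict(list)
    for r in results:
        by_round[r["round"]].append(r)
    metrics = {}
    for rnd, rows in sorted(by_round.items()):
        n = len(rows)
        metrics[rnd] = {
            "recipients": n,
            "click_rate": sum(r["clicked"] for r in rows) / n,
            "report_rate": sum(r["reported"] for r in rows) / n,
        }
    return metrics

def repeat_clickers(results, min_rounds=2):
    """Users who fell for the lure in at least min_rounds distinct rounds."""
    rounds_clicked = defaultdict(set)
    for r in results:
        if r["clicked"]:
            rounds_clicked[r["user"]].add(r["round"])
    return sorted(u for u, s in rounds_clicked.items() if len(s) >= min_rounds)

def trend(metrics):
    """Change in click and report rates from the first round to the last."""
    rounds = sorted(metrics)
    first, last = metrics[rounds[0]], metrics[rounds[-1]]
    return {"click_rate_delta": last["click_rate"] - first["click_rate"],
            "report_rate_delta": last["report_rate"] - first["report_rate"]}

if __name__ == "__main__":
    m = round_metrics(SAMPLE_RESULTS)
    print(m, repeat_clickers(SAMPLE_RESULTS), trend(m), sep="\n")
```

A falling click rate paired with a rising report rate is the signal the program is working; a flat report rate means people are not yet doing the one thing that lets the security team respond.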
Because so many breaches are the result of human error, “Sometimes it’s easier to block access to it all and then grant access by request. Then anybody who requests access needs to install some type of device management software to help organizations keep track and monitor and have a little bit more control over the resources,” Weber said.
Blocking access can get tricky, though, and establishing access controls doesn’t preclude the need for ongoing and meaningful awareness training.
Dave Chronister, founder of Parameter Security, added, “Awareness training is one of the most important things you can do to protect your network. You need to have a program and it needs to be effective.” Effective means doing more than just having a person talk about the annoying things people do. That approach is sure to quickly cause the audience’s attention to drift, perhaps even to take out their phones and start posting on social media.
Chronister said that when he hears people tell him that they perform security awareness training once a year, he knows it’s not a program that is up to par. “If it is not reinforced without movies, emails, media posters, and testing, the end users will only remember it for a couple days, then the concept will go away,” said Chronister.
One midsized company whose program really impressed him, though, held monthly company meetings. “Instead of an hour long once a year, it was a 30 to 45 [minute] company meeting. They would have 10 minutes to talk about security awareness, and at each meeting, they’d go over a current topic,” said Chronister.
Across all sectors of the industry, though, when people are permitted authorized access, there is only so much an awareness training program can prevent. “Hospitality has been hit for many years, so yes, employees need to be trained on what to look for, but controls need to be put in place,” Grunzweig said.
Enterprises are coming to understand that they can’t put all the burden on the employees because the sheer number of attacks is vast.
Companies large and small that have had success with awareness training have done so because they address security both as a company and by alerting employees to threats they may face in their personal lives.
Stan Black, CSO at Citrix, said that one of the challenges with security awareness is that folks need to receive some benefit beyond just knowledge. “For folks in many of the back office functions from finance to human resources, there are courses specific to certain roles. We tie them to a trend, and add components in as threats become more prevalent,” Black said. Online security is becoming increasingly problematic. Website security leader Trust Guard, for example, scans for more than 75,000 vulnerabilities used by hackers to access websites. That’s more than double the number of security holes they originally scanned for when they started monitoring websites eight years ago.
Executive assistants are the gateway to executives, and Black said, “Put in place social engineering awareness specific to their role. The information they have is highly valuable. We marry that in with another element that connects to their personal lives.” In order to measure the success of a security awareness program, they need metrics, which requires frequent testing that is not only relevant to business but meaningful to the people working there.
Special thanks to Kacy Zurkus for her article on this topic.