Cybersecurity Awareness Training: Simple Solutions to Complex Problems
August 19, 2015
Cybersecurity is certainly topical given the number of compromises being reported in the press. As cybersecurity professionals, it can be perplexing to see organizations concentrate their investment on technology while ignoring or undervaluing the investment in their own people. Many firms offer security awareness training in the form of a quick PowerPoint presentation, followed by a confirmation to human resources that it has been viewed; the team is then considered “certified”.
It is human nature to assume that a breach will not happen to our organization. The reality seems to be that it is not a matter of if, but when an event will occur. When breaches do occur they are catastrophic events, often attributable to weak technology and organizational controls. No matter how we try to rationalize the current state of affairs in the information technology industry, one thing remains clear: people are and will continue to be the weakest link in the cybersecurity chain, for the simple reason that we are not precision programmable devices. Our reactions from one event to the next are governed by a number of factors, including our emotional and physical states. Organizations attempt to compensate for this inherent uncertainty by deploying advanced technology at the endpoint to mitigate some of the risk. That technology can only go so far: the number of scenarios an attacker can use to compromise a human being is limitless.
This article does not set out to detail the various social engineering techniques available to a malicious actor. The fact is, it is alarmingly simple, even in some security-minded organizations, to tailgate your way into an office area, find an unlocked and unattended PC, plug a device into a USB port and obtain credentials.
The key takeaway from this article is that cybersecurity awareness training for people in organizations (this includes internal employees, as well as external vendors and partners) is important and in many cases required by compliance programs. The actual training should not be developed only to satisfy a “check box” requirement. Security awareness training should be scoped and managed as a sub-program under the overall cybersecurity program. The program should utilize both static and active scenario learning, and should embrace emerging technologies & services to increase engagement, which includes the use of gamification techniques.
Standard cyber awareness training incorporates the course itself, followed by a testing phase to confirm that those who received the training understood it. It also includes a logging capability to track who has taken the course and how well they comprehended the content. On an annual basis, some programs take the stance of “rinse and repeat”, with very little change in the actual information; the test questions then become nothing more than an opportunity for the employee to fast-forward and skip to the end. From a compliance perspective, this methodology may deliver the required result of a solid checkmark in the appropriate box, however it does nothing for the security posture of the organization.
In order to increase effectiveness of cybersecurity awareness, utilizing a gamification (or a hands-on scenario based) technique, followed by a short test, helps to ensure that knowledge remains with the employee for longer than the time it took to review a PowerPoint slide. Gamification activities such as “capture the flag” can engage employees especially if recognition or awards are involved.
Other real-life scenarios that can be integrated include social engineering phone calls and tailgating exercises to gain access to office areas, followed by credential theft when an employee forgets to lock their workstation. Some social engineering scenarios could include providing employees with “bait” in the form of e-mail coupons that log the activity once an attempt to claim them is made. Another scenario is “free” rogue Wi-Fi that redirects DNS queries to certain pages and captures credentials. Exercises like these should be approved by legal and human resources before they run, and the campaign should record only that a credential was submitted rather than retain the credential itself; any real password entered during the exercise should be reset. There are many such scenarios and ideas that can be implemented to build a truly engaging security awareness campaign. In order to add value to the organization’s overall security posture, the campaign should be executed on a regular basis.
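The e-mail “bait” scenario above needs a way to tell which recipient clicked or submitted a form without ever storing what they typed. The following is an added example, not Herjavec Group code: each recipient gets a URL carrying an HMAC-derived token, and the web server’s access log is parsed to attribute clicks (GET) and submission attempts (POST) back to the recipient and their department. The landing hostname, the `/claim` path, the campaign key and the recipients and log lines are all constructed for the example; a real campaign would substitute its own.

```python
"""Per-recipient tokens for a phishing-simulation campaign, plus log attribution.

Added example (not the original article's code). Hostname, path, campaign key,
recipients and log lines are assumptions constructed for illustration.
"""
import hashlib
import hmac
import re
from collections import Counter

CAMPAIGN_KEY = b"rotate-this-per-campaign"            # assumption: kept server-side only
LANDING_HOST = "https://coupons.example-internal.test"  # assumed landing hostname

# Constructed recipient list: address -> department.
RECIPIENTS = {
    "alice@example.test": "Finance",
    "bob@example.test": "Finance",
    "carol@example.test": "Engineering",
    "dave@example.test": "Engineering",
}


def recipient_token(email: str) -> str:
    """Deterministic, unforgeable token for one recipient (truncated HMAC-SHA256).

    The URL carries the token, not the address, so a forwarded link reveals
    nothing, and nobody can fabricate a token for a colleague without the key.
    """
    digest = hmac.new(CAMPAIGN_KEY, email.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def bait_url(email: str) -> str:
    """The link placed in the 'coupon' e-mail for this recipient."""
    return f"{LANDING_HOST}/claim?t={recipient_token(email)}"


# Common/combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
TOKEN_IN_PATH = re.compile(r"/claim\?t=([0-9a-f]{16})")


def attribute_events(log_lines):
    """Map each recipient e-mail to the set of event kinds seen for them.

    GET /claim?t=... counts as "clicked"; POST counts as "submitted". The request
    body is never read or stored: the campaign only records that a submission
    happened. Lines with unknown tokens (typos, tampering) are ignored.
    """
    index = {recipient_token(e): e for e in RECIPIENTS}
    events = {}
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        t = TOKEN_IN_PATH.search(m["path"])
        if not t:
            continue
        email = index.get(t.group(1))
        if email is None:
            continue  # forged or mangled token; a real system might alert here
        kind = "submitted" if m["method"] == "POST" else "clicked"
        events.setdefault(email, set()).add(kind)
    return events


def department_report(events):
    """Per-department counts of recipients, clickers and submitters."""
    totals = Counter(RECIPIENTS.values())
    clicked = Counter(RECIPIENTS[e] for e, k in events.items() if "clicked" in k)
    submitted = Counter(RECIPIENTS[e] for e, k in events.items() if "submitted" in k)
    return {
        d: {"recipients": n, "clicked": clicked[d], "submitted": submitted[d]}
        for d, n in totals.items()
    }


# Constructed access-log sample. Tokens are derived with the same key so the
# lines match what the campaign would actually have emitted.
SAMPLE_LOG = [
    f'10.0.0.5 - - [19/Aug/2015:09:14:02 +0000] "GET /claim?t={recipient_token("alice@example.test")} HTTP/1.1" 200 512',
    f'10.0.0.5 - - [19/Aug/2015:09:14:40 +0000] "POST /claim?t={recipient_token("alice@example.test")} HTTP/1.1" 302 0',
    f'10.0.0.9 - - [19/Aug/2015:09:20:11 +0000] "GET /claim?t={recipient_token("bob@example.test")} HTTP/1.1" 200 512',
    f'10.0.1.3 - - [19/Aug/2015:10:02:55 +0000] "GET /claim?t={recipient_token("dave@example.test")} HTTP/1.1" 200 512',
    '10.0.1.7 - - [19/Aug/2015:10:05:01 +0000] "GET /claim?t=deadbeefdeadbeef HTTP/1.1" 200 512',  # forged token
    '10.0.1.7 - - [19/Aug/2015:10:05:02 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
    "not an access log line at all",
]

if __name__ == "__main__":
    for email in RECIPIENTS:
        print(email, "->", bait_url(email))
    print(department_report(attribute_events(SAMPLE_LOG)))
```

Attribution via a keyed token rather than a plain e-mail address in the URL keeps the list of who was targeted out of the bait itself, and counting a POST without reading its body is what lets the campaign report who “submitted” without the security team ever holding a colleague’s real password.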
Throughout each cybersecurity campaign, it is important that employees understand the reasons for the various activities. The campaign should serve as a reminder that every single employee is important to the organization’s security, and provide examples of how each team member can extend their security practices in their office or home environment.
Awareness training and employee engagement in cyber awareness programs are a complex topic, and must be an on-going initiative that goes beyond a compliance requirement. It is critical that appropriate resources are allocated to such initiatives.
Herjavec Group has executed and advised on security awareness training programs for organizations of all sizes and we would be pleased to partner with your organization to support your overall security program or individual security needs. Engage a security specialist today to learn more.