best practices for employee security awareness trainingBest Practices for Employee Security Awareness Training

The proven best practices for New School Security Awareness Training are designed to add a layer on top of existing firewalls. The goal is to establish an eff­ective human firewall of informed, educated and phish-savvy employees. According to Lance Spitzer, Training Director at the SANS Institute, “One of the most e­ffective ways you can minimize the phishing threat is through awareness and training. You create a network of human sensors that are more e­ffective at detecting phishing than almost any technology.”

Best Practices for Employee Security Awareness Training #1:
Comprehensive Programs Work

Most security awareness programs are superficial at best. They may include some sensible actions, but they don’t dovetail into a coordinated and comprehensive program. What is missing is an appreciation of the adversary being faced and the degree of commitment an organization has to have to stave o­ attacks. It is vital that the C-suite comes to terms with the extent of the threat and the sheer weight of resources the enemy is bringing to bear against naive employees. Only by doing so is it possible for C-level executives to comprehend the measures that must be taken to secure the enterprise and the vital necessity of erecting a human firewall of informed and ever-vigilant users. The crux of this best practice is having an awareness of the scale of the problem and the resources necessary to defend against it.

Best Practices for Employee Security Awareness Training #2:
Develop a Coordinated Campaign that Combines Training and Phishing Simulation

Training on its own, typically once a year, isn’t enough. Simulated phishing of personnel on its own doesn’t work. But together, they can be combined to greatly increase eff­ectiveness. An important best practice is to intelligently integrate these components into an overall campaign. This is best accomplished by finding a platform that integrates simulated phishing and security awareness training.

Best Practices for Employee Security Awareness Training #3:
Baseline Phishing Susceptibility

Security awareness training can be undermined due to difficulty in measuring its impact. How exactly are you supposed to prove that it obtains results? All it takes is one fresh outbreak and someone in authority can point to the event as evidence that such training dollars would be better spent elsewhere. This is where the baseline comes into play. It is vital to establish a baseline on phishing click-through rates so you know the percentage of users who open malicious emails prior to awareness training campaign commencement. This is easily accomplished. Send out a simulated phishing email to a random sample of personnel to find out the number that are tricked into opening an attachment, click on a link or enter sensitive information. This is your baseline phish-prone percentage. This metric can be later used to determine how e­ffective the campaign is. Further, it provides specific numbers that can prove useful during the purchase order approval process.

Best Practices for Employee Security Awareness Training #4:
Gain Executive and IT Buy In

To be eff­ective, top executives and IT managers must be onboard. Thus extensive briefings before and during a training program is a must. Briefings are needed in advance to accomplish finance approval, but it should never end there. Prior to beginning a phishing simulation project, communicate to executives and iron out all political or sensitivity issues in advance.

This should include HR, Legal and union representatives where applicable. Otherwise, such campaigns may be unjustly accused of targeting specific employees, undermining morale or discriminating against certain groups. Only by keeping all interested parties involved, listening to their concerns and addressing their needs can the campaign hope to succeed. In some organizations, there may be pressure to inform employees that a simulated phishing campaign is about to be launched. In those cases, where staff­ are forewarned, the e­ffectiveness of the campaign is significantly reduced.

Another aspect of this best practice is to inform executives about baseline phishing numbers so they are more aware of the extent of the problem and the uphill task facing the organization. Return to this baseline again and again as a means of monitoring results. Showcase all drops in phishing e­ffectiveness as a way to demonstrate the value of the program.

Best Practices for Employee Security Awareness Training #5:
Conduct Random-Random Phishing Attacks

Earlier, we mentioned prairie dogging where an employee notices a simulated phishing email and warns the others in the office about it. This phenomenon can even bring about an apparent drop in phishing susceptibility in tests that doesn’t translate into the real world. Employees get used to the simulated actions of the campaign, learn to watch out for them every Monday morning and thereafter continue as normal. What you end up with is a simulated phishing initiative that has little or no impact on employee gullibility.

This is particularly important when you consider the findings from a study by Proofpoint. It found that no company had a zero click rate from phishing attacks. While repeat clickers account for the majority of clicks on malicious links, 40% of clicks are typically one-o­ clickers. In other words, even the best and the brightest can be caught unawares and will click on something malicious from time to time. Prairie dogging might allow these rare but occasional phishing victims to develop complacency.

The way to guard against this is to use what are termed random-random simulated phishing attacks. This New School Security Awareness Training practice entails the selection of random groups, random schedules, and random phishing templates to gain a more accurate estimate of an organization’s likelihood to fall victim to phishing. Instead of sending out the same phishing emails every Monday morning to accounting, every Tuesday at lunch to sales and every Friday evening to manufacturing, switch the tactics and schedules around by varying the groups and schedules randomly. This eliminates prairie dogging and provides the organization with a real metric they can use to determine e­ffectiveness.

Best Practices for Employee Security Awareness Training #6:
Personalize Emails

Personalized emails are more believable. In some cases, this can be as simple as adding the employee’s first name. But in large organizations, personalization must be taken further. For example, obtain from payroll the names of the banks used by employees for direct deposit and use that bank name in a phishing campaign. Another tactic is to split phishing email into groups such as by departments, or to tie phishing emails into topical or popular events.

Best Practices for Employee Security Awareness Training #7:
Don’t Expect Miracles

The results from New School Security Awareness Training are excellent. But they fall short of the miraculous. By that, we mean phishing victimization rates generally fall from the 10-25% range to about 2%. It appears that getting below that point is extremely difficult. But continuation of the campaign can keep results at or below that level, which will have a significant impact on the organization. With malware infections caused by phishing minimized, IT finds itself able to contain remaining outbreaks more eff­ectively as there are far less of them.

Due to the dramatic drop in infections, other security measures have a greater chance of success. IT finds itself moving from constant troubleshooting mode to being able to move forward with projects that provide greater strategic value to the organization.

Best Practices for Employee Security Awareness Training #8:
Avoid Witch Hunts

A common concern about simulated phishing is that the results could be used in witch hunts. Therefore, don’t ever use results in this way or bring them up in annual reviews. It is best to keep results general and use them to correct and train the organization as a whole as opposed to singling out specific individuals.

The exception to this comes once the coordinated campaign of training and phishing simulation has brought about marked results. After a prolonged series of simulations and training steps, and once the numbers have bottomed out, companies are likely to find the same small group of repeat o­ffenders. Proofpoint noted that less than 10% of users are responsible for almost all clicks on any given wave of malicious attacks. While New School Security Awareness Training can push that number down far lower, there will remain a handful of individuals who continue to click despite being given every opportunity to reform.

By this point, they will have attended several training classes, and received a thorough education on how phishing can fool them. Yet they go on being fooled no matter what remedial steps are taken. Now is the time to involve HR to take up findings with repeat off­enders who show no improvement despite several attempts at retraining. To take any possible negative connotation away from ‘flunking’ simulated phishing tests, it sometimes works to incentivize departments to encourage their staff­ to complete training or retraining in an e­ffort to achieve a 0% click rate. Those doing so, or scoring below a particular level can be awarded with gift cards or other inducements.

Best Practices for Employee Security Awareness Training #9:
Continue to Test Employees Regularly

Even when testing confirms that phishing susceptibility has fallen to nominal levels, continue to test employees frequently to determine if anti-phishing training remains eff­ective. The bad guys are always changing the rules, adjusting their tactics and upgrading their technologies. Therefore, training reinforcement must remain a part of the organizational security arsenal in order to keep pace with constantly evolving threats.

Best Practices for Employee Security Awareness Training #10:
Provide Thorough Security Training

Old school security training favored a lecture or video approach. The problem with this type of training is that it can rapidly become outdated – the security landscape of one year ago is very diff­erent from that of today. It also focuses too much on theory and isn’t balanced by practical application. New School Security Awareness Training is interactive, balances theory and application, is continually updated, and is based upon thorough insight of how cybercriminals operate. Ideally, it will incorporate the services of an expert hacker who knows all the ways of entering an organization and all the tricks of the phishing trade. It should make sure employees understand the mechanisms of spam, phishing, spear-phishing, malware, ransomware and social engineering, and are able to apply this knowledge in their day-to-day jobs.