Security, The Risk of
Human Error...& a Tricky Thing Called Motivation…
Top 10 Considerations
for Truly Effective Security Awareness Training
Even though 52% of breaches are attributed to human error,
security awareness is still quite a new thing for many companies. Well, not that new, there are plenty of
induction packs with sections on data protection responsibilities and if you
are lucky, a presentation or webinar.
However, we all know the threat environment is looming ever-larger and
darker, worse still, it’s constantly changing; so how do you keep your
employees not only knowledgeable about the risks presented each day at their
keyboards but also motivated enough to identify them and to take action?
The reality is that every organisation and its requirements
are different. Whilst there are key
elements, such as phishing campaigns, that should be included as standard to measure
and educate security awareness; an effective strategy needs to tick additional
boxes to create a true change in
security behaviour.
1 Test &
Benchmark
Before you commence security awareness training; find out the truth! I’m afraid you might be shocked, most
companies are. Common click-through
rates from phishing programmes we have delivered for clients have seen
click-through-rates achieve up to 30+%.
When you consider that it can take less than 30 minutes for a threat to
establish itself on your network, just one click could seriously jeopardise
your security.
If the result is the kind of click-through-rates a Marketing
Manager would die for, you would be forgiven for thinking, ‘Well, what’s the
point in testing if it’s likely the so many staff will fall for it? I know we have a problem.’ The benefits of a phishing test are not just
confined to identifying problems and benchmarking for improvement. Utilising the results of an actual, live
example which the trainees received and many of them clicked on, resonates with
staff far more than giving generalised real world examples because they
experienced it. It really could happen
to them. Human behaviour is such that an
individual never wants to jeopardise the tribe, nor do they want to be the
fool.
2 Elements of Testing
– It’s Not Just About Phishing!
There are certain key components to security awareness
testing and training which should form part of a successful campaign but it is
their mode of delivery that makes the difference. Successful campaigns will involve
personalising that message to your company.
This is not about just raising click-through-rates for your security
company to report to you; this is exactly what the cyber criminal will do. They know, that on the other side of the
computer is a person that is ultimately motivated by self-interest. The most effective spear-phishing campaigns
carefully target their prey and learn about them. They will create fake websites and branded
emails and they will learn the name of the manager in the purchasing department
that they want to send their malware-laden ‘invoice’ to. Effective testing and training involves
activating your staff’s self-interest button; coffee and gym vouchers, for
example, have been popular tactics used to test employee resilience.
On a similar note, cyber criminals will exploit another
human trait. Trust. Consider the wider
possibilities for breach, over-and-above email.
Digital social engineering is an obvious culprit but what about physical
social engineering? Security awareness
also comes down to what information is given out over the phone but also who is
allowed into the building. How often do
you check a staff badge closely, or allow someone to follow you through a
secure door?
3 Timing
Consistency is the key to security awareness. Companies undertaking security awareness
training once at induction will not succeed in raising levels of awareness and
staff security. A message delivered once, and in the fog of a lot of other
information, will be lost. The biggest brands know it, they repeat their
message again and again until people at first recognise their message and then
respond. Involve HR & Training and
Internal Communications to enable a consistent programme of messaging and to
keep the profile of security awareness high within the business. This is particularly important where there is
high staff turnover and large customer support departments. The most effective programmes review and re-visit
their training programmes on a regular basis.
4 Training Methods
We have already mentioned how ‘real world’ examples drive
greater awareness and engagement by using results from phishing resilience tests. Again, depending on the structure of the
company, different methods might be more effective, or quicker, with large
numbers of people. Interactive seminars
and/or computer-based training are at their best when followed up by internal
marketing programmes and access to further information covering topics such as
how to identify phishing, or what information not to give out over the phone. Additionally,
security awareness training may need to be adjusted in line with the job role,
e.g. customer services or accounts as opposed to shop floor.
5 Who Holds the Keys
to the Kingdom? – Why Top-Down Training is Essential
Just who does hold the keys to your kingdom? Spear-phishing
is targeted. Board Members, Senior
Managers and their PAs are just as vulnerable as the sales office, in some
cases, more so. Top-down training
instils a security-orientated culture benefiting not only the business but also
its customers.
Next week: check back for Considerations 6-10 !
This is an informative and knowledgeable article. therefore, I would like to thank you for your effort in writing this article.
ReplyDeleteBest Digital Marketing Courses in Bangalore
I was looking for some decent stuff on the subject and have had no luck so far. You just had a new big fan! ...
ReplyDeleteData Scientist Training in Bangalore
I finally found a great article here. Quality postings are essential to get visitors to visit the website, that's what this website offers.
ReplyDeleteData Science Training in Jabalpur
360DigiTMG, the top-rated organisation among the most prestigious industries around the world, is an educational destination for those looking to pursue their dreams around the globe. The company is changing careers of many people through constant improvement, 360DigiTMG provides an outstanding learning experience and distinguishes itself from the pack. 360DigiTMG is a prominent global presence by offering world-class training. Its main office is in India and subsidiaries across Malaysia, USA, East Asia, Australia, Uk, Netherlands, and the Middle East.
ReplyDeleteHello. I found your blog using msn. This is a very well written article. I'll be sure to bookmark it and come back for more useful information. Thanks for the post. I will definitely be back.
ReplyDeleteData Science Training in Bangalore
It was really awesome and I gain more information from your post. Thank you!
ReplyDeleteVirginia Online Divorce