Monday, 23 May 2016

Top 10 Considerations for Effective Security Awareness (Part 1)

Security, The Risk of Human Error...& a Tricky Thing Called Motivation…
Top 10 Considerations for Truly Effective Security Awareness Training

Even though 52% of breaches are attributed to human error, security awareness is still quite a new thing for many companies.  Well, not that new: there are plenty of induction packs with sections on data protection responsibilities and, if you are lucky, a presentation or webinar.  However, we all know the threat environment is looming ever larger and darker and, worse still, it’s constantly changing.  So how do you keep your employees not only knowledgeable about the risks presented each day at their keyboards but also motivated enough to identify them and to take action?

The reality is that every organisation and its requirements are different.  Whilst there are key elements, such as phishing campaigns, that should be included as standard to measure security awareness and educate staff, an effective strategy needs to tick additional boxes to create a true change in security behaviour.

1 Test & Benchmark
Before you commence security awareness training, find out the truth!  I’m afraid you might be shocked; most companies are.  Phishing programmes we have delivered for clients have commonly seen click-through rates of up to 30+%.  When you consider that it can take less than 30 minutes for a threat to establish itself on your network, just one click could seriously jeopardise your security.


If the result is the kind of click-through rate a Marketing Manager would die for, you would be forgiven for thinking, ‘Well, what’s the point in testing if it’s likely that so many staff will fall for it?  I know we have a problem.’  The benefits of a phishing test are not just confined to identifying problems and benchmarking for improvement.  Using the results of an actual, live example, which the trainees received and many of them clicked on, resonates with staff far more than giving generalised real-world examples because they experienced it.  It really could happen to them.  Human behaviour is such that an individual never wants to jeopardise the tribe, nor do they want to be the fool.

2 Elements of Testing – It’s Not Just About Phishing!
There are certain key components to security awareness testing and training which should form part of a successful campaign, but it is their mode of delivery that makes the difference.  Successful campaigns will involve personalising that message to your company.  This is not about just raising click-through rates for your security company to report to you; this is exactly what the cyber criminal will do.  They know that on the other side of the computer is a person who is ultimately motivated by self-interest.  The most effective spear-phishing campaigns carefully target their prey and learn about them.  They will create fake websites and branded emails, and they will learn the name of the manager in the purchasing department to whom they want to send their malware-laden ‘invoice’.  Effective testing and training involves activating your staff’s self-interest button; coffee and gym vouchers, for example, have been popular tactics used to test employee resilience.

On a similar note, cyber criminals will exploit another human trait: trust.  Consider the wider possibilities for breach, over and above email.  Digital social engineering is an obvious culprit, but what about physical social engineering?  Security awareness comes down not only to what information is given out over the phone but also to who is allowed into the building.  How often do you check a staff badge closely, or allow someone to follow you through a secure door?

3 Timing
Consistency is the key to security awareness.  Companies undertaking security awareness training once at induction will not succeed in raising levels of awareness and staff security.  A message delivered once, and in the fog of a lot of other information, will be lost.  The biggest brands know it: they repeat their message again and again until people at first recognise their message and then respond.  Involve HR & Training and Internal Communications to enable a consistent programme of messaging and to keep the profile of security awareness high within the business.  This is particularly important where there is high staff turnover and large customer support departments.  The most effective programmes review and revisit their training on a regular basis.

4 Training Methods
We have already mentioned how ‘real world’ examples drive greater awareness and engagement by using results from phishing resilience tests.  Again, depending on the structure of the company, different methods might be more effective, or quicker, with large numbers of people.  Interactive seminars and/or computer-based training are at their best when followed up by internal marketing programmes and access to further information covering topics such as how to identify phishing, or what information not to give out over the phone. Additionally, security awareness training may need to be adjusted in line with the job role, e.g. customer services or accounts as opposed to shop floor.

5 Who Holds the Keys to the Kingdom? – Why Top-Down Training is Essential

Just who does hold the keys to your kingdom? Spear-phishing is targeted.  Board Members, Senior Managers and their PAs are just as vulnerable as the sales office, in some cases, more so.  Top-down training instils a security-orientated culture benefiting not only the business but also its customers. 

Next week: check back for Considerations 6-10!
