“To ensure Security Awareness Training really has an impact, and subsequently the effectiveness of the organization’s security, businesses need to be reinforcing the training by empowering their employees to make decisions without the baton being automatically passed onto the overwhelmed security teams,”
Lior Kohavi, Chief Strategy Officer, Cyren Tells ITDigest.
What are best practices for approaching awareness training? How frequently should an organization conduct Security Awareness Training (SAT)?
Lior Kohavi: Security Awareness Training (SAT) on the whole is a great best practice to have within all organizations and can serve to increase awareness of the threats posed to businesses through channels such as email, especially with phishing attacks remaining so prevalent. Training should be an ongoing activity, yet in reality it is conducted 2-3 times a year to meet regulatory requirements. However, this approach to SAT is not enough to make a real impact. This means that it doesn’t necessarily matter how often the training is conducted if, in reality, it isn’t working in the long term.
Typically, after conducting phishing-based SAT, for example, employees will report even more suspicious emails than before, often resulting in an increase in false-positives for the security teams to wade through. While this places an immediate pressure on the security team, over time the learnings from the training will fade from the employees minds as they focus on their core job responsibilities, which is where rogue phishing emails can then slip through the net. This is why SAT in isolation is not sufficient and it needs to be woven into the day-to-day activities of the team, without it being considered a burden.
What criteria should be used to assess security awareness? Are there any regulatory specifications for appropriate training and user awareness of security problems?
Lior Kohavi: The balance between need for training versus practicality is important to consider. SAT is largely driven by regulatory requirements, it’s an obligation and viewed as a tick box activity that will help the organization achieve the rubber stamp of approval that they require in order to say they are compliant with specific mandates. And then that is likely to be it for the next 12 months until it is audit time again. This approach is not driving a practical attitude to security, which is often why businesses can still fall foul of security threats even when they have met all of the certifications.
Security is so much more than just having a certain suite of products on a checklist provided by a regulatory body. It is about utilizing those resources effectively and engaging every employee within the business to build up those defenses from the inside. There needs to be a change in mindset so that security is not seen as a tick box activity but is given the strategic focus that is truly required to make a business secure.
Can organizations get employees to engage more by utilizing a crowd sourced approach to SAT? Is it a more effective than the typical artificial phishing emails that employees are exposed to during SAT sessions?
Lior Kohavi: Unfortunately Security Awareness Training has a reputation for being one of those terms that makes all employees groan out loud as it usually means the ominous prospect of another long training session where they’ll be dictated to as to what good and bad security looks like. This is neither engaging or inspiring and places all of the onus on the employees.
To ensure SAT really has an impact, and subsequently the effectiveness of the organization’s security, businesses need to be reinforcing the training by empowering their employees to make decisions without the baton being automatically passed onto the overwhelmed security teams. This is why the crowd-sourced user detection approach is the way forward as it makes the employees part of the solution.
For example, it is now possible to give the employees themselves the tools to get visibility to phishing indicators, within the email payload, that will encourage them to scan any suspicious emails they see at the push of a button via an email extension. They will then clearly see within seconds if the email is a threat or not and, if so, this intelligence can then be pushed through to the rest of the network to improve the business’ overall threat detection capabilities.
Unlike being trained on artificial phishing emails, this approach will help train them on a continuous basis to identify potential risky emails, increase productivity and reduces the risk of them seeing reporting an email to the security team as a burden and skipping the step all together, which could result in a potentially devastating incident.
Many information security leaders have trouble getting buy-in for security awareness programs. What advice would you give to someone trying to conquer this obstacle?
Lior Kohavi: It is important that the business leads, and trains, by example. While the board or C-Suite may sign-off on SAT for the regulatory benefits, it is important to get across the further reaching positive effects Security Awareness Training can have on the business. This includes increasing overall employee productivity, reducing the number of false alerts that the security team have to manage, which means their time gets freed up to focus on more strategic activities instead of being weighed down by low-level tasks, and not to mention reducing the risk of a security breach from occurring to start with.
How can organizations engage executive teams in security awareness training program development, and also encourage their participation in the training?
Lior Kohavi: Again, this will come down to leading by example and, crucially, positioning SAT not as a burden that is being enforced upon them but as something that they are actively contributing too. Security is not within everyone’s job description, and therefore many won’t see it as being their responsibility. After all, isn’t that why the executive team look to hire expert security teams and buy all the latest products on the market? So, they don’t have to deal with it. Combine this with the fact that historically SAT has always positioned employees as being the problem, which led to organizations inadvertently creating a level of fear in employees, resulting in either a lack of engagement or leading the employees reporting every email that they receive as being a threat, and it is no surprise that SAT hasn’t always resonated.
Instead, there needs to be a culture of collaboration, communication and support fostered within the organization. It is up to the business leaders to provide employees with help when they need it and to be seen to be driving a proactive approach to mitigating the risks posed by phishing emails.
Ultimately, you cannot force anyone to engage in Security Awareness Training, instead it is about changing the mindset within the organization and across all job roles and departments so that all employees see themselves as playing an important role in the process and keeping the business secure.
How targeted should training be (in terms of employee level, position, and so on)? Can targeting training improve effectiveness?
Lior Kohavi: The hackers may be increasing their skill levels in producing highly targeted phishing and Business Email Compromise (BEC) emails, but so too are organizations in combatting these threats. By adopting the crowd-sourced approach to SAT, where the employee at any level can quickly at the press of a button establish whether an email is legitimate or not, it means that different types of SAT programs don’t need to be developed depending on the job role.
It also benefits the business by ensuring that if a phishing email is correctly identified, this information is then shared across the business and the appropriate remediation measures automatically implemented, relieving the pressure on the security team. This ongoing approach to security training is proven to have greater success and is a more proactive and practical approach to keeping organizations secure from the threats posed from malicious emails.