Every year, billions are spent globally on security awareness training. Yet close to 60% of the breaches we see are directly tied to an employee taking an insecure action that leads to the breach (i.e. clicking a link, giving out credentials, or allowing a 2FA bypass). One report said that within two years companies will be spending $10 billion (yes, with a B) per year globally on security awareness training.
I am not sure about you, but if I am spending $10 on something I want it to be effective, let alone $10 billion! This is yet another area where spending more does not mean we are seeing the results we want.
The other day I started thinking about this problem, and I came up with a short list of reasons why the security awareness training I have seen is so often ineffective, and even a waste of time and money.
- It’s just too vague
- It’s inconvenient
- It’s boring and unrealistic
Let’s go through each one together.
It’s Just Too Vague
How many of you, by a show of hands, have seen one of these phrases in your security awareness training?
- Don’t click on bad links
- Don’t interact with dangerous emails
- Don’t answer suspicious questions on the phone
- Report all suspicious activity
You get the gist. Ok, you can put your hands down, I get it, you have seen them all. Maybe some of you are even asking, “Yeah, so what?”
Tell me in one sentence: how do I tell Nancy from HR what a bad link is? How do I describe to Julio from accounting what a dangerous email looks like? How do I tell Ruth from the call center what a suspicious call sounds like? And how do I tell Ryan from the C-suite what “all suspicious activity” looks like? You can’t, and that is the problem when your training is vague. A rule nobody can apply is a rule nobody can follow, and you have no way to measure whether anyone is following it.
It’s Inconvenient
One of my star employees is in the hospital right now. It is a pretty serious matter, and she needed some urgent care. After surgery she was in recovery, and she called me to tell me this story. Her nurse came in to change an IV and take care of her. She rolled the laptop up to look at her charts and started to ask my employee how she felt, when all of a sudden her “Mandatory Security Training” came up on the screen.
WOW, are you kidding? While she was in the room caring for a patient, not during downtime or office time, her mandatory training came up. What did this nurse do? She dragged the timer to the end, clicked “next,” “next,” “next,” “submit,” and BAM! “Thank you for completing your security training.”
Not only did this hospital force training at literally the worst time on earth, but it then let the nurse bypass it without any effort. The training was not just inconvenient; it was also lazily implemented. A completion record that only proves someone clicked through to the end tells you nothing about whether they learned anything.
You might be thinking, “Well, there will never be a convenient time to roll out training!” Sure, there is never a perfect time. But should it be rolled out 30 minutes before the weekend break? During patient care? When the customer pulls up to your teller window? When a manufacturing deadline is due right before a holiday break? A little critical thinking can help alleviate this problem.
It’s Boring and Unrealistic
Ok, granted, security awareness training is not a blockbuster movie or hit TV show. And yes, you are never going to please everyone. But I have witnessed security awareness training that almost makes fun of the attacks your people are experiencing. I have seen training that uses scenarios that are not relatable to the team or the business. I have seen training so outdated that the technology in the video doesn’t even exist today. And yes, I have seen training that doesn’t even use the industry-standard terms because someone in the company doesn’t “like them.”
When my kids were young, I read a psychology book on parenting, and it made a point that has stuck with me to this day. Using funny code words with my kids for blankets, milk, food, the bathroom, etc. may seem cute when they are small. Then one day they go to school and tell the teacher, “I drank too much moomoo sitting on my beebeeba and now I have to go tinkleytink in the poopa.” Let’s bring that same lesson to our companies. Imagine that you don’t like the word “vishing,” the term the Oxford dictionary uses for phone phishing, so you decide to call it “Telephone Attacker Phishing.” Now, when your people go on the internet to look up information about it, what will they find? Not much.
Basing your training on realistic attacks and correct terminology, while also keeping it short and sweet, will produce the most effective change.
Okay, so you are reading this and saying, “Well, great, this is basically my whole setup. Now what?” Here are a few things you can do to fix the problem, or at least start heading in the right direction.
There Is Hope
You can’t just do the opposite of everything above and find success. You can’t tell Nancy, Julio or Ruth to start doing lookups and domain scans. Making it too complicated, too hardcore, or too accommodating won’t help you or your people stay secure. Think about how you can implement these ideas:
- Define what a malicious email looks like. What concrete signs, visible in the mail client, tell your people an email is “phishy” enough to report?
- What methods of verification have you given your people so they can tell whether a phone call is suspicious (for example, a known number they can call back on)?
- Have you made reporting suspicious activity easy, or is it time-consuming and arduous?
- Can you include some of the real-world phishing or vishing attacks your people are actually receiving in your training?
- Include human-to-human attacks in your training so your people learn what one feels like, but in a safe environment.
- Can you do periodic reminders throughout the year instead of one blast of training once per year?
- Mix up the delivery methods of your training: some CBT, some lunch-and-learn, some live talks, etc.
- Think of ways to reward positive actions and train away negative ones without using shame, guilt or fear as motivators.
This is not an exhaustive list, but I hope it will spark some conversation and discussion to help you improve your security awareness program.
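As an added illustration of the first bullet above (this is not code from the original post or from Social-Engineer), here is what turning “don’t click bad links” into a concrete, checkable rule can look like. The script encodes a short “report it if” checklist that a trainer could hand to Nancy or Julio in plain language, and runs it over three constructed sample messages. The organisation name, the internal domains, the sample messages and the strong/weak weighting of each sign are all assumptions for illustration; the point is that every finding is something a non-technical person can see in their mail client without doing lookups or domain scans.

```python
"""Turn "don't click bad links" into checks a person can actually apply.

Added example, not from the original post. Everything below (the org name,
the internal domains, the three sample messages, the indicator weights) is
a constructed assumption for illustration.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: your own mail domains and the name an attacker would imitate.
INTERNAL_DOMAINS = {"example.com"}
ORG_NAME = "example"

# Weak signal on its own: legitimate mail is urgent too.
URGENCY = re.compile(
    r"\b(urgent|immediately|within \d+ hours|suspended|final notice)\b", re.I
)
# Link text that itself looks like a web address, e.g. "https://hr.example.com/login".
LOOKS_LIKE_URL = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?", re.I)

# Constructed samples: what the recipient sees, already parsed into
# header values and (link text, actual href) pairs.
SAMPLE_MESSAGES = [
    {
        "name": "payroll-notice",
        "from": '"Example Payroll" <hr-payroll@example-com.support>',
        "reply_to": "",
        "subject": "URGENT: confirm your direct deposit within 24 hours",
        "links": [("https://hr.example.com/login", "https://example-com.support/x")],
    },
    {
        "name": "it-maintenance",
        "from": '"Example IT" <it@example.com>',
        "reply_to": "",
        "subject": "Monthly maintenance window schedule",
        "links": [("https://intranet.example.com/maint", "https://intranet.example.com/maint")],
    },
    {
        "name": "vendor-invoice",
        "from": '"Acme Billing" <billing@acme.example.net>',
        "reply_to": "",
        "subject": "Invoice 4471 due immediately",
        "links": [("View invoice", "https://portal.acme.example.net/inv/4471")],
    },
]


def mail_domain(header_value):
    """Domain part of an address header, lowercased ('' if none)."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def shown_host(link_text):
    """Host the link *text* claims to go to, or None if the text is just words."""
    m = LOOKS_LIKE_URL.fullmatch(link_text.strip())
    return m.group(1).lower() if m else None


def check_message(msg):
    """Return (strong, plain-language reason) findings for one message.

    Strong findings are worth reporting on their own; a weak finding only
    counts alongside something else.
    """
    findings = []
    display, _ = parseaddr(msg["from"])
    sender = mail_domain(msg["from"])

    # 1. The display name claims to be us, but the address is not ours.
    if ORG_NAME in display.lower() and sender not in INTERNAL_DOMAINS:
        findings.append((True, f'says it is from "{display}" but the address is @{sender}'))

    # 2. Replies would go somewhere other than the sender.
    reply = mail_domain(msg["reply_to"]) if msg.get("reply_to") else ""
    if reply and reply != sender:
        findings.append((True, f"replies go to @{reply}, not @{sender}"))

    # 3. The link text shows one site but the link opens another.
    for text, href in msg["links"]:
        shown = shown_host(text)
        real = (urlparse(href).hostname or "").lower()
        if shown and real and shown != real:
            findings.append((True, f"link says {shown} but opens {real}"))

    # 4. Pressure to act fast (weak on its own).
    if URGENCY.search(msg["subject"]):
        findings.append((False, "subject pressures you to act right now"))
    return findings


def should_report(msg):
    """One strong sign, or two weak ones, is enough: reporting is cheap."""
    findings = check_message(msg)
    return any(strong for strong, _ in findings) or len(findings) >= 2


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict = "REPORT" if should_report(msg) else "ok"
        print(f"{msg['name']}: {verdict}")
        for _, reason in check_message(msg):
            print(f"  - {reason}")
```

The vendor invoice is deliberately left at “ok”: urgency alone is not a reason to report, or your people will report half their legitimate mail and stop trusting the checklist. Each reason string is the sentence you would put on the one-page handout, so the training and the rule say the same thing.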
Help to Improve Your Security Awareness
Here at Social-Engineer, LLC we use only fully trained and certified humans (yep, no robo-dialers, silly templates, or canned scripts) to conduct all of our real-world training. We work with each client to ensure we are using scenarios that hit home and affect your people the right way. We ensure the messaging about reporting is clear. And most of all, we follow the motto “Leave them feeling better for having met you.” In practice that means looking for ways to reward those who take the right action and to train those who do not.
To see how this type of model works in practice, reach out and talk to us, or download one of our case studies, which outline some of the success we have had with these programs with our clients.
Till next time, stay safe.
Chris Hadnagy
Photo by Magnet.me on Unsplash