[BreachExchange] 10 Security Awareness Training Mistakes to Avoid

Destry Winant destry at riskbasedsecurity.com
Wed May 19 11:00:25 EDT 2021


https://www.darkreading.com/edge/theedge/10-security-awareness-training-mistakes-to-avoid/b/d-id/1340915

Done well, effective security awareness training enhances your employees'
knowledge of attack vectors and common risks they face daily, all of which
can improve your organization's overall defense posture. But awareness
training done poorly? That's another story.

While it might check the compliance box, training sessions that lack
creativity have the potential to make everyone all the more complacent.

So what exactly does poor security awareness training look like? Let this
list of 10 ways security managers can mess it up serve as your guide for
what not to do.

Don't Recycle Old Material

If you want users to be interested in what you're trying to teach them,
don't expect them to sit through the same material multiple times.

"It's actually pretty easy to identify what you shouldn't do for this
year's security awareness training: Look at last year's materials," says
Jacob Ansari, chief information security officer (CISO) of Schellman & Co.,
an independent security and privacy compliance assessor. "If you're
recycling the same slides, and the same presentation, and the same quiz,
your employees will notice and identify that no one prioritized making this
interesting."

Baan Alsinawi, president and founder of TalaTek, an integrated risk
management firm, agrees.

"It is easy to fall into the pattern of providing the same training
materials and offering employees a class once or twice a year to check the
box," he says. "Security training should be based on current information."


Don't Make It Looooooong

Most employees are expected to set time aside from daily responsibilities
to complete their awareness training, so respect their time and make it
short and interesting.

"Some trainings are too long and cause the audience to check out, while
others are simply boring and fail to pull the audience in with compelling
stories, dialogue, or gamification," says Corey Nachreiner, CTO of
WatchGuard Technologies.

Andy Ellis, operating partner with YL Ventures, suggests putting in place
ways to ensure training attendees "watch every second of video before
taking the test you've helpfully included to make sure they paid attention.
Some computer-based training apps will do this by automatically pausing the
video if the user clicks elsewhere. Your users will never just pull out
their phone and scroll through Instagram while waiting for the video to end
[again], will they?"


Don't Give Everyone the Same Training

Employees perform different tasks and face different threats. So why are
you training them all on the same types of risks?

"A common mistake is assignment of the same security awareness training to
everyone within the organization," says Adam Kohnke, an information
security manager at the Infosec Institute. "Matching training to employee
roles and motivations, while time-consuming, is one of the most important
steps in any awareness training program."

It's also crucial that advice matches reality.

"Telling a salesperson not to open emails from people they don't know is
not reasonable and undermines the program by providing irrelevant
training," says Mike Gruen, Cybrary CISO & VP of engineering. "Instead,
training should focus more on spotting suspicious situations, how to report
when something is odd, and what they should do if they think they made a
mistake."


Don't Forget to Follow Up

So what did employees think of the training? If you don't ask, you're
missing an important part of awareness.

"Not getting feedback is a big 'don't' for security awareness training,"
says Nick Santora, CEO of Curricula, a security awareness training firm.
"You need to get buy-in from your employees and feedback from them on what
they're learning and what they're missing because that will shine the light
on potential vulnerabilities leading to a breach."

You should also be regularly engaging with employees about how they feel
about reporting incidents.

"In every training, you tell users to whom they should report incidents,"
YL Ventures' Ellis says. "That part of your security team is probably the
lowest-paid part; they might respond with a form letter that includes
suggestions on being more aware. And then, of course, nothing further
happens. The user who reported it learns that a few hours after the report,
a fellow user did fall for the same social engineering attack and wonders
why they'd bothered reporting it, since apparently it didn't help."


Don't Train Only Once a Year

One annual training is probably not enough to see any real improvement in
awareness, says Sai Venkataraman, CEO of SecurityAdvisor.

"Irregular security awareness trainings offer no measurable ROI outside of
fulfilling a compliance mandate," he says. "Employees' ability to identify
and remediate cyber threats diminishes over time, so organizations who
conduct trainings only once a year will rarely see positive user behavior
changes."


Don't Shame Users Who Make Mistakes

Training should always be an experience that helps employees learn without
feeling bad. And if mistakes are made after training, use them as an
opportunity to help workers understand.

"It's human nature to make mistakes," says Tim Sadler, CEO and co-founder
of Tessian. "Don't shame employees for making and reporting mistakes.
Companies should create a security culture that encourages employees to
report their mistakes to IT. Otherwise these mistakes will continue
happening – but without visibility into how or why they're happening."

Victim-shaming is not a valid training tactic, Cybrary's Gruen adds.

"These attacks are getting more clever all the time," he says. "They change
tactics regularly. Anyone is susceptible, so blaming victims just makes
people less likely to come forward when something bad may have happened."


Don't Forget the Why

Why are we doing this training? Employees should not only understand the
attack vectors they face, but why security is so essential to a business.

"Many organizations fail to communicate clear goals and objectives," says
Kurt Risley, head of appsec education at Checkmarx. "If employees cannot
fully grasp why security is important, what appropriate security posture
looks like, and how the success of the security solution can be measured,
they are less likely to gain anything meaningful from a training program."

Adds Mary Galligan, Deloitte's US cyber crisis management leader:
"Employees need to be educated on the threats so that they understand the
threat of clicking on links, visiting websites or engaging with removable
media."

Don't Overlook End User Empowerment

End users are much more than just a security liability. Let them know how
important they are in defending the company from attacks and breaches.

"Don't view employees solely as your organization's biggest cybersecurity
risk. They can also be the best defense against some threats," says
Deloitte's Galligan. "Creating and fostering a cyber-aware organizational
culture in which everyone feels responsible for cybersecurity can really
improve cyber-risk management efforts."

Sometimes what speaks to a person about staying safe online in their
private lives translates to their work lives as well.

"Some of the most productive training I have led is around arming folks to
protect themselves and their loved ones online – then reminding them they
need to apply that at work as well," says Steve Winterfeld, advisory CISO
at Akamai.


Don't Dismiss the Value of Buy-In

Focus on getting everyone – from employees to company executives – to
believe in your efforts. If everyone isn't convinced of the importance of
awareness, few people are going to support your mission.

"Don't talk facts, figures, and numbers to your CEO or CFO; tell your
fellow execs how it would impact your organization specifically if an
incident would happen," Curricula's Santora says. "Tell them about the
investment using a story. This concept can also be utilized by infosec pros
to get buy-in from their employees."

End user buy-in is huge, he adds. "If your employees hate the training,
then they're not actually going to learn what to look for in a phishing
email," he says.


Don't Create a Culture of Apathy

Recycling old material and using a long, boring, annual training course
without proper feedback and follow-up sends one message: We are apathetic
about security in this organization.

"The path to getting your users away from apathy and toward engaged
awareness is demonstrating that you value their time," says YL Ventures'
Ellis. "Separate compliance training out into a minimalist approach, and
provide meaningful, targeted training to support teams where they need
help. Make rapid response a hallmark of reporting incidents to encourage
teams to share."