October 17, 2019
By Kris Martel, CISM, CGEIT, CRISC, CISSP, C|EH, Chief Information Security Officer at Emagine IT
Most enterprises and leaders know cybersecurity awareness training is important, but in practice it is typically treated as a check-the-box exercise for meeting compliance with regulations and mandates. That leaves a very important activity only marginally effective in its outcomes.
And let’s be honest—how truly effective is most cybersecurity awareness training? A typical requirement for annual mandatory training for everybody in the organization looks good on paper, but what is the actual effect? Does awareness improve? Does that then lead to improved cybersecurity? For example, when the Department of Defense does its annual security awareness training, most of the trainees likely have half of the answers memorized for the mandatory computer-based assessment. In fact, many people let the videos play while they do other work and then simply re-engage the training video when it is time to answer questions and advance to the next section.
So, offering training when an employee is hired, and then a refresher course once a year, is unlikely to equip that employee with the knowledge and understanding needed to avoid falling prey to cybercriminal attacks. Moreover, cybercriminals are themselves very familiar with the standard required security awareness training modules, which gives them a blueprint of which lures employees have been taught to recognize and which they have not. Since cybercriminals are always looking for new ways to infiltrate and attack organizations, enterprises should think like the enemy and build cybersecurity awareness training programs that resemble the true threat: what real cybercriminals will actually do.
Consider rebranding everything from the marketing of the cybersecurity awareness program to the training itself. Then continually update and customize the program to the target audience. Cybercriminals are always changing their attack methods, so cybersecurity awareness training needs to change and adapt just as quickly. This means ongoing training based on the latest trends and attack vectors rather than a static annual module. The key performance indicator of a successful cybersecurity awareness program is its effectiveness, meaning measurable change in behavior (for example, fewer clicks on simulated phishing and more reports of suspicious messages), not completion rates. To increase effectiveness, the training must be relevant and must hold the attention of participants.
What better way to engage your employees than to include them as part of the actual training program and its activities? Make the training interactive and personal. Show them how a hacker will attempt to steal their identity, run them through a simulated phishing campaign, and lure them with fake confidential documents delivered the way a trojan or other malicious software would deliver them. Ultimately, consumers of cybersecurity awareness training want to learn how it applies to them. They want to know how to lock down privacy on Facebook and other social media applications, how their Home Depot credit card information could be so easily obtained, or what personally identifiable information (PII) of theirs is circulating on the dark web.
A majority of trainees find hacking fascinating, and they want to learn more about it and how it could impact them. Use that curiosity as a training mechanism. Branding your cyber awareness training as a monthly opportunity to hack your coworker, and then showing participants how cybercriminals are "hacking" the user in exactly the same way, will increase awareness and strengthen cybersecurity practices. Any such exercise should run with management sign-off and agreed rules of engagement, and its results should be used to teach, not to single out or punish the people who were caught.
Editor’s Note: Kris Martel will be presenting more on hacking your coworker to improve cybersecurity awareness at the Infosecurity ISACA North America Expo and Conference, to take place 20-21 November 2019 in New York City, offering specific examples and results of the hacking your coworker training across several organizations.