How would you approach improving the security education training and awareness in an organization you know well (e.g. Temple as a student) but you will not name in your answer post and comments?
Andrew Nguyen says
To improve the security education training and awareness in an organization that I know well, I would do the following:
• Consistent schedule of security education training and awareness
• Variety of formats (role-playing / simulation exercises, webinars, classroom format teachings, readings, etc.)
• Relatively shorter meeting times (employees tend to pay less attention during longer trainings/meetings)
• Phishing email exercises sent to employees
• Positive reinforcement
• Specific definitions for the terms used in the security education training (definitions for virus, malware, phishing, etc.)
• Letting employees know that it is okay if accidents happen (accidentally opening phishing email or installing malware), and giving them the steps that they can take if they occur.
Dhaval Patel says
Hi Andrew,
I like the idea of using different formats, most corporate trainings are stale recorded PowerPoint presentations which are not entirely effective in keeping the audience engaged and knowledgeable of the security practices.
Alexander William Knoll says
Hey Andrew,
I can’t stress the importance of your last point enough. If an organization scolds an employee for accidentally opening up some scam mail, it would lead to more harm than good. Instead of participating in an organization’s attempts at awareness, it may instead just cause them to develop resentment.
Victoria Zak says
Andrew,
A consistent schedule of security training and awareness is a great idea. This helps management provide a transparent way of knowing when and on what day to complete the training.
Dan Xu says
Hi Andrew,
I agree with what you said. Regarding training time, relatively short sessions can be more productive compared to long, boring training. And specific definitions of the terms used in safety education training are important, which shows the need to spread the basics of safety education training and awareness.
Kelly Sharadin says
The best approach to improving security education training and awareness is to incentivize these initiatives across the organization. Employees need to feel a sense of shared responsibility concerning security. Creating programs designed to reward reporting of suspicious emails, phone calls, or learning new security skills aside from just mandating quarterly training videos can result in behavioral changes toward a security-first mindset. These incentives can manifest as stipends for users who become security point-of-contacts for their department by helping others update software or report security incidents.
Quarterly meet and greets with the security team are great ways to build a cross-functional relationship between security and other business functions. By allocating face-time between the security and business operation teams, each has an opportunity to learn each other’s role and how to effectively integrate security. Employees may be more inclined to reach out to the security team if they have established a relationship. Too often, security is isolated from the organization, which can lead to an out-of-sight, out-of-mind mentality for security. In sum, to enhance security awareness, it is best to take a ‘people’ first approach and focus on fostering strong relationships between the business and security teams.
Bryan Garrahan says
Thanks for sharing, Kelly. I too suggested that incentivizing employees is the most productive way to achieve greater security awareness. I’ve seen organizations that treat security awareness as a test where if you don’t pass you are reprimanded. I think organizations are shifting away from this approach as they adopt and/or evolve their SETA programs because it can really be an employee morale killer. In most cases, organizations found that if employees feel they would be reprimanded for falling for simulated security exercises this actually has the opposite effect, which makes users less likely to participate in strengthening organizational security and report potential threats.
Wilmer Monsalve says
Security training improvements that can be made to the establishment I know well include:
– Phishing email tests (the company sends a phishing email to a handful of employees; if they click on the link they fail, but if they don’t they pass)
– Social engineering avoidance tactics (clean desk, don’t open doors for anyone you don’t know)
– Understanding of cybersecurity policies
– Weekly cybersecurity advice emails
– Courses and modules for cybersecurity
– A 1-2 week training course on cybersecurity
Kelly Sharadin says
Hi Wilmer,
I also agree that a weekly or bi-weekly cybersecurity advice/current events newsletter can significantly enhance security awareness across an organization. For my in the news article, I shared that many Americans are still unaware of the frequency and magnitude in which cyber attacks occur. A simple paragraph sent out to employees to remind them is a low-cost initiative to keep security top of mind. The question I still have is who would own the newsletter. Would this be the responsibility of the communications team, CTI, or general security to create and disseminate? That exercise alone could help bridge the gap of security awareness between different departments.
Kelly
Wilmer Monsalve says
Hi Kelly, I guess it could be sent out by whoever is constantly updating the home page of the company’s intranet. Usually IS would be updating the webpage in my company, so I guess it would be a mass email to all employees from IS on key reminders for the weekly tip of the day.
Victoria Zak says
Wilmer,
Phishing email tests are the key. If an employee reports it, this will report back to IT, which can see how many employees reported the “malicious” email. From the reports, this can give management an idea of how many employees are reporting the emails, in order to decide whether to provide more training or not.
Ornella Rhyne says
I would improve the security training by sending out a phishing email purposely every quarter to see if employees catch the phishing email. With this strategy, the company will know who failed and who was successful in deleting the test email. Whoever fails the test must retake the course within the next month.
I would also come up with courses or trainings that are interactive for employees. In other words, courses that talk about real life situations. There could also be innovative games that are easy, understandable, and entertaining so that employees can implement these into their behavior and are more aware of possible security threats.
Another way I would improve security awareness is to also send out monthly emails to all employees that would share new security threats to be aware of and to also remind employees of best practices when it comes to security.
Matthew Bryan says
Great point on interactive games. Including different modalities that are active and passive helps to reach people with different learning styles. Keeping it fun is crucial, as trainings can be dry and people can quickly lose interest.
Antonio Cozza says
Hi Ornella,
That is a great point you make about making interactive training. It will more than likely address the pitfalls that deter most people from caring or paying attention during these types of trainings; they are relatively boring and painful to listen to and ultimately just feel like a waste of time because the target audience is not really engaged. Making it more engaging would definitely make the material more easily relatable and memorable, which people would probably put into practice.
Miray Bolukbasi says
Hi Ornella,
It’s a really good recommendation you made here. I feel like some organizations really take care of the training and education a lot but never test their employees afterwards with real examples. To make sure trainings are designed and implemented well, it is really important to see if employees are ready for the tricky games hackers could create.
Alexander William Knoll says
Ornella,
I love the idea of innovative games, and wish it’s something more organizations would implement. Sometimes it’s nice to just have a break from work, and something simple and fun can often be an awesome way to make people care and improve their awareness.
Matthew Bryan says
For my organization, I would recommend investing in defining company policy and clarifying roles so that training efforts can be more effective. Current training efforts are not as effective as they could be since the policies are ambiguous and roles have not been updated to match company growth. This means that some training modules are only partially relevant and employees are unsure how they fit into the content that’s being presented.
To help with this, a full assessment of the company’s policies, organizational structure, business processes, and IT governance should be completed so that security awareness training can be revised and realigned to them. This will help the company to shift from reactive training practices, e.g. someone is phished and now everyone must watch a video, to a more proactive and aware user base that understands their part in securing company assets.
Michael Galdo says
Hi Matthew,
I believe it is important that company policies and regulations are set in stone before moving forward with training efforts. Doing this will allow the company to have a better idea of what concepts and points that the training should focus on, and what knowledge is the priority for all employees to know.
Corey Arana says
I would approach training and awareness in a few ways. I would create a security test to see which employees are in need of more training. Enhance security training programs and courses. Create a better learning environment for employees. I would have the CEO and other top management of the company send out weekly emails regarding security. I would also have top management lead classes to show the real importance of security.
Ornella Rhyne says
Corey,
I like your point about sending out weekly emails to employees. We always need that reminder when it comes to security awareness. We may be the most knowledgeable person about information security systems, but we sometimes click on phishing emails inadvertently, so having people in charge of reminding other people is very important. Don’t you think all employees within the company need a security test? I know you mentioned “creating a security test to see which employees are in need of more training,” but I feel like everybody will need that test with no exceptions. Threats are everywhere, so everybody needs to be aware of them before it gets worse. Don’t you think so?
Corey Arana says
Hi Ornella,
I agree, having everyone take a security test should be mandatory. Everyone is responsible for the security of the company and it would benefit everyone. Threats are everywhere and sometimes we need the reminder to be safe. Weekly security emails would help keep a company safe. Do you have any other ideas for a company that would keep them safe with security?
Olayinka Lucas says
Hello Corey, your approach is excellent, but if I may add: as much as employee involvement is the necessary path to program improvement, I believe owner buy-in is the essential factor for enforcement. My opinion is premised on the fact that, regardless of how perfect a training environment or program is, employees will only participate if they identify the benefit or the consequences of non-participation. This is why we have organizational policies on awareness and training, and even CPE requirements for training attended, to mandate compliance and implementation.
Michael Galdo says
In order to improve the security education training and awareness in the program I know well, I would start by sending out a survey to employees in order to gather data on how much knowledge and awareness of IT regulations and standards the organization has. I would create a training program based off of this information and make it mandatory for all current employees and new hires. This training will consist of concept videos as well as in-office workshops. I would also have emails sent out consistently relaying security news and breakthroughs in security protection. Reminders can also be sent out warning people of password changes and phishing emails.
Vraj Patel says
Hello Michael,
That’s a great idea to send out a survey. It would give management an idea of how well the end users would do if there were a security incident. Another thing that I would consider is that not everyone might take a survey, so I would recommend having a quiz at the end of the training to ensure that they were actually focusing while taking the training.
Ryan Trapp says
I think the best way to improve the security education training would be by increasing the frequency in which the training sessions occur. In my experience, the organizations I have personally dealt with have their cyber security trainings in an annual or bi-annual fashion. The trainings need to be more interactive and frequent for it to really engage with everyone. For example, instead of having an hour training session in which someone presents the information, you could implement a shorter training session that is more interactive through games and quizzes for small prizes.
I also would ensure that employees would be met with positive reinforcement for reporting cyber events, rather than “punishing” those individuals with additional training. For example, if someone falls for a phishing email and enters in their credentials on a fake site but realizes it afterwards, they should not be made to feel like they are foolish for doing so. This person will already be embarrassed and if the culture is created in a way where people are punished with more trainings by coming forward it will cause less people to come forward when these events occur. Making sure all employees understand they are part of the security team and helping them learn and grow in an engaging way is crucial for the success of security awareness at a company.
Christopher Clayton says
Emphasize to staff how important cybersecurity is to the success of the business and remind them of best security practices; have security education training material readily available for staff (i.e. study guide, cheat sheet); establish security baselines and awareness by reviewing security policies and procedures on a regular basis; include testing (planned and unplanned) in awareness training after each lesson to determine which workers need extra training.
Ornella Rhyne says
Hi Christopher,
I like your point about giving them a test after each training lesson. We all know that sometimes trainings are boring and could be a waste of time. Having a test will be very helpful to know who actually paid attention and who did not. That way if you have more people that did not pay attention to the trainings very well, you can come up with other strategies to make it more interactive.
Mohammed Syed says
To improve the approach of the security education training and awareness program, I will go with a few different approaches which are very effective with a regular SETA program, such as:
Most successful cyber security attacks are due to human mistakes; human behavior is one of the vulnerable factors in most attacks. When attackers fail to breach the security of the network, they go for an insider attack, whose success rate is very high and which is critical to detect. To protect the organization from insider attacks we can focus on employees’ behavioral change. It is one of the most dangerous threats for the organization because, faced with an insider attack, all security software and hardware devices are a failure. Also check the social networking behavior of disgruntled employees, which is a vulnerability for the organization.
Always give priority to continuity and training regularity as per schedule, and improve the importance of the security training education and awareness program for each and every employee, because due to one mistake the whole company’s security can be breached.
Schedule fake phishing and social engineering attack scenarios to check employee behavior and for skill testing purposes. It gives an exact idea of what the organization’s employees do in a real situation when it happens to them. How they react or respond is very important to know the behavior and skill of employees, which is most important in deciding what will change in the design of the security education training and awareness program. As per the overall report, we can finalize the next appropriate approach for the SETA program.
We need to try to improve employee attitude toward the security policy, and also make sure that SETA covers everything relevant to the organization’s work; this is important for the effective completion of the SETA program.
Andrew Nguyen says
Hi Mohammed,
I like how you included a few things in your post, specifically that continuity is important for an effective SETA program. For example, consistently scheduling fake phishing emails for all employees is a great way to ‘keep them on their toes’ and makes sure that employees are aware of their actions!
Phishing emails are also a great way to measure metrics; over time, a company can see the percentage of employees that fall for the fake phishing email attempts, and this can help guide them in making potential changes to their SETA program in the future.
Thanks for sharing your thoughts!
Best,
Andrew
Michael Duffy says
An organization right now that I know:
Currently they do well with annual trainings and requirements – but these are not engaging nor emphasized by upper-management at all. Before focusing in on awareness and training I would want to centralize an easy-to-read resource that is written for the general end-user, similar to a website or wiki that is easy to locate as a resource if the user is unsure of procedures such as identifying phishing emails, sharing company computers, etc.
After centralizing a resource I would like to promote events and knowledge shares on a semi-annual basis to try and capture/engage personnel to become more involved with cybersecurity. I would also like to implement weekly in-the-news articles centered around real-life examples of common malpractice that leads to exfiltration/data breaches. Essentially, I want to capture the attention of the end-user and show them not only how it’s intriguing that this does occur, but why and how it has also occurred at other organizations similar to their own.
I would also work with management to be more actively engaged in highlighting responsibilities and focusing on individuals that have displayed negligence in cybersecurity awareness. Management has a very important role to ensure that employees are not only following policy and guidance from the organization, but keeping their subordinates motivated and actively engaged with their responsibilities.
Alexander William Knoll says
Hey Michael,
You make a ton of good points. I can’t stress enough the importance of upper-management being involved. I also knew an organization that would do annual trainings and things like that, but it was pretty much the bare minimum. Because of this, they eventually had a small breach because employees were constantly falling for phishing emails. If the people at the top don’t care enough to spread awareness on the matter, how can you expect anyone else in the organization to?
Michael Jordan says
To improve the security education training and awareness in this one organization that I know well, I would start at the very top, by educating the owner of possible implications and severity if any of the CIA trio was compromised. For example, relaying to the owner that large monetary or reputational loss could come should an IS breach occur, and how it could happen to his/her organization in specific due to the industry they are in and technology they use.
I would then recommend (after this individual is educated themselves) that the owner educate their employees, reinforce the severity of the topic of IS, and consistently test their employees knowledge and dedication to IS by sending fake phishing emails and social engineering exercises. I also would recommend sending out weekly or monthly IS newsletters that include recent cases of breaches in the news, the repercussions, and methods of prevention.
In general, I think that IS education and importance flows best through an organization when it starts from the top, clear policy is in place, and the importance and severity of a potential breach is reiterated through real-life cases and recent news.
Ryan Trapp says
Hi Michael,
I like how you mentioned that you would start with the top of the organization when it comes to educating on cyber security. The security posture of a company is really something that comes from the top so it is important to have those stakeholders fully invested. If the top of the organization is relaxed on security or does not feel that it is important then that will surely trickle down throughout the company. Also having them understand the importance of IT security will ensure you will continue to have the resources you need moving forward to help maintain and improve the security at the company.
Olayinka Lucas says
Hello Michael.
Well said, the management or owner buy-in and approval should always be the first approach. Management should then create policies and procedures to articulate the importance of the program but not to train the employees as stated in your write-up. The trickle-down implementation methodology only relies on management for program support before delegation and not the active implementation of the program.
Olayinka Lucas says
A recent assessment of the Awareness training capability of the organization I currently work for revealed the underlisted strategy to improving the company’s security awareness and training program:
1. Management Visibility – Encourage management visibility awareness and ensure continuous management buy-in and support for program improvement
2. Prioritize high-risk groups – Ensure the administration of an adequate roles- and tools-based training approach to teams that address the organization’s mission-critical goals and objectives
3. Leverage storytelling – Use scenarios and real-life occurrences as a means of benchmarking the current state with the target state of the training and awareness program
4. Prepare employees for a data breach – In-house simulations of breaches, attacks, or even tabletop testing to create near-to real-life situations.
5. Identify security awareness champions – Delegate and create roles and responsibilities which would serve as awareness and training champions within the organization.
6. Involvement of suppliers, vendors, and 3rd party training experts external to the organization
7. Periodic assessment of the ongoing training and awareness program to ensure it meets the current threat landscape applicable to the mission-critical activities of the organization.
Michael Jordan says
Olayinka,
I think you made more than one good point in your post. To start, management visibility is key, because employees are much more prone to take things seriously if they know upper management does too and is looking for it in their workers. I also like how you mentioned storytelling, because there are so many real-life stories of IS breaches and ransomware attacks in the news that deal devastating blows to companies that could be told in intriguing ways to even non-tech employees. This also highlights the potential ramifications of a breach, and might get questions flowing in employees about ways to prevent breaches and response methods. All the other points you made are important too, but these two stuck out to me the most when I was reading.
-Mike
Antonio Cozza says
To improve security education training and awareness in the organization in question, I would start similarly with how I answered the first discussion question – make sure that all end users are aware of security concerns regarding their day to day operations, and that each individual’s actions affect the totality of the cybersecurity state of the organization. After that, I would take a simple topic each week regarding information security topics and common errors that are made in many organizations and contribute to problems over time. Examples of weekly topics could be tailgating, phishing, MFA, policies that everyone signed and most did not read, etc. The company has had high success with internal phishing emails sent to employees and the vast majority do not respond, but I would not slow down with sending them as it is still a major problem in the security threat-scape today across the globe. I would also add another visual method of receiving information regarding security, as there is already hands-on and audible learning in place; perhaps a brief pamphlet that follows up with more information from the other trainings that relates to some sort of current event in that topic if possible, as it is easier to understand in a context different than just something people had to attend or read as part of company policy. This method could be more appealing and receptive, making it remembered more effectively as well.
Olayinka Lucas says
Hello Antonio,
I believe that the question to ask here would be, How would you make sure that all end users are aware of security concerns regarding their day-to-day operations and that each individual’s actions affect the totality of the cybersecurity state of the organization? The answer is that management or owner buy-in should be the foremost approach while adopting a bottom-down approach. To improve whatever is on the ground or create it from scratch, it is essential that all the stakeholders, whether employee or employer, must be onboard. Regardless, the program only succeeds if management support is in.
Joshua Moses says
I would approach improving the security education training and awareness in an organization by helping the end users quickly apply what they have recently learned. Timing and precision of training is very important. The aim is to trigger a behavior change in the end users. Ideally the delivered information should be actionable in the immediate context of the training. For example, if some users are susceptible to falling victim to a phishing attack, targeted training on phishing attacks should follow after a reckless click or breach of sensitive information; such as a password.
Ornella Rhyne says
Hi Joshua,
I like your example on phishing attack training. We sometimes click on emails inadvertently so having a great training maybe each 3 months will be very helpful. Do you have any other ideas on improving a security training awareness?
Madalyn Stiverson says
I would recommend making the trainings more engaging. It is very easy to either test-out or skip through all the training content. I find that when trainings are in video form, I remember the trainings much better.
In addition to that, I feel the training frequency is low. I have not seen a phishing email simulation test for over a year. Phishing is one of the most common ways hackers gain access to networks, so it is important employees are well versed in how to identify and respond to phishing emails. Especially as those phishing emails become more sophisticated! The other day, I received a phishing email that was targeted at cybersecurity professionals. The InfoSec team confirmed it was malicious.
The company needs to develop additional ways to keep cybersecurity at the forefront of employees’ minds. Pre-covid, when we were in the office, there were posters hung up, which is one form of awareness that is lacking now that employees are no longer traveling to the office (or going to the office on an extremely limited basis). This could come from hiring vendors to do live trainings or enlisting your own infosec people to do in-house trainings and meetings.
Richard Hertz says
I like your recognition of the issue that keeping this current and in the forefront of people’s minds is critical. My company used to have posters and visuals to help people realize the importance of cyber security and the move to remote work took away that mode of signalling. We have also struggled to adequately maintain awareness of cyber issues beyond the scheduled trainings!
Joshua Moses says
Madalyn, your post is utterly and completely true. I can recall doing trainings that were extremely easy to skip through, and after the fact, there were a few questions which were common sense. The passing score was 80%, and I got 100% without thoroughly going through the material. However, I have also seen the contrary with other onboarding training. I think you’re correct in saying a video format would pretty much force someone to be more engaged.
Also, I agree with your point, and I think it is imperative for employees to be able to recognize phishing emails. Moreover, due to covid there’s also a need to figure out other innovative ways to bring IT security to the forefront now that visual aids in the office are of no use to the end user working from home.
kofi bonsu says
Security is not just a technical headache in any organization. It’s also a people problem that could impact negatively the effective and efficient running of an organization. Hence, keeping the people side of the security equation in a robust manner undoubtedly demands that all people in the organization have an awareness and education of security understanding. This is why security awareness programs are so important in the organization I am working for currently. The goal of a security awareness program, as someone may have guessed, is to increase organizational understanding and practical implementation of security best practices. A program like this should be applicable to all manners of employees, including all hires, new and old, across every department, and it should be reinforced on a regular basis within my organization to keep people abreast of current trends in security implications. A security awareness program is a way to ensure that everyone within the organization has an appropriate level of know-how about security along with an appropriate sense of responsibility. The way we see it, the first line of defense in any security posture is your controls: how you enforce security best practices and prevent successful compromise. The second line of defense is detection: how you catch attacks or attempted breaches, or how you know whether your controls are working. The third line of defense is the employees: how aware they are of security education and awareness through the numerous trainings across the various departments, and what they are doing to avoid being a weak link. A good security awareness program should protect your third line of defense by educating them about the first and second lines and giving them the tools they need to do the right thing day in and day out.
Security awareness programs are important because they reinforce that security is the responsibility of everyone in the company (not just the security team). Below, I explain how to set up a training and education program and how to maintain it within my organization. A security awareness program should have some major elements.
In the first place, security awareness and training should play a pivotal role within the organization’s IT conversation at all times. This means senior management must regularly communicate to all employees that security is essential to running the business. This can take the form of company-wide emails, presentations, brown-bag lunches, or some combination of the above. The key is to make sure that communication is clear, regular, relevant, and interactive (read: not boring).
Furthermore, there should be a series of checklists that the organization can use to make sure that security awareness practices are being actively spread throughout the organization in a systematic manner. This will help the company stay organized when it comes to developing, delivering, and maintaining a security awareness program. This checklist could include:
What to do when a new hire starts (and when an employee leaves)
When and how often to remind employees of security protocols
What to do when an incident takes place
How to communicate with customers or partners in the event of a breach
Miray Bolukbasi says
As I mentioned in an earlier comment on one of my classmates' posts, I feel like we often see a lack of testing and control for the training and education. Employees, especially C-level executives, might not want to be examined on something they learned later in their career, but it's important to determine whether employees clearly understand the recommendations and rules they have to apply to secure the business assets. I think examples of suspicious emails, such as phishing and other scams with attached files, should be sent out to the employees to see the level of awareness they have prior to and after the training. That way, once real incidents occur, the IT staff would not be surprised by the number of breaches and incidents that happen.
Improving the education and training does not necessarily mean changing its content, but rather how often you offer the training to the users. As human error creates the most risk for the enterprise, you need to regularly remind your employees of the procedures and precautions they are responsible for.
Vraj Patel says
For the organization that I know, I would improve the security education by providing the training more often than once every year. This way the end users would be aware of the security practices within the organization. I would also recommend that they add more content to the training, such as the different types of attacks that the end users could be a victim of, like vishing or other types of attacks. I would also recommend that they review their security policies at least once a year and keep them updated.
Jason Burwell says
Hi Vraj,
Updating the security policies is a great point and often overlooked. The policies need to keep up with whatever threats may be coming out, and by consistently updating the policies the organization gives itself a better chance of being secure.
Dhaval Patel says
For the organization I know well I would conduct the following to improve the security education training and awareness:
– Make the policies more public within the organization
– Require training quizzes quarterly
– Send out emails or post any policy changes on the company intranet
– Conduct phishing tests organization-wide and social engineering tests for the sales teams and those that are customer-facing.
– Redesign training material to make it more interactive
Lauren Deinhardt says
Hi Dhaval. Great points! Another point to consider is implementing a behavioral management tool, or any similar type of innovative tool, to provide another layer of insight when orchestrating a SETA program. Great job!
Lauren Deinhardt says
One organization I know well that could use enhancements in its cybersecurity training will be further referred to as "the institution". In the past, the institution has fallen victim to a publicized ransomware attack, as well as innumerable phishing schemes. The institution is a school, and did not have any sort of student-based annual security awareness training. Using guidelines from John R. Vacca's Computer and Information Security Handbook, 3rd Edition, I would implement a security awareness program using an annual web-based interactive games/quizzes training session (not more than 30 minutes long to keep students engaged), putting up InfoSec posters on campus, and sending monthly security trend/best practices email tips for students to review. In addition, administrators, staff, and school stakeholders would also receive their own form of security awareness training, targeted at their roles and responsibilities. There should also be an annual security event, mandatory for all students/stakeholders to attend, specifically targeting phishing (since this is a vulnerability observed in prior incidents). The institution's InfoSec team would also be trained in preventing unauthorized emails from entering the institution's private server, and should implement a behavioral management tool to assess the institution's likelihood of falling victim to phishing attacks and learn how to further prevent this issue.
Bryan Garrahan says
A company I used to work for actually uses a tool within Microsoft Outlook to send simulated phishing emails to employees to try to trick them into clicking on a suspicious link. The link isn't malicious; however, when clicked, a pop-up appears and the user is informed that it was a fake phishing email and that similar links should not be clicked. They started using the tool around 3 years ago and it amazed me how sophisticated our Security team became with the tool. The initial fake phishing emails were somewhat laughable at first (at least to me), but I must say it became increasingly more difficult over time to determine if an email I received came from the tool or from an actual threat actor. There's a "report email" button within Outlook which, when clicked, will inform you if the email came from the phishing simulation tool. While I think the tool itself is a very good security practice to raise security awareness for users, I think it could be enhanced by providing incentives, such as gift cards, to users who report these suspicious emails. I think it would be cool to make it a competition amongst employees within the organization by sending periodic fake phishing emails; from there you can determine which users reported the most fake phishing emails and reward them.
Miray Bolukbasi says
Hi Bryan,
I agree that phishing simulation tools should be in place for daily operations, and emails sent to test employees are a great way to start. The gift card recommendation also sounds like it would definitely increase the competitiveness between employees and make the tool even more beneficial. The only thing I would add to this is a follow-up with the employees who failed the phishing email. Offering rewards to successful employees is cool, but employees who failed should also be trained to eliminate the risk as much as possible. There should be a failure threshold so you can decide which employees require additional training, in addition to notifying them.
Michael Duffy says
Hi Bryan,
That is actually hilarious and also an awesome way to not only prevent phishing attacks by honing the organization's end-users, but also a great way to identify individuals within the organization who may be struggling to identify fake emails. I wonder if they could also do the same thing with the IT team to see who can make the best "fake" email as well. You're basically doing red team but with… phishing emails. Fun.
Joshua Moses says
Hello Bryan, I have actually experienced these fake phishing emails before myself, and indeed it did make me chuckle. lol
However, I was also a little disappointed in myself. I passed the Security+ certification way back in 2013, so an aspiring Information Security engineer like myself should not be clicking on phishing emails aimlessly, if ever! I like the fact that you brought some insight into the security features within Microsoft Outlook. I never noticed the report email feature, but for some reason it also seems like a vague memory (I may have it stored in my subconscious). I'll be sure to remember and look out for it the next time I see something asking for sensitive information, such as my username or password, or even a request for me to change my password, and of course a suspicious link.
Jason Burwell says
How would you approach improving the security education training and awareness in an organization you know well (e.g. Temple as a student) but you will not name in your answer post and comments?
I would improve the SETA in an organization I know well by going beyond virtual training. By that I mean I would make sure some of the training is in person. There would be a date decided for each department in the organization, one that makes sense for them and would not affect daily operations, where that particular department could meet in person with the speaker/trainer for an hour or two. This could be every 6 months to a year. There would be a presentation and plenty of time for questions and answers, allowing users to further understand the importance of cyber security within the organization. I would recommend a weekly email for all users with a cyber security "tip of the week" that could prove useful in providing users with small but important tips on how to be more secure in their everyday work habits. Every 6 months there would be an online training that needs to be completed, with a few questions at the end; users would need a 100% correct answer score to complete the training.
Richard Hertz says
I would take a multi-faceted approach to this problem. I would start with a presentation to all employees highlighting the challenges that cyber security and cyber ‘hygiene’ pose to the organization (30 min). People should understand why the issue is important. I would follow with a short self-assessment of the current state and an articulation of desired or required level of cyber knowledge across the organization (15 min).
Lastly, I would move to weekly short bursts of updates (5-7 minutes max) that highlight a specific topic or issue so people are constantly exposed to the need and to how to improve their knowledge.
Most of the people in this organization do not have the attention span nor the desire to learn more about this topic. They will verbally acknowledge the importance but not really dig deep and change behaviors. As a result I think that consistent pressure to make small changes and increase awareness are the best vehicles to introduce a higher level of cyber security practices in the organization.
Alexander William Knoll says
In order to improve security education training and awareness in an organization, I decided to look at my previous job, of course without naming it. This organization is fairly large and, due to the industry it is in, is very prone to cyber threats. A lot of these issues are human error, so despite having a highly trained and educated IT staff, there are still a ton of issues. This organization needs a complete change of culture, because it does not matter what controls it has when employees are constantly susceptible to phishing attacks. Because of that, I would start by focusing on creating an understanding of the IT foundation. This would need to start at the top. The organization seems to be one that is stuck doing things the old way, and because of that the people at the top do not care about cybersecurity as they should, and that reflects poorly on the whole organization. They are the ones who need to be educated first, and they in turn can properly support the organization. If I were able to get them on board, the next step would be to spread awareness throughout the organization. As I mentioned, the IT department is highly skilled, but they do not have the resources. If provided with the resources, I am confident they would be able to take the appropriate measures to improve the organization's security environment.
Victoria Zak says
How would you approach improving the security education training and awareness in an organization you know well?
The best approach to improving security education training and awareness is to connect and engage with the employee. If an employee does not feel connected to the training, they will not do as well. The approaches are as follows:
Phishing emails, once or twice a month
Webinar
Readings/Videos- Training Sessions
Reward- Positive reinforcement
Checking in with the employee
Monthly meetings
Quizzes at the end of readings/videos
By the results of the approaches, the organization will know how to proceed.
zijian ou says
To be a well-protected company internally and externally, all employees in each department should cooperate with the security department. Regular training is necessary to ensure that all departments of the company are implementing the best safety. “By layering training exercises with ongoing phishing simulations and event activation learning, link training with actual events,
Dan Xu says
To improve the security education training and awareness in an organization I know well, I would:
-Populate the basics of safety education training and awareness with a questionnaire.
-Test the public with phishing emails
-Analyze the results of the questionnaire and develop appropriate courses and seminars.
-Carry out activities related to security education, popularize more relevant knowledge, and determine how the cyber security awareness training program should operate.
-Survey the training participants after the course or event, pay attention to the feedback, and adjust the training in time. This also ensures the efficiency of security education training.
The easiest way to get support for the campaign is to lead by example: ensure participation from the top to the base. When everyone is involved, awareness of safety education increases and losses are reduced.
Bernard Antwi says
Focus on employees’ behavioral change
Training regularly is a must.
Go over the company’s security policy and procedure
Schedule Phishing and Social engineering simulations at random intervals
Being flexible with the corporate culture