5 Ways to Make Security Awareness Trainings Effective

Share this post!

Statistically speaking, 4 percent of people in any given phishing campaign will click—despite what they were told at security awareness trainings—and incredibly, the more phishing emails someone has clicked, the more likely they are to do it again.

PC Corp can provide technical means to deliver automated Security Awareness Training to help make your workforce more mindful of suspect emails and less apt to click on phishing scams. Your employees still play a major role in your I.T.’s security. Regular security awareness training is essential to that. At RSA 2018, the world’s leading cybersecurity conference, a number of expert suggestions for security awareness trainings that actually work emerged.

Here, straight from RSA 2018, are 5 Ways to Make Security Awareness Training More Effective:

1. Treat security like UX

Advocacy Manager of Duo Security, Zoe Lindsey, argued that “the system is people.” In other words, by applying user experience (UX) principles to your security program, you’ll be better positioned to create system-wide change.

The first step to doing so is to stop trying to take a one-size-fits-all approach to security awareness. Instead, create personas—similar to agile methodology user stories—describing how groups of users interface with security. Your historical help-desk data likely has a lot of insight into where groups of users find friction in your security processes. Once you’ve grouped users into personas, you can begin to understand security from their perspective. From there, you can improve your security UX and training materials to meet their needs.

2. Adopt gamification

There’s nothing motivating about awareness. But earning points and beating your coworkers at a little healthy competition can feel deeply satisfying. In “You Cannot Live on Phish Alone,” CEO and President Marie White of Security Mentor, Inc. called for organizations to adopt gamification to create trainings with real impact.

The collision of game theory and behavioral psychology gets pretty complex, but the following e-learning techniques offer some ways to motivate people to complete digital security coursework:

  • Provide progress indicators, such as points, badges, or awards
  • Award competence by creating levels, certifications, or leader boards
  • Support autonomy by allowing learners to choose courses or self-pace learning

3. Measure, for phish’s sake

You can’t know anything about the impact of your security education investments if you don’t measure awareness among your users before and after training. In “Phishing Simulation and Security Awareness Training: Equivalent or Not?”, White called for using measurement to understand the success of security awareness initiatives.

Here are three ways to measure how successful your security awareness initiatives are:

  • Employee reaction: Training engagement, completion, and satisfaction
  • Knowledge: Measurable change in employee knowledge before and after training
  • Behavior change: Whether insecure behaviors, such as opening dummy phishing emails, have actually sunk in

4. Create an ambassador program

According to SANS Institute Director Lance Spitzner, the next step toward security maturity is creating cultural change by building a security awareness ambassador program. Social marketing with ambassadors is a time-tested concept in everything from software implementations to workplace safety initiatives. Studies show up to 15 percent better success rates when “normal” employees are turned into project champions to evangelize to their peers. Peer resources for security questions could be key to changing beliefs, values, and behaviors.

Spitzner also recommends your ambassadors come armed with passion, not tech skills, and commit around 4 hours a month to their new gig. What’s in it for them? Recognition and the opportunity to put valuable cybersecurity knowledge on their resume.

5. Harden the perimeter

Unfortunately, human error is inevitable, even with the best programs in place. That’s why there’s still a need for super secure tech that won’t make mistakes even when your users do. In Dave Hogue’s talk, he focused on ways office IT pros can improve their security posture beyond security training. His tips included:

  • Reducing attack surfaces with stronger endpoints
  • Improving visibility into all parts of the network—gateways, midpoints, and endpoints
  • Updating software and hardware
  • Using comprehensive threat intelligence technologies
  • Thinking like the adversary—constantly curious to discover new threat vectors

People may make mistakes, but no one wants to cause a data breach. It’s time for security awareness training to transform from dull classroom sessions to engaging programs that create lasting change. Humans will never be perfect, but there’s a great deal of room for improvement. Some more creative training techniques, like persona-driven training and gamification, can go a long way toward making security concepts a part of workplace culture.

Of course, training has to exist alongside stronger security technology, like connected devices with embedded security features and increased network visibility. However, investing in end-to-end security while fostering a culture of collaboration will help keep even the most persistent hackers at bay.

TO CONSIDER:

1. The PC Corp’s Network Security Review, provides a detailed analysis of the network vulnerabilities, a summary report and a remediation plan.
2. Arm your employees as protectors of your network with effective automated Security Awareness Training.
3. Enhance the level of security protecting your network with PC Corp Managed Security, a layering of new technologies that enhance the traditional tools and are utilized to better protect a network against cybercrime inside and out.

 

Does all that sound complicated?  It doesn’t have to be.  PC Corp can help you Make I.T. Easy.  Contact us at info@pccorp.com.

 

Article Source: https://www.tektonikamag.com/index.php/2018/05/08/rsa-2018-5-ways-to-make-security-awareness-trainings-effective/

Small Business

Education

Government

Enterprise