Reasonable and Appropriate Security: Persistence and Oversight of Security Awareness Training

Share with your network!

‘Reasonable actions’ typically refer to the actions a person or organization should take given a specific challenge or problem. Reasonable (or appropriate) security provides a context for organizations to establish security controls, policies and practices considering their privacy responsibilities and given the threats and risks they face.

Reasonable security definitions vary, but security awareness training is considered part of reasonable or appropriate security by most security organizations, security frameworks and by security/privacy law. It is specified in GDPR, HIPAA, PCI DSS, ISO 27002, GLBA, NIST 800-53 and CCPA. And this is not an exhaustive list.

GDPR specifically designates that the Data Protection Officer ensure “…training of staff involved in processing operations...” and further states in relation to binding corporate rules that organizations have “…the appropriate data protection training to personnel having permanent or regular access to personal data…”

While these statutory requirements can create a need for security awareness training, the evolution of breaches has also provided motivation for organizations to effectively train employees on social engineering threats that could seriously compromise information security and lead to data loss, data misuse and privacy violations. And now, organizations, finding many of their end users working from home, have even more dynamic challenges. Research shows that attackers wasted no time exploiting this situation to their benefit.

And how does security awareness training help? For today and the foreseeable future, the top risk for organizations is their people. In 99% of the cases, research has shown that hackers leverage social engineering via email, text and phone to trick users into taking action that will comprise security and expose private data and intellectual property. By having well-trained people and developing a strong security culture, organizations can create a formidable line of defense that will not fall prey to manipulative and deceiving social engineering tactics.

So, we have a case of ‘we have to do it’ (compliance), and ‘we need to do it’ (threats, risks, global events).  Some organizations have simply implemented security awareness training as annual rite of passage for employees. Many others have greater frequency, but the training topics and content are many times static; further, security awareness training is an island, not integrated into the security infrastructure. These approaches are probably not reasonable or appropriate for any organization. Users are facing a continuous barrage of sophisticated attacks and anyone can fall prey to the ever-evolving tactics of attackers. Security awareness needs to continuously monitor and adjust to real-world threats.  

So, what might be considered reasonable or appropriate when it comes to security awareness training? Given security awareness training has proven ability to adapt to changing threats and thwart social attacks, a reasonable and appropriate security awareness program should include the following:

  1. The security awareness program addresses the organization’s actual threats and covers all staff: Security awareness training should educate users on the threats they are likely to encounter and should involve all staff as anyone in an organization can be manipulated to create risk. As attackers will target certain groups within your organization most find that more targeted training is needed.
  2. The organization continuously analyzes who is being targeted by hackers. Hackers patiently evaluate your organization before launching attacks. They will gather extensive information on your teams and target staff who they believe are vulnerable and have access to private information and/or intellectual property. Organizations can leverage threat intelligence to provide insight on who is being targeted and tailor training based on this information.
  3. Continuous and frequent training based on your organization’s threats: as the old saying goes, “…your mileage will vary…”. Depending on many factors, such as location, industry, press coverage, industry status, regional or world events, etc., your organization will face a dynamic threat landscape. How dynamic is the environment and how should the organization respond? The answer to this question and the reasonable or appropriate frequency of training lies again in threat intelligence. By understanding how fast threats are changing, organizations can provide supplemental and targeted training in a timely manner. This could mean monthly or more frequent activities.
  4. Integration to email security/anti-phishing defenses: Organizations should strongly consider the integration of security awareness training and email defenses. Many organizations still have users manually send suspected phishing emails to a single repository for manual inspection. This creates a tedious process of inspection, classification and remediation. Throughput is challenged by resource limitations and the natural inertia of manual processes. By automating this practice, organizations can have suspected phishing emails automatically analyzed against the latest threat intelligence, and all related emails quarantined in a matter of minutes. And security awareness content can be adjusted based on the analyses of reported messages.
  5. Visibility and awareness at all levels: Visibility is critical to program success, yielding better user participation and retention, and ongoing support from executive management teams. Beyond knowledge assessments and training, organizations should leverage campaigns and reports for positive visibility of security awareness training. Campaigns provide themed tips and insights based on entertaining and engaging content including posters, webinars and podcasts. These provide subtle reminders and reinforcement to users on safe security practices. Reporting helps the organization keep track of the effectiveness of security awareness training. User readiness should be part of quarterly security reports to executive management. Simulated phishing statistics, threat and training reports should be viewed frequently, bi-monthly at least to ensure that all relevant groups understand user readiness, user activity and emerging threats.

Security awareness training is at the forefront of ‘people-centric’ security. Research indicates that people are and will continue to be the primary attack vector of attackers. It is ‘reasonable and appropriate’ for organizations to respond accordingly, and ensure that the content, integration, frequency and visibility of their awareness efforts reflect this reality.

Proofpoint offers a host of helpful resources to help you get started. Get access to them here.