When security awareness training started becoming a key project for organizations, infosec professionals had some questions:
- How do I get buy-in? Who should I work with internally?
- What should I do? How frequently?
- How do I engage my people?
- How do I measure and share success?
While tools like Proofpoint Security Awareness Training and others have evolved and provide more features, reporting capabilities and content, the questions above have not necessarily been answered. Every organization has a unique culture and operating environment – so the answers to these questions aren’t set in stone.
Over the next few months we’re going to provide guidance for delivering an efficient and effective cybersecurity education program regardless of your program maturity, vendor, or other obstacles you may face. We’ll highlight key facts, strategies, resources, and tips for administrators.
Here are some areas we’ll highlight in more details over the coming weeks.
Structure Your Conversation about Security Awareness
Rather than discussing individual tactics like phishing simulations, training exercises, and presentations, we find it helpful to “level up” your language when discussing your program.
A contextual starting point for any audience is this stat from Verizon’s 2019 Data Breach Investigations Report: 94% of all breaches are from attacks targeting people. While technical vulnerabilities are still important, attacks on people represent the greater risk for most organizations.
We think about risk for security awareness in terms of people-centric risk, and we group the individual tactics into three areas:
- Identify Risk: Find out which of your users are vulnerable to what using tools like phishing simulations, knowledge assessments, and threat intelligence that shows which of your users are targeted.
- Change Behavior: Apply educational and awareness activities like online and in-person training, newsletters, and other materials to drive behavior change and reinforce the expected behaviors for users.
- Reduce Exposure: Reduce your exposure to threats like phishing by providing tools for your users like an email reporting add-in for them to send suspicious messages to an appropriate team and remove them from your environment.
Using this framework, you can discuss your program with stakeholders in a more cohesive way.
Engage (All) Your People
Security awareness training is primarily about end users, but just as importantly, it’s about winning the hearts and minds of key internal stakeholders. Without this buy-in, your program is more likely never to start, or to stall once it has. Here are some departments to consider reaching out to, ideally before but also during your program:
- Email Security or Messaging Team: This team understands your organization’s threat landscape and may even be able to tell you who is being attacked and by what. This will make your program more relevant to your organization’s threat landscape.
- Incident Response or Helpdesk: This team frequently handles the investigation and remediation of messages from the abuse mailbox. If you set up an email reporting add-in and response capabilities, you’ll want to include this team in the process.
- Human Resources: Typically in charge of most company training, it’s great to work with your HR team to fit security awareness training into the overall training program already in place. The HR team can also help promote your program and even communicate about it as part of onboarding for new hires.
- Marketing or Internal Communications: Leverage the creative resources at your disposal, and work with this team to come up with your security awareness theme and customized assets.
- C-Level Executives: The C-suite can make or break a great program. With their buy-in, you’ll get better participation from users through a top-down approach.
Successful Programs Are an Ongoing Process, Not an Event
We hear this story from customers frequently: your CISO has chosen you to select a security awareness training vendor and launch the program. So you do some research, find suitable vendors, go through an evaluation process, and make a selection. After some setup, you send out a simulated phishing email and train those who failed it. Job done for the time being, right? Not quite. The order and timing of your activities, and your ongoing engagement with users, are critical to the success of your program.
In our 2020 State of the Phish Report, we surveyed 3,500 working adults in 7 countries and found:
- Only 61% know what phishing is
- Only 31% know what ransomware is
- Only 30% know what smishing (SMS/text phishing) is
Assuming that users have a functional understanding of even basic cybersecurity concepts distorts reality, which is why we recommend foundational training on important topics at the start of your program.
But it’s important to maintain the program throughout the year. As any marketing department can attest, your journey to win hearts and minds has only just started, and initial training can’t be allowed to lead to complacency. The “Rule of 7” in marketing states that you have to get an ad in front of someone at least 7 times in order to get them to engage. People forget easily, are distracted, and have specific ways in which they learn.
Security awareness is just one of the internal programs vying for attention, so it’s important to:
- Keep your message consistent
- Make it relevant and beneficial to your users
- Repeat it continuously and maintain frequency throughout the year
- Utilize different channels to capture attention
What Are Your Organization’s Objectives?
A successful security awareness program should address people-centric risk without burdening end users, and should build a natural culture of security awareness. Setting measurable goals ahead of time is essential to success.
One of the key metrics we hear administrators discuss is click rate: the percentage of users who click a link or open an attachment in a simulated phishing email. While that’s one useful measurement for gauging progress, it can give an inaccurate reflection of user behavior change, and when presented to stakeholders it casts users in a negative light.
Our customers have started to use “reporting rate,” the percentage of users who report a simulated phishing email, as a key metric to demonstrate desired user behavior and to improve stakeholder views of user behavior. Customers who tell stories about users reporting real phishing emails, and their infosec teams subsequently stopping attacks, help further change a company’s culture and get buy-in for their activities.
There are also other positive indicators, best baselined ahead of time, for measuring program success:
- Number of malware infections and user machine remediations
- Time and resources spent on abuse mailbox management
- Number of successful phishing attacks
- Downtime hours for end users
These internal metrics are great ways to demonstrate program success over time.
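To make the click-rate versus reporting-rate discussion concrete, here is an added example (not Proofpoint’s code, nor code from this post) that computes both metrics from a constructed event log of one simulated phishing campaign. The event rows, campaign name, and user names are all made up for illustration. It also breaks out two figures the post does not name but that follow naturally from the same data: how many reporters reported before clicking, and the median time from delivery to report, both of which give stakeholders a more positive and more honest picture of user behavior than click rate alone. Duplicate clicks by the same user are counted once, since both rates are per user, not per event.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample events for one simulated phishing campaign (not real data).
# Each row: (campaign id, user, event type, ISO-8601 timestamp).
SAMPLE_EVENTS = [
    ("q1-invoice", "alice", "sent", "2020-03-02T09:00:00"),
    ("q1-invoice", "alice", "reported", "2020-03-02T09:12:00"),
    ("q1-invoice", "bob", "sent", "2020-03-02T09:00:00"),
    ("q1-invoice", "bob", "clicked", "2020-03-02T09:05:00"),
    ("q1-invoice", "bob", "clicked", "2020-03-02T09:06:00"),   # second click, same user
    ("q1-invoice", "bob", "reported", "2020-03-02T09:20:00"),  # reported after clicking
    ("q1-invoice", "carol", "sent", "2020-03-02T09:00:00"),    # no action at all
    ("q1-invoice", "dave", "sent", "2020-03-02T09:00:00"),
    ("q1-invoice", "dave", "clicked", "2020-03-02T10:00:00"),
    ("q1-invoice", "erin", "sent", "2020-03-02T09:00:00"),
    ("q1-invoice", "erin", "reported", "2020-03-02T09:03:00"),
]


def campaign_metrics(events):
    """Return per-campaign click rate, reporting rate and related figures.

    Rates are computed per unique recipient: a user who clicked twice counts
    once, and only users who actually received the simulation are in the
    denominator.
    """
    # campaign -> user -> event type -> list of timestamps
    by_campaign = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for campaign, user, kind, ts in events:
        by_campaign[campaign][user][kind].append(datetime.fromisoformat(ts))

    results = {}
    for campaign, users in by_campaign.items():
        sent = {u for u, ev in users.items() if ev["sent"]}
        if not sent:
            continue  # nothing delivered, so no rate to compute
        clicked = {u for u in sent if users[u]["clicked"]}
        reported = {u for u in sent if users[u]["reported"]}

        # Users whose first report came before any click (or who never clicked).
        reported_before_clicking = {
            u for u in reported
            if not users[u]["clicked"]
            or min(users[u]["reported"]) < min(users[u]["clicked"])
        }

        # Minutes from delivery to the user's first report.
        minutes_to_report = [
            (min(users[u]["reported"]) - min(users[u]["sent"])).total_seconds() / 60
            for u in reported
        ]

        results[campaign] = {
            "sent": len(sent),
            "clicked": len(clicked),
            "reported": len(reported),
            "click_rate": round(len(clicked) / len(sent), 3),
            "report_rate": round(len(reported) / len(sent), 3),
            "reported_before_clicking": len(reported_before_clicking),
            "median_minutes_to_report": (
                statistics.median(minutes_to_report) if minutes_to_report else None
            ),
        }
    return results


def stakeholder_summary(metrics):
    """One line per campaign, leading with the positive (reporting) figures."""
    lines = []
    for campaign, m in metrics.items():
        lines.append(
            f"{campaign}: {m['report_rate']:.0%} of {m['sent']} users reported the "
            f"simulation ({m['reported_before_clicking']} before clicking, median "
            f"{m['median_minutes_to_report']} min); click rate {m['click_rate']:.0%}"
        )
    return lines


if __name__ == "__main__":
    for line in stakeholder_summary(campaign_metrics(SAMPLE_EVENTS)):
        print(line)
```

Run against the constructed log, the campaign shows a 40% click rate but a 60% reporting rate, with two of the three reporters reporting without ever clicking and a median time to report of 12 minutes. Feeding real export data in the same (campaign, user, event, timestamp) shape is the only change needed to use this on your own simulations.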
Follow our blog as we provide free guidance on how to build a successful security awareness training program. On May 6, Proofpoint will be holding a Cybersecurity eSummit, including a panel, Benchmarks & KPIs You Need to Know for Security Awareness Training, from 12:45PM-1:45PM Pacific Time. Learn more and register for this webinar here.