From the Infosec Files: Overcoming Obstacles
Every security awareness training program has its challenges. Such is the case when attempting to educate a group of people with different job functions, different skillsets, and different attitudes — and that’s just the Accounting department!
We know your pain — so we set out to help alleviate it. We recently asked several infosec experts to highlight the techniques and tips they’ve used to overcome common obstacles associated with cyber security awareness and training. Here are three pieces of day-to-day, planning-and-executing, measuring, headache-avoiding, behavior-changing, best-results-you-ever-shared-with-your-Board infosec advice.
Build a Relationship With Corporate Comms
You’re getting ready to send out a company-wide email to prime everyone for the new cyber security program when…boom…out comes a message from corporate about a month-long health and wellness initiative. Or an email about a new acquisition. Or an email to kick off an entirely unrelated educational program.
These types of conflicts are very common — and they can be counter-productive to program success. “We seemed to always be bumping into our corporate communications team from a scheduling perspective,” one CISO told us. “It certainly wasn’t intentional, but it caused some stress and irritation on both sides. It made things feel like an uphill battle.”
The key to improvement, the CISO said, was starting a conversation. “We just needed to communicate with one another to make sure we didn’t end up inadvertently stepping on each other’s toes. So we worked together to create a communication plan that minimized conflicts and overlap with other high-level initiatives,” he said. “The simple act of coordinating with the corporate team made everything much easier for us. It also lightened the load for our employees because they weren’t suddenly being bogged down with multiple messages and multiple action items. A classic win-win.”
Banish the Prairie Dog Effect
What, you might ask, is the “prairie dog effect”? Picture this: You send out a phishing email to all your employees, and it lands in their inboxes just after lunchtime. Someone clicks the email and receives an alert letting them know that they mishandled the message. Up pops the head of that person, who says to anyone within earshot, “Hey, don’t click that email. It’s a trap!” Heads pop up all over the office, and pretty soon, the cat is so far out of the bag that she’s in a new zip code.
This is the prairie dog effect.
Many times, the effect is relatively contained; one person tells a couple people, and it dies down from there. However, as one infosec officer’s experience shows, it can easily get out of hand. He shared the story of an executive assistant who clicked on a simulated phishing email and received a pop-up alert. She quickly wrote an email and sent it company-wide, telling people not to click.
“Certainly, she thought she was doing something helpful. So we couldn’t really fault her for that. And it’s not like you don’t want people to talk to each other about phishing emails. In general, talking is good because it means there’s more awareness, that people are getting it,” the infosec officer told us. “But in a ‘prairie dog’ scenario, it’s almost like one kid giving everyone in the room the answers to a pop quiz when the teacher isn’t looking. Sure, it’s going to look to the teacher like everyone understands the subject. But do they really? Probably not.”
So how to fight this phenomenon? Preliminary communication is one useful approach. “Before you launch your program, it’s a good idea to let people know that awareness and training exercises are coming,” the infosec officer advised. “In that communication, you should stress that employees complete their exercises individually and avoid sharing answers or advice with one another to ensure that you get a truer sense of knowledge levels and vulnerabilities.”
Administrative tools can also help minimize the prairie dog effect. One CISO recommended assessing only 20% of the employee base at a time, which spreads out the assessments and gives fewer people something to talk about. Another option is a feature like Wombat’s Random Scheduling service, which allows program administrators to stagger the delivery of simulated attacks and slate deliveries for off hours (within users’ native time zones).
“A message that lands in every mailbox during the middle of the workday is far more likely to raise suspicions and spur a prairie dog effect. I have literally been at a company luncheon where 30 or 40 mobile phone notifications went off almost simultaneously,” the CISO said. “Needless to say, these situations impact the integrity of your results and can leave you with a false sense of security.”
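To make the two staggering tactics above concrete (a 20% cohort per wave, and delivery outside each user’s local workday), here is a small scheduler written for this article. It is an added example, not Wombat’s Random Scheduling code or any product’s API. The roster is constructed, and each user carries a fixed UTC offset as a stand-in for a real IANA time zone so the block runs without tzdata; the 08:00–18:00 local workday window, the five-day span and the five-minute “burst” metric are assumptions chosen for illustration.

```python
import math
import random
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone


# Constructed roster for the example. A real deployment would carry each
# user's IANA zone name (from the HR directory) and resolve it with zoneinfo;
# a fixed UTC offset per user is used here so the block runs without tzdata.
@dataclass(frozen=True)
class Employee:
    email: str
    utc_offset_hours: int  # stands in for the user's native time zone


ROSTER = [
    Employee("a.adams@example.com", -8),
    Employee("b.baker@example.com", -8),
    Employee("c.chen@example.com", -5),
    Employee("d.diaz@example.com", -5),
    Employee("e.evans@example.com", 0),
    Employee("f.fischer@example.com", 1),
    Employee("g.gupta@example.com", 5),
    Employee("h.huang@example.com", 8),
    Employee("i.ito@example.com", 9),
    Employee("j.jones@example.com", 10),
]

# Local workday to avoid: a message landing inside it is the lunchtime
# "every phone buzzes at once" scenario the CISO describes.
WORKDAY_START = time(8, 0)
WORKDAY_END = time(18, 0)
START_DAY = date(2024, 3, 4)  # constructed start of the delivery window


def is_off_hours(local_dt: datetime) -> bool:
    """True when the local wall-clock time falls outside the workday."""
    t = local_dt.time()
    return not (WORKDAY_START <= t < WORKDAY_END)


def cohort_size(roster_size: int, fraction: float) -> int:
    """Size of one assessment wave: fraction of the roster, rounded up, at least one."""
    return max(1, math.ceil(roster_size * fraction))


def pick_cohort(roster, fraction, rng):
    """Randomly sample one wave's worth of employees from the roster."""
    return rng.sample(roster, cohort_size(len(roster), fraction))


def off_hours_slot(local_day: date, tz: timezone, rng: random.Random) -> datetime:
    """Pick a uniformly random minute between WORKDAY_END on local_day and
    WORKDAY_START the following morning, expressed in the user's own zone."""
    evening = datetime.combine(local_day, WORKDAY_END, tzinfo=tz)
    next_morning = datetime.combine(local_day + timedelta(days=1), WORKDAY_START, tzinfo=tz)
    window_minutes = int((next_morning - evening).total_seconds() // 60)
    return evening + timedelta(minutes=rng.randrange(window_minutes))


def build_schedule(roster, fraction, start_day, span_days, seed):
    """Return (email, local_send_time, utc_send_time) rows, sorted by UTC.
    One wave is sampled, then each recipient gets an independent day and
    off-hours minute in their own zone, so sends never cluster company-wide."""
    rng = random.Random(seed)  # seeded so a run is reproducible and auditable
    schedule = []
    for emp in pick_cohort(roster, fraction, rng):
        day = start_day + timedelta(days=rng.randrange(span_days))
        tz = timezone(timedelta(hours=emp.utc_offset_hours))
        local = off_hours_slot(day, tz, rng)
        schedule.append((emp.email, local, local.astimezone(timezone.utc)))
    schedule.sort(key=lambda row: row[2])
    return schedule


def max_burst(schedule, window=timedelta(minutes=5)) -> int:
    """Largest number of sends landing within any single window of UTC time.
    A value of 1 means no two messages arrive close enough to be noticed together."""
    times = [row[2] for row in schedule]  # already sorted by UTC
    best = 0
    for i, start in enumerate(times):
        count = sum(1 for t in times[i:] if t - start <= window)
        best = max(best, count)
    return best


if __name__ == "__main__":
    plan = build_schedule(ROSTER, fraction=0.2, start_day=START_DAY, span_days=5, seed=42)
    for email, local, utc in plan:
        print(f"{email:26} local {local:%Y-%m-%d %H:%M %z}  utc {utc:%Y-%m-%d %H:%M}")
    print("largest 5-minute burst:", max_burst(plan))
```

The seed makes each wave’s schedule reproducible, which matters when you later need to reconcile who was assessed when; `max_burst` is a quick check that a generated plan does not recreate the simultaneous-notification problem before it is handed to the delivery system.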
Raise Training Completion Rates
Even when training is mandatory, it’s not necessarily easy to get employees to complete their assignments. A few of the CISOs and CSOs we spoke with agreed on a common strategy: asking managers to get involved.
“If possible, it’s to your advantage to have training assignments come directly from managers rather than from a ‘faceless’ IT email address,” said one CSO. “We’ve seen better early completion rates with this sort of setup, where assignments go from IT to vice presidents and directors, who then cascade them to their teams.”
“Of course, that type of setup can be a challenge — if not a nightmare — for administrators,” said another CISO in response. “It’s understandable that an administrator would want to manage and track distribution of assignments.” But that doesn’t mean that managers can’t be involved.
“Even if they don’t directly send the assignments, managers can still be part of the process,” the CISO said. “Their actions can definitely contribute to completion rates. We instruct all of our managers to acknowledge the importance of the program, encourage their staff to complete training, and lead by example.”
Stay tuned for future installments of “From the Infosec Files,” where we’ll share additional advice and insights from CISOs and CSOs who are using the Wombat Continuous Training Methodology to deliver security awareness training.