Welcome to the first installment of our three-part blog series.
Cybersecurity Awareness Month is an excellent time to rejuvenate your security awareness program. But how can you sustain the momentum of Cybersecurity Awareness Month beyond October? Try adding threat intelligence to your program. It can personalize and invigorate your curriculum for your users.
Integrating threat intelligence into security awareness seems intuitive—and many practitioners claim to do it. But data suggests otherwise. Research Proofpoint conducted for our 2023 State of the Phish report found that while 75% of businesses faced business email compromise (BEC) attacks, a mere 31% trained their users about this threat. This indicates that while many businesses are aware of emerging threats, they struggle to weave this information into their training modules.
This blog post delves into best practices for using threat intelligence to raise security awareness with users. It includes insights from a customer session we held during Proofpoint Wisdom 2023 entitled “Utilizing Threat Intel to Design a Program that Works.” During that session, I spoke with Andrew Munson, senior manager of information risk management and governance at McDonald’s Corporation, and Shaun Holmberg, IT security analyst at Commercial Metals Corporation. Both provided insights into how they infuse threat intelligence into their global security awareness initiatives.
Understanding threat intelligence
Threat intelligence is the knowledge and analysis of cyber threats and vulnerabilities that can pose a risk to a business. This information includes details about the attack lifecycle, network architecture vulnerabilities and which users are being targeted. The intel should also provide details of the risk level or the consequential impact that a successful cyber attack may have on a business.
This information can be gathered from various sources. According to Shaun and Andrew, examples of optimal sources for intelligence are:
- Research reports. These resources include, but are not limited to:
- State of the Phish from Proofpoint
- Verizon’s Data Breach Investigations Report (DBIR)
- FBI Internet Crime Report (Internet Crime Complaint Center)
- Coalition’s Cyber Claims Report
- Security feeds. Proofpoint threat intelligence services, Rapid7 and Cyber Reasons are examples of providers of these feeds.
- Incident reports from products. These reports include Proofpoint Targeted Attack Protection reports, Proofpoint Closed Loop Email Analysis (CLEAR) and other reports related to the penetration testing of a company’s infrastructure.
Why is threat intelligence crucial for a security awareness program? Let’s dive deeper into this subject using insights from the recent discussion with Andrew and Shaun.
Making threat intelligence actionable
At McDonald’s, Andrew works with departments across the globe. Each region has its own requirements and is targeted with threats specific to an office. This is where working with a resource like the Proofpoint threat intelligence service team can create significant benefits for security teams.
Andrew described how working with our team gives him an advantage. He said the Proofpoint threat intelligence service team can analyze data across the globe to correlate attacks that may be affecting a single region. For example, they can recognize a targeted attack specific to Germany, which differs from an active attack they’ve identified targeting Austria.
Andrew said he uses this data to build separate simulations that mimic the active attack for each region and launches an auto-enrollment training session tuned to recognizing the attack indicators. He can also provide resources like notifications or informative newsletters, all within the region’s native language.
He mentioned that working with an external threat intelligence team saves his team a great deal of time and resources. He doesn’t have to conduct analyses and correlate data to justify his plan. He can stay ahead of threats so that education remains relevant to the current situation, which best positions his users to recognize attacks likely to impact them.
Shaun echoed these points and noted that he is a power user of Proofpoint CLEAR. His company’s users report messages using PhishAlarm. The messages are analyzed by threat response analytics and classified. The intel is sent back to the administrator and end user.
Shaun pointed out that the notification to the end user is crucial because it reinforces good behavior. If the user clicks on a malicious link by accident, someone from Shaun’s team will contact the user to discuss the mistake. This interaction between the security team and the user helps drive home the point that cybersecurity is a shared responsibility. Shaun said he is a big proponent of open communication between the security team and end users.
Additionally, Shaun noted that his team analyzes user-reported messages that the email security solution identifies as malicious. He said his goal is to identify trends and find indicators that would cause his users to fall for the attack. Once identified, Shaun and his team send out communications about the threat via email and Microsoft VIVE Engage. He can also take the original email and repurpose it for monthly phishing simulations. In other words, his users are testing themselves against real live attacks.
Here is a summary of four key takeaways from our discussion with Andrew and Shaun:
1: Tap internal and external resources for insights
The latest threat intelligence helps businesses stay ahead of potential threats. Andrew emphasized that it is vital for security teams to understand:
- Where the attack is happening
- What the attack is
- Who is being targeted
- How users are being tricked
Identifying emerging attack vectors helps teams develop proactive strategies to mitigate risks. With immediate user notifications, for example, employees can be aware of attacks that are coming. And they can stay vigilant until a more formal plan is in place.
2: Provide targeted training
Threat intelligence allows companies to tailor their programs instead of offering users generic security training. For instance, if there is a surge in ransomware attacks, employees can receive specific training on how to recognize and respond to ransomware threats.
3: Seek real-life relevance
Include real-world examples and case studies based on threat intelligence in training materials to make the content more relatable to users. In Shaun’s case, harvesting email attacks that have hit some users within the company helps make training relatable to other employees. And live discussions with the security team about an actual attack can help users understand the practical implications of cybersecurity in their daily work.
4: Be adaptive
Threat intelligence isn’t static; it evolves as new threats emerge. Security awareness programs should adapt accordingly to ensure employees stay informed. Andrew and Shaun said they have the flexibility to conduct monthly training. Conducting smaller monthly trainings or launching monthly phishing simulations can make it easier to adapt your security awareness program to the changing threat landscape.
Measuring the impact of threat intelligence
Integrating threat intelligence into your security awareness program is crucial. But you need to gauge its impact, too. Here are some metrics that Shaun and Andrew mentioned during our recent session, along with a few others that I recommend:
1: Phishing simulation and live email click and open rate
Track the percentage of employees who:
- Click on phishing simulation links or open email attachments
- Click on malicious links or open an attachment from their active email
Do this before and after threat intelligence-based training and aggregate the results over time. You’ll know there’s improved user awareness when you see this rate go down.
2: Email reporting rate
The email reporting rate is a success metric that helps you understand if your program is helping you to foster a positive security culture. Track user participation and the total number of real emails that employees report over time. Encourage and empower your employees to take a proactive stance toward helping to protect the company—and themselves.
3: Email reporting accuracy
Track the accuracy of emails that your employees report. Is the email a marketing email? Is it spam? Or is it an actual threat like a BEC or spear-phishing attack? You want your employees to recognize a threat versus a nuisance email, and you want them to report the threat. The more actual threats that they report, the lower the risk that your business will be breached (a real security outcome).
4: Assessment tests
Testing employee knowledge is essential to help determine if your employees retain and comprehend the training that you provide. You will find that many of your employees have varying degrees of knowledge. So, it will be important to augment your security awareness program to meet the individual needs of employees.
5: Employee feedback and culture assessments
Gather qualitative feedback from employees and run ongoing culture assessment tests. These efforts will help you gauge the effectiveness of your company’s security awareness program as well as employee sentiment. What you learn from these assessments will help to guide future improvements and inspire ways to improve your security culture.
Knowledge is power
Incorporating threat intelligence into your security awareness program isn’t just a way to know what threats are out there. It gives you crucial insights to help guide your overall program.
Take advantage of external and internal threat intelligence resources, use insights from this blog, and track key metrics to measure your success. These steps can help you become part of the 31% of organizations that saw they were being targeted by BEC attacks and trained their users to recognize and report them. In turn, you can reduce your risk of becoming a BEC attack victim.
Remember, cybersecurity is a shared responsibility. Your employees are your first, middle and last lines of defense. With the right training informed by threat intelligence, they can become proactive defenders of your business and help break the attack chain.
Want to learn more from Andrew Munson and Shaun Holmberg? Watch the full replay of the Wisdom session, “Utilizing Threat Intel to Design a Program that Works.”
And stay tuned for the next installment of this three-part blog series, “From Indifferent to Impactful Security Awareness Education, Part 2: How to Inspire Engagement.”
Subscribe to the Proofpoint Blog