Training New Hires on Security: Strategies for Success

The rise of cyberthreats and the growing complexity of the IT threat landscape means security training for all organizations must be a paramount concern.

Instilling a culture of security starts on day one and partnering with the human resources team to accomplish this is essential -- not just on new hire training, but around the entire workforce security program.

The importance of security is something that needs to be echoed early and often, and ideally, the organization’s commitment to information security will be covered during employee onboarding sessions.

That will be followed with online training that employees complete in their first week on the new job. 

Ben Calvert, chief security officer at Proofpoint, says a great way to ensure your training is useful and relevant to new employees is to start with a knowledge assessment. ‘‘That baseline provides a measure of where the learner’s knowledge is most at risk, and the training content can then focus on those areas,’’ he says.

He adds training should also be interactive -- forcing new people to sit through lengthy security awareness training videos or content that isn’t engaging can be counterproductive. ‘‘It could send a signal that security is unresponsive to the needs of employees,’’ Calvert cautions.

Focus on Catered Security Training

Sajeeb Lohani, director of cybersecurity at Bugcrowd, advises security teams to make training catered to the threats and occurrences they see in practice. ‘‘There are vendors who provide this type of training, which can often aid with decreasing the load of creating the entire training,’’ he says. ‘‘However, catering for specific circumstances is often most effective.’’

For example, if you own an accounting firm, you may see a larger number of phishing emails regarding changes to account details, so you’d train people to detect those scams appropriately.

‘‘The most common threat in the horizon would be social engineering and phishing,’’ Lohani adds. ‘‘With companies like Riot games and Zendesk being affected, it’s proving to be an effective method for attackers to reap value.’’

Bambenek says ultimately, every employee should know about phishing attacks as any employee can be a target.

‘‘Beyond that, the key is training being calibrated to the unique threats faced by specific classes of employees,’’ he explains. ‘‘Employees in finance will see various forms of business email compromise or spoofed invoices. IT and security administrators will see spoofing for authentication failures or security events.’’

Training an Essential Onboarding Component

John Bambenek, principal threat hunter at Netenrich, points out onboarding is the time employees are naturally inclined to be learning yet not fully engaged in day-to-day work.

‘‘Making sure security training is up front when there are fewer opportunities for distraction helps,’’ he says. ‘‘HR should make sure this happens as part of structured onboarding.’’

The security teams and threat intel teams should make sure the training is calibrated to risks relevant to those employees -- the key to any training is that it’s relevant to the employee.

Calvert agrees the topics covered in the training should be driven by the security concerns of your organization.

‘‘Find out from your incident response team what types of events are being driven by employee behavior,’’ he says. ‘‘Your human resources, legal, and privacy teams will also have input for you.’’

Lohani says while security is everyone’s responsibility, training around security awareness is generally owned by the security business unit -- more specifically the security outreach or awareness teams.

‘‘If the company does not have a security team, the responsibility often falls upon the IT team,’’ he notes.

A Positive, Gamified Training Experience

Mika Aalto, co-Founder and CEO at Hoxhunt, advises avoiding punitive based approaches to begin new hires experiences with security awareness. ‘‘Most legacy solutions use a one-size-fits-all model that only engages on failed responses, which leads to employees quickly disengaging with the program,’’ he cautions.

New, successful approaches utilize positive, gamified experiences to equip employees and security teams with the skills and tools to recognize and stop breaches before they spread.

He points out 90% of breaches target employees; and the easiest path to a breach is through employees’ email boxes.

‘‘Changing their cyber behavior is the only successful method to reduce risk of all types of email attacks, from business email compromise to account takeovers to supply chain fraud and ransomware,’’ Aalto says.

Frequent Reporting, Focus on the People Aspect

Calvert explains as with other parts of the security program, the security team can make their training program successful by providing managers with frequent reporting on who is completing the security training.

Security leaders can also provide executive leadership with metrics on how their organizations are performing in completing the training.  

‘‘A culture that values cybersecurity shapes employee attitudes and behaviors,’’ he says. ‘‘When your leaders and employees convey that cybersecurity is everyone’s responsibility and not just IT’s job, employees will do the things necessary to keep the organization secure.’’

Calvert adds addressing the people aspect of cybersecurity is critical given the threat landscape.

‘‘Attackers are targeting people and commonly use social engineering,’’ he says. ‘‘Ransomware can affect any organization, and attacks usually require a person to download a malicious attachment or give up their credentials.’’

Incorporating phishing simulations can train users on how to recognize and report malicious phishing messages to the security team.

Security Training in the WFH Era

Further complicating the threat landscape, the advent of the work from home (WFH) era has removed a lot of the physical risk factors and shifted the focus of attackers toward the way remote user management and resources are protected.

Training has moved further towards awareness for criteria like phishing, social engineering (vishing scenarios as people aren’t as accustomed to asking each other face to face).

‘‘Training should be adapted to educate users regarding the risks of remotely accessing resources, and how they should be accessing these internal resources in a secure manner,’’ Lohani says.

The trainings need to be tailored to an organization's infrastructure, ensuring the users do not need to guess or search about things, but rather can use the training as a reference for the future.

Aalto adds that between workforces becoming distributed and working from home, and the broader digitization of core business workflows including their supply chains, the number of vulnerabilities is higher than ever.

‘‘Today’s training needs to be delivered on both mobile and desktop devices with the ability to utilize modern communication platforms like Slack and Teams, and serve people across multiple languages and geographies,’’ he says.

Bambenek cautions that today, most training is remote, but from his perspective, there simply is no such thing as compelling web-based training.

‘‘The more live delivery one can do, the better,’’ he says. ‘‘Otherwise, it’s annoyed users clicking through as fast as possible.’’

What to Read Next:

Patrolling the Metaverse: Stopping Cybercrime, Training Forces

Closing the Cybersecurity Talent Gap

Cybersecurity Training to Beat the Enemy Within the Gates