1st and 10: The X’s and O’s of Effective Security Awareness Training
It’s often been said that the best defense is a good offense — and with football season in full swing here in the U.S., the phrase is getting more than its fair share of air time. While this expression might seem to be at odds with the defense-in-depth approach to information security, it’s worth examining how a proactive security awareness training program can supplement the technical safeguards that are currently in place to protect your networks, data, and organizational assets from attack.
Consider how the following four tips, borrowed from the gridiron playbook, could create a stronger security stance within your organization:
Use Simulated Attacks (the Naked Bootleg of Cybersecurity Assessments)
Like the naked bootleg, simulated phishing attacks use misdirection to get results. The reality is that your opponents — hackers, social engineers, and cybercriminals — are already using deception techniques to penetrate your defenses. By being proactive and taking a page from their playbook, you can identify your weaknesses before they do and work to correct them.
Schedule Study Time to Learn Your Opponents’ Tricks
Now-retired quarterback Peyton Manning was famous for his preparation and the time he spent studying his opponents; he once told USA Today, “The cerebral part of the game has always been something where I had to get my edge.”
Just as Manning’s preparedness gave him an advantage over others who were faster and stronger than he was, cybersecurity education can give your end users an edge over highly skilled and sophisticated cybercriminals. It’s much easier to defend against an attack if you have a clear understanding of the methods that might be used and have the opportunity to practice appropriate countermeasures.
Our recent Beyond the Phish™ Report compiles data from nearly 20 million questions asked and answered about cybersecurity threats, identifying the most concerning knowledge gaps in multiple industries. Get in the know about what your end users don’t know.
Encourage Top-Down Participation (the Spread Offense of Cybersecurity Training)
In football, the spread offense is designed to increase efficiency by “spreading” defenders across the field, which in theory makes it harder for them to pressure the quarterback and make tackles. You can borrow this approach by developing an organization-wide security awareness and training program, one that delivers education to all employees rather than a select few. By increasing your coverage and extending knowledge up and down the corporate ladder, you help to build a culture of security that is both broad and deep. The more people you have participating in your efforts, the more effective those efforts are likely to be.
Don’t Be Afraid to Call an Audible
Sometimes a quarterback decides to call an audible at the line of scrimmage, effectively changing the game plan to respond to what he believes to be an imminent threat. This is something all security awareness training program administrators should confidently be able to do as well. A SaaS-based platform with a variety of awareness and training components, effective measurement tools, and flexible management is a great way to give yourself the agility to address emerging issues and security concerns that present themselves in a constantly evolving marketplace.