Last week, we hosted our Wombat Wisdom Security Awareness and Training Conference in Pittsburgh, and those three days were filled with excellent presentations, discussions, and ideas shared by our customers and prospects. For those who weren't able to attend, you missed a great opportunity to network and collaborate with like-minded peers. While we would have loved to have you join us, all is not lost — following are some of the key tips and insights we heard during the conference (many of which were shared by multiple attendees).
Change Your Definition of Failure
This was a key message we heard last week, and it falls in line with our belief that the carrot is better than the stick. One of our presenters encouraged attendees to change the perception of what failure means, not only to them but to their end users. Rather than calling a click a "failure," he suggested thinking of it as a "response." He stressed that clicks are teachable moments; they teach you something about your vulnerabilities and they teach users about the presence of threats in the workplace. In attacks from the wild, there is no positive educational value or in-the-moment advice following a click. Our customer noted that he prefers to take those responses and use them as building blocks for a more secure end-user base.
In another presentation, a security awareness training program administrator suggested that organizations plan for failure and plan for success because, as he said, there will be both. He advised to have a soft hand with those end users who fall for attacks, but to reward those who are performing well. "A click is not your win," he stated. "Your win is measurable progress."
Make It Personal
We heard this from several infosec professionals who are running successful programs. "Home is where the heart is," said one employee training manager. "Spouses, kids, family, and friends are the things we care most about. If you can make it resonate there, those behaviors will carry over."
Her co-administrator echoed those sentiments and revealed some of the techniques they have used in order to help end users connect the dots between dangerous behaviors and personal data loss. He advised asking employees how they would feel if, at home, they were hit with a ransomware attack and lost photos of important family moments (a newborn baby, for example) that were not backed up and couldn't be recovered. He said that because these types of examples are immediately relatable to end users, they are immediately more interested in learning how to prevent such things from happening in their lives.
Learn more about how we help our customers deliver effective cybersecurity education.
Think Like a Marketer
Several presenters touched on the idea of making cybersecurity training programs and awareness activities more interesting with the use of internal video ads, humorous posters, giveaways, and more. They mentioned the importance of getting people engaged, and they suggesting tapping into marketing and communications resources, as that is their wheelhouse.
By using engaging pieces of awareness content, you can draw end users in and start people talking (and thinking). Then other related activities don't feel like so much of a chore. As we've noted in the past, security awareness and training programs do not have to be a snooze fest.
Know Your Audience
This is, in some ways, an extension of the last two points, but it goes beyond thinking of your end users. You should certainly make efforts to resonate with your employees, but you also need to speak the language of the other stakeholders in your organization. When presenting to your executive team, focus on the types of information that will be meaningful to them (hint: think business impact). And think about the clock and the calendar; you're less likely to have success when teams are in end-of-quarter crunch, for example, or if they are trying to wrap up for the day.
As one of our speakers noted, "The presentation of the data is as important as the data itself. If you want to be successful, you need to think about having your message presented by the right person at the right time."
Be on the Lookout for Social Engineering
This piece of advice is based on something we ourselves experienced in our preparations for the start of the Wombat Wisdom Conference, and it's something we felt strongly about sharing with you. We actually had an imposter register for our event. This was someone affiliated with a competitor, and she used a false name and even tried to mask her ties with this company by deleting information from social media profiles.
Thankfully, we were on the lookout for something like this, and we caught it well in advance of the start of our event. But it's worth noting the lengths this individual went to in an effort to gain inside access to the customers and prospects who would be attending our event, as well as the information and advice our presenters would be sharing.
Though the idea of imposters, cyber espionage, and "infiltrators" might seem far-fetched from where you're sitting, it's critical that you be on alert for the potential machinations of competitors and cyber criminals, particularly if you are hosting or sharing IP with customers and prospects in a semi-public venue.
