Four Steps to Long-Term Success with Security Awareness Training

August 18, 2014
Gretel Egan

In checking out the website of the Ponemon Institute — an independent agency that conducts research on privacy, data protection, and information security policies — I didn’t need to dig any deeper than the home page to uncover research findings that highlight the need for effective security awareness training:

  • 51% of CEOs surveyed say their company experiences cyber attacks hourly or daily
  • 60% of employees circumvent security features on their mobile devices
  • 80% of CEOs surveyed believe good data protection increases brand or marketplace image

Here’s another point that requires no research to confirm: Each employee in your organization is a potential penetration point for your network, your systems, and your data. Whether a breach is physical or electronic, accidental or intentional, major or minor…it’s still a breach. Sure, you could fire all your employees. But why not change behaviors instead?


Assess, Train, Measure, Repeat

At Wombat, we focus on awareness and training, using methodologies based on research at Carnegie Mellon University and proven through our customers’ success rates. That is a critical distinction; we don’t just make employees aware that threats exist, we teach them how to recognize threats and act accordingly to keep data and systems secure.

Our four-step approach has proven to be an effective way to help employees retain the information they’re taught, which means they adopt best practices and change behaviors over the long term. Here’s how we do it:

1. Assess Susceptibility

Simulated attacks and knowledge assessments are great tools for helping you determine your organization’s level of risk. But this step should be about more than penetration testing; it should also be about motivation and education. Take this opportunity to give employees insights into any missteps and guidance about how they can make better choices in the future.

This in-the-moment training is critical to long-term retention. As Art Gilliland, General Manager of Enterprise Security Products at HP, told Kathryn Dill of Forbes Magazine, taking advantage of a teachable moment directly following an action is more effective than a general conversation later. “Educate at that moment,” said Gilliland. “It can be private, but it’s very powerful at the time of failure.”

2. Provide In-Depth Training

Using in-depth education as a follow-on to targeted teachable moments gives your staff a wider understanding of the potential risks faced in the workplace (and beyond). It’s during this phase that employees get a sense of how important their actions are to the safety and security of your organization’s people, places, and things. And it’s critical to think beyond phishing attacks. Though this is a significant threat to data and network security, email safety is just the tip of the security awareness and training iceberg.

3. Measure

Following in-depth training, it’s important to measure effectiveness. Analysis of knowledge levels and susceptibility helps you understand where your organization’s weaknesses are and which employees are likely to benefit from additional training. And by measuring, you’ll also have a clear path forward.

4. Repeat

Physical and cybersecurity threats come in many forms: phishing, smishing (malicious texts), and vishing (phony phone calls); social engineering scams; and lost and stolen devices are just some of the issues organizations are facing on a daily (even hourly) basis.

Hackers and scammers are relentless, and their approaches are bound to become more varied and more sophisticated. This is why it’s critical to keep reinforcing best practices and teaching good behaviors. A security awareness and training program that gives you the flexibility to deliver training on a bi-monthly basis is key to realizing the best possible results for your organization.

Read our case study to find out how a college in the northeastern U.S. used our tools to reduce successful phishing attacks by 90%.