Three Medal-Worthy Security Awareness Training Maneuvers
Last updated: February 15, 2018
With the 2018 Winter Olympics rolling in Pyeongchang, it’s natural to imagine what it would be like to stand on a medal podium, representing your country and your sport and taking your place in the history books. Though every few years I can almost convince myself that I’ve still got Olympic potential in me (Curling? Archery? Canoe slalom?), I’ve recognized that — like most of us in the cybersecurity space — worldwide illumination of my talents is not likely to happen anytime soon.
But that doesn’t mean that those of us in the daily grind aren’t striving for personal bests in our own arenas. At Wombat, we consistently — and effectively — find opportunities to innovate and show leadership. And we always keep our eye on the prize: namely, our customers’ success. So in the spirit of “Faster – Higher – Stronger,” we wanted to share three key maneuvers that can help you elevate your security awareness training program and put your end users’ newfound knowledge on a pedestal.
Bronze: Think Beyond the Phish
No argument from us: phishing (in its many forms) is the threat that keeps on threatening. As pioneers in the use of simulated phishing attacks, we strongly recommend our customers make anti-phishing education the foundation of their security awareness and training programs.
However, we also recommend that our customers think beyond the phish to assess and educate their end users about the many other cybersecurity threats that are prevalent (and emerging) in today’s marketplace. Risky behaviors like lax data protections, password reuse, oversharing on social media, and improper use of WiFi are all dangers in their own right — and can even exacerbate the already crippling side effects related to successful phishing attacks.
The reality is this: simulated phishing attacks, on their own, will not teach your users how to confidently navigate the virtual and physical threats that are creating risk in your business.
Silver: Get Interactive
Take a moment to think: How do great athletes become great? Sure, their coaches’ guidance plays a role. But in addition to being told what to do and how to do it, all athletes need to experience…to feel…to act for themselves. They need to learn by doing.
Interactive education is not exclusive to physical pursuits — quite the contrary. In fact, it’s likely you’ve mastered your business skillset the same way. The concept of hands-on training is one of the research-proven Learning Science Principles that are the foundation of our educational approach. We’ve recognized that, whether you’re 5 or 50, and whether you’re being taught at a university or in the workplace, an interactive experience is one that is more likely to stay with you.
It’s important that you recognize the difference between raising awareness (which happens when you tell your users what to do) and providing education (which teaches your users how to act on the things they’ve been told about). Both are important — but it’s the “and” in security awareness and training that drives true behavior change.
Gold: Keep Practicing
As our CTO, Trevor Hawthorn, is fond of saying, you don’t run around the block and call that marathon training. The same principle applies with cybersecurity education: you can’t schedule cybersecurity sessions once a year or send a simulated attack or two and think you’ll be able to effectively manage end-user risk. You wouldn’t run your firewall, antivirus, or spam filter part time. Why do that with your security awareness and training program?
Our unique Continuous Training Methodology set a trend in the industry and has consistently generated double-digit reductions in click rates and malware infections for our customers, with one organization achieving a 90% decline in successful external phishing attacks. Though other providers may try to imitate our approach, they will never have the amount of practice we’ve had at identifying and responding to our customers’ needs and delivering effective, behavior-changing security awareness and training products.
As you consider your goals for your organization’s overall security posture, remember that measurable results are best achieved through thoughtful planning. And as far as end users go, practice makes perfect. That’s the surest way to climb to the top of the podium and garner results that make you the envy of other infosec professionals who make end-user education a part-time pursuit.