June 14, 2019 • The Recorded Future Team
Ever heard the phrase “everything old is new again”? That’s kind of how it is with security awareness.
A few years ago, you could hardly move in the security industry without bumping into a handful of experts claiming security awareness training (SAT) for end users was a waste of time. But now? Type “security awareness training” into Google and you’ll be inundated with paid ads and page after page of organic search results from security vendors.
So what gives? Is SAT just a fad that rears its head every few years before being cast back into the abyss? Or is there some genuine value in it for security-conscious organizations?
It’s a sad fact, but SAT programs are often dreaded by end users. The sessions are usually long and tedious, and users understandably view them as a distraction from their work.
Despite this, there are at least two fantastic reasons to maintain a strong SAT program:
1. People are the biggest threat to network security.
To an outsider, it’s easy to imagine that network breaches are the work of cutting-edge hacking groups. In reality, a huge proportion of breaches are initiated using very low-tech attack vectors like phishing and social engineering. By tricking an end user into revealing their login credentials or opening a malicious attachment, attackers can gain a foothold inside target networks that would otherwise be very difficult to breach.
And it’s not just targeted attacks you have to worry about. End users rarely take basic security precautions, and often act in extremely risky ways:
These behaviors can easily lead (or contribute) to serious network and data breaches. Security awareness training prepares users for common cyber threats and helps them understand the importance of basic security precautions.
2. Technical controls are never 100% effective.
In an ideal world, security programs would protect end users from all cyber threats and allow them to act rashly without endangering the organization. Sadly, we don’t live in an ideal world.
Which is not to say security technologies aren’t essential — of course they are, they just aren’t 100% effective.
No matter how much you spend on security, some malicious emails, files, websites, and even phone calls will always make it through. When this happens, the fate of the organization lies in the hands of the end user.
SAT programs can arm end users with the skills they need to mitigate common cyber threats. To help get you started, here are five tips for building an SAT program that can improve your organization’s risk profile.
One of the worst aspects of “old-school” SAT programs is the format: long, dry, infrequent training sessions, typically held in the hottest, dingiest room available. Extra marks if yours are held in the basement.
Even worse, however, is the content. SAT programs are often purely for compliance purposes, and designed only to fulfill the requirements of HIPAA, PCI DSS, or some other industry standard.
Not only does this format alienate end users, but it’s also useless from a learning perspective. Each session includes far more information than can be taken in at once, and sessions are too infrequent for any noticeable knowledge retention. Even if (by some miracle) users do remember something, it likely has no relevance to their day-to-day work.
The solution is simple: Replace traditional training with short, frequent, actionable sessions that cover common security threats. Online training sessions are ideal because they are minimally disruptive, but in-person training can work as long as it’s sufficiently short, frequent, and interesting.
Even if you make training sessions interesting, the content will be quickly forgotten if users aren’t given a chance to use what they learn. Skills testing is a simple way to improve retention of key security concepts and maximize the impact of your SAT program.
Requiring users to take short, regular online tests is the most obvious option, and it certainly has its merits — it’s convenient for users, easy to set up, and there are plenty of vendors offering ready-made testing platforms.
Perhaps even more valuable, however, are simulated attacks. These “in the wild” testing methods catch end users as they go about their normal daily business and attempt to determine how security-savvy they really are.
Phishing simulation programs are a common example of this approach. At regular intervals (usually monthly), end users are sent a realistic phishing email that contains a “malicious” link, attachment, or instruction. If a user identifies the email as malicious and reports it to their security team, they pass the simulation. If they are fooled into opening and actioning the email, they fail and are prompted to watch a short follow-up training video.
This approach — which can be adapted to any common security threat vector — is highly effective because it prompts users to be more security conscious on a day-to-day basis, rather than during unnatural test conditions.
Building the foundation of a strong SAT program is half the battle. The other half lies in tracking the success of your program and using the information you gather to continually refine and improve your methods.
Tracking SAT program outcomes isn’t always the easiest thing to do, but it can be done. The results of your earliest user tests are your baseline — any improvements from this point are evidence that your program is having a measurable impact on cyber risk. If you aren’t seeing improvements in one or more areas, you’ll need to tweak your training methods and content accordingly.
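To make the baseline-and-trend idea concrete, here is an added example (not code from the original post or from Recorded Future) that scores several rounds of the phishing simulation described above: a click is a fail, a report without a click is a pass, the earliest campaign is the baseline, and users who fail repeatedly are singled out for follow-up training. The campaign labels, user names and outcomes are constructed sample data.

```python
"""Scorecard for a recurring phishing-simulation program (added example;
all campaign labels, user names and outcomes are constructed sample data)."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    """One user's outcome in one simulated phishing campaign."""
    campaign: str   # label that sorts chronologically, e.g. "2019-01"
    user: str
    clicked: bool   # followed the link, opened the attachment or acted on it
    reported: bool  # reported the email to the security team


# Constructed sample data: three monthly rounds for four users.
RESULTS = [
    SimResult("2019-01", "alice", clicked=True,  reported=False),
    SimResult("2019-01", "bob",   clicked=True,  reported=False),
    SimResult("2019-01", "carol", clicked=False, reported=True),
    SimResult("2019-01", "dave",  clicked=False, reported=False),
    SimResult("2019-02", "alice", clicked=True,  reported=False),
    SimResult("2019-02", "bob",   clicked=False, reported=True),
    SimResult("2019-02", "carol", clicked=False, reported=True),
    SimResult("2019-02", "dave",  clicked=False, reported=False),
    SimResult("2019-03", "alice", clicked=False, reported=True),
    SimResult("2019-03", "bob",   clicked=False, reported=True),
    SimResult("2019-03", "carol", clicked=False, reported=True),
    SimResult("2019-03", "dave",  clicked=True,  reported=True),
]


def outcome(r: SimResult) -> str:
    """Pass/fail rule: a click is a fail even if the user reported afterwards;
    a report without a click is a pass; doing nothing is neither."""
    if r.clicked:
        return "fail"
    if r.reported:
        return "pass"
    return "no_action"


def campaign_metrics(results):
    """Per-campaign click rate and report (pass) rate as fractions of recipients."""
    by_campaign = defaultdict(list)
    for r in results:
        by_campaign[r.campaign].append(r)
    metrics = {}
    for campaign, rows in by_campaign.items():
        outcomes = Counter(outcome(r) for r in rows)
        n = len(rows)
        metrics[campaign] = {
            "recipients": n,
            "click_rate": outcomes["fail"] / n,
            "report_rate": outcomes["pass"] / n,
        }
    return metrics


def change_vs_baseline(metrics, baseline=None):
    """Difference of each later campaign from the baseline (earliest by default).
    A falling click rate and a rising report rate are the improvements to look for."""
    ordered = sorted(metrics)
    baseline = baseline or ordered[0]
    base = metrics[baseline]
    return {
        c: {
            "click_rate": metrics[c]["click_rate"] - base["click_rate"],
            "report_rate": metrics[c]["report_rate"] - base["report_rate"],
        }
        for c in ordered
        if c != baseline
    }


def repeat_clickers(results, threshold=2):
    """Users who failed in at least `threshold` campaigns: candidates for
    targeted follow-up training rather than a one-off mistake."""
    fails = Counter(r.user for r in results if outcome(r) == "fail")
    return sorted(u for u, n in fails.items() if n >= threshold)


def scorecard(results):
    """Summary lines for a program review."""
    metrics = campaign_metrics(results)
    deltas = change_vs_baseline(metrics)
    lines = []
    for c in sorted(metrics):
        m = metrics[c]
        line = f"{c}: click {m['click_rate']:.0%}, report {m['report_rate']:.0%} (n={m['recipients']})"
        if c in deltas:
            line += f"  click {deltas[c]['click_rate']:+.0%} vs baseline"
        lines.append(line)
    lines.append("repeat clickers: " + (", ".join(repeat_clickers(results)) or "none"))
    return lines


if __name__ == "__main__":
    print("\n".join(scorecard(RESULTS)))
```

The click-rate delta is the headline number for the baseline comparison the text describes; the report rate is worth tracking alongside it, because a program that only lowers clicks without raising reports is teaching people to ignore suspicious mail rather than to hand it to the security team.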
Asking for feedback from users is also essential. You won’t always like what you hear, but honest feedback is essential to ensure that you’re maximizing the quality of your training while minimizing the disruption to end users.
How can you make sure your program covers the most important real-world threats? By incorporating lessons learned from your threat intelligence program.
Threat intelligence helps organizations identify their top threats, many of which likely target end users. It only makes sense, then, to incorporate this intelligence into your training and testing regimen.
If phishing is identified as a major threat to your organization, it would be sensible to include genuine phishing samples. Equally, it might make sense to include real samples of malvertising, social-engineering campaigns, and malicious websites if those vectors are identified as a genuine threat.
There are many excellent reasons to build and maintain a strong SAT program, but training is not a panacea — you still have to invest heavily in the appropriate security controls, and take security out of the hands of end users wherever possible — they have day jobs to do, after all.
How do you know where to draw the line? Here’s a simple distinction you can make: If you can completely negate a security threat without the need for training, do it. If you can’t, do the best you can with security controls, and bridge the gap with SAT.
You can spend as much time as you like telling users not to leave company laptops on the train, or on the passenger seat of their car. They’ll still do it. It’s far better to simply encrypt all company devices as standard and accept that accidents happen.
Having a strong SAT program isn’t an excuse for poor security hygiene. Users should be given the minimum network access needed to perform their roles. Networks should be segmented to limit damage in the event of a breach. Simply put, you shouldn’t be asking your users to make up for the limitations of your security program. You should be equipping them to handle threats that can’t be mitigated using technology.
SAT isn’t something you invest in for a “quick win.” Yes, you probably will see good results early on in your program, but those improvements will quickly disappear if you don’t continue to follow through with strong training content and testing initiatives.
If you’re serious about minimizing cyber risk, SAT is something you’ll need to take seriously over a period of years. If you do this consistently — and continually refine your program by tracking outcomes and user feedback — SAT can have a significant impact on your organization’s level of cyber risk.