2024 Training Schedule Available
Every year, billions are being spent globally on security awareness training. Yet, close to 60% of all the breaches we see are directly related to an employee taking an insecure action that leads to that breach. (ie. Clicking a link, giving out credentials, allowing 2FA Bypass) One report said that in the next two years companies will be spending $10 Billion (yes with a B) on security awareness training per year globally.
I am not sure about you, but if I am spending $10 on something I want it to be effective, let alone $10 billon! This is yet another area where spending more does not mean we are seeing the results we want.
The other day I started to think about this problem, and I came up with a small list of reasons why I have seen security awareness training just be ineffective and even a waste of time and money.
Let’s go through each one together.
How many of you by a show of hands have seen one of these phrases in your security awareness training
You get the gist. Ok you can put your hands down, I get it, you have seen them all. Maybe some of you are even asking, yah, so what?
Tell me in one sentence, how do I tell Nancy from HR what a bad link is? How can I describe to Julio from accounting what a dangerous email looks like? How can I tell Ruth from the call center what a suspicious call sounds like? And how do I tell Ryan from the C-level what “all suspicious activity” looks like? You can’t, and that is the problem when your training is vague.
One of my star employees is in the hospital right now. It is a pretty serious matter, and she needed some urgent care. After surgery she was in recovery, and she called me to tell me this story. Her nurse came in to change an IV and take care of her. She rolled the laptop up to look at her charts and started to ask my employee how she felt. When all of a sudden on the screen came up her “Mandatory Security Training”.
WOW – are you kidding? While she was in the room caring for a patient, not during down time or office time, her mandatory training came up. What did this nurse do? She moved the timer to the end, clicked “next” “next” “next” “submit,” and BAM! “Thank you for completing your security training.”
Not only did this hospital force training at literally the worst time on earth, but then they allowed the nurse to bypass without any effort. Not only was this training inconvenient, but it was just plain lazily instituted.
You might be thinking, “Well there will never be a convenient time to roll out training!” Sure, there is never the perfect time. But should it be rolled out 30 mins before the weekend break? How about during patient care? Or when the customer pulls up to your teller window? Or when you have a manufacturing deadline due right before a holiday break? A little critical thinking can help alleviate this problem.
Ok, granted – security awareness training is not a blockbuster movie or hit TV show. And yes, you are never going to please everyone. But I have witnessed security awareness training that almost makes fun of the attacks your people are experiencing. I have seen training that uses scenarios that are not relatable to the team or your business. I have seen training that is so outdated the technology in the video doesn’t even exist today. And yes, I have seen training that doesn’t even use the industry standard terms because someone in the company doesn’t “like them”.
When my kids were young, I read this psychology book on parenting, and it made a point that stuck with me to this day. Using funny, code words with my kids for blankets, milk, food, the bathroom, etc. may seem cute when they are small. Then one day they go to school and ask the teacher, “I drank too much moomoo sitting on my beebeeba and now I have to go tinkleytink in the poopa.” Let’s bring that same lesson to our companies. Imagine that you don’t like the word “vishing,” which is the word found in the oxford dictionary for phone phishing. So, you want to call it “Telephone Attacker Phishing.” Now, your people go on the internet to look up information about this, what will they find? Not much.
Basing your training on realistic attacks and correct terminology while also keeping it short and sweet will make the maximum effective change.
Okay, so you are reading this and saying, “well great, this is basically my whole set up, now what?” Here are a few things you can do to fix the problem or at least start heading in the right direction.
You can’t just do the opposite of everything above and find success. You can’t tell Nancy, or Julio or Ruth to start doing look ups and domain scans. Making it too complicated, too hardcore, or too accommodating, won’t help you or your people remain secure. Think about how you can implement these ideas:
This is not an exhaustive list, but one that I hope will spark some conversation and discussion to help you improve your security awareness.
Here at Social-Engineer, LLC we only use fully trained and certified humans (yep, no robo dialers, silly templates, or canned scripts) to conduct all our real-world training. We work with each client to ensure that we are using scenarios that will hit home and affect your people the right way. We ensure the messaging is clear about reporting. And most of all, we follow the motto, “Leave them feeling better for having met you.” This is implemented by looking for ways to reward those who take the right action and training those who do not.
To see the effect of how this type of model works, reach out and talk to us. Or download one of our case studies that outlines some of the amazing success we have had in these programs with our clients.
Till next time, stay safe.
Chris Hadnagy
Image:
Photo by Magnet.me on Unsplash
In the rapidly evolving digital landscape, no entity is immune to the pervasive threat of cyberattacks. The security breach at MGM Resorts highlights the vulnerability of even massive organizations. As
SMiShing Attacks in the News In February 2024, 19.2 billion spam texts bombarded U.S citizens according to a recent report. As annoying as spam texts are, they are not always
