Computerworld

Interactive approaches to security awareness training pay for themselves

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Sophisticated new attacks that target security-challenged end users are evolving so rapidly that technology, security policies and procedures alone cannot protect critical company assets and data. Recent research from Deloitte found that 70% of the companies surveyed considered employee mistakes a major threat, and cited lack of security awareness as a major vulnerability.

Because attacks that exploit an employee's lapse in judgment are not stopped by even the best network defense systems, companies can only limit the risk by fostering a people-centric security culture that evolves as the threat landscape changes. To succeed, a training program must consistently inform employees about the latest threats, how they can keep an attack from succeeding, and why their role in security is vital to the company's health.


This cannot be achieved through a once-a-year event built on tired classroom or video sessions. Changing employee behavior that favors convenience and efficiency over security is a significant challenge, and it takes much more than an annual fire-hose treatment of awareness material.

Chris Christiansen, program vice president for IDC's Security Products and Services Group, notes that threats are evolving at a rapid pace as employee adoption of mobile computing and social networking has skyrocketed. He adds that, "The old once-a-year 'check box' approach to security training cannot keep pace. It is time for employees to understand the importance of security policies and learn how to put them into practice."

Gaining employee participation in security awareness programs may seem an insurmountable obstacle, but a new breed of interactive security assessment and awareness training software can significantly increase participation, deliver measurable improvement in security knowledge and behavior, and often lower overall cost.

Security officers who retire the old PowerPoint training presentation in favor of security assessment and training software are seeing positive results, including reductions of up to 70% in susceptibility to employee-targeted attacks, which translates into fewer breaches and lower remediation costs.

If you are ready to give people-centric security a chance, here are some key education tactics that help support a successful security awareness program:

* Prioritize and focus -- Successful security training is a process, not a one-time event. Training solutions that include analytics let an organization assess its human risk factors across multiple attack vectors (email, mobile devices, social networking and passwords) and build a customized program that addresses the most prevalent or riskiest employee behaviors first. The best results come from setting realistic goals: modify two or three risky behaviors at a time, and add new training modules to cover further risks as progress is made.

* Make it digestible -- Effective security training is about quality, not quantity. It is better received when it is woven into the daily work routine, using learning science principles to build incremental success from teachable moments. In as little as 10 minutes, an interactive training session can measurably reduce an employee's susceptibility to attack. With administrative tools that let security managers schedule and deploy training modules or mock cyberattacks, training can be delivered in the context in which a person is most likely to be attacked. When an employee falls for a simulated attack, a quick on-the-spot training session helps them understand the risk and learn how to avoid similar attacks in the future.

* Keep them coming back for more -- As the mobile app explosion demonstrates, people love games and engaging formats, and the best security training solutions use that to their advantage. With interactive elements, simulated environments, games featuring memorable characters and engaging scenarios, employees actually look forward to training. This approach lets employees pace their own learning, practice concepts in multiple contexts and master skills through repetition. When an employee responds (by identifying a phishing message, creating a password or performing another essential security behavior), the solution gives feedback on whether the answer was right or wrong. Over time, active involvement in the learning process makes employees feel more invested, which ultimately translates into better understanding and lower risk.

* Measure the results -- Security training platforms collect user data so that administrators can monitor completion of training assignments, assess individual employee performance, and measure improvement in people's behavior and awareness across the entire organization. Armed with in-depth training intelligence and easy-to-read reports, security officers can track compliance, measure the effectiveness of the awareness program and demonstrate a positive return on the investment.

* Continue to adapt -- As long as security breaches yield financial or political gains for perpetrators, attacks will continue to proliferate. Security awareness training programs must be designed to address the current spectrum of email, mobile device, social networking and password related attacks, as well as keep pace with evolving threats. Cloud-based training platforms that feature a wide array of modules and offer new releases in response to shifting attack trends can help security officers create flexible and sustainable security awareness programs.
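The "Prioritize and focus" and "Measure the results" tactics above come down to the same thing: treat every mock attack delivered to an employee as a data point and compute rates from it. The following is an added example, not code from the original article or from Wombat, showing how a security officer could score simulated-attack results to pick the two or three riskiest behaviors to train on first, find employees who keep falling for lures and need an on-the-spot session, and report the relative reduction in susceptibility between a baseline cycle and a later one. The record layout, the field names and the sample rows are assumptions constructed for this example.

```python
"""Scoring mock-attack results to prioritize and measure awareness training.

Added example, not Wombat's or any vendor's code. The record layout (one row
per simulated attack delivered to one employee) and the field names are
assumptions; the sample rows are constructed, not real campaign data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    campaign: str   # training cycle the mock attack belonged to, e.g. "Q1"
    vector: str     # "email", "sms", "social" or "password"
    user: str
    dept: str
    fell_for: bool  # clicked the lure, entered credentials, installed the app...
    reported: bool  # employee reported the lure to security


# Constructed sample data: Q1 is the baseline cycle, Q3 is after two rounds of
# training. These are not real results.
SAMPLE = [SimResult(*row) for row in [
    ("Q1", "email", "alice", "finance", True, False),
    ("Q1", "email", "bob", "finance", True, False),
    ("Q1", "email", "carol", "eng", False, True),
    ("Q1", "email", "dave", "eng", True, False),
    ("Q1", "social", "alice", "finance", True, False),
    ("Q1", "social", "carol", "eng", True, False),
    ("Q1", "social", "dave", "eng", False, False),
    ("Q1", "sms", "bob", "finance", True, False),
    ("Q1", "sms", "erin", "ops", False, True),
    ("Q1", "password", "erin", "ops", False, False),
    ("Q3", "email", "alice", "finance", True, False),
    ("Q3", "email", "bob", "finance", False, True),
    ("Q3", "email", "carol", "eng", False, True),
    ("Q3", "email", "dave", "eng", False, True),
    ("Q3", "social", "bob", "finance", True, False),
    ("Q3", "social", "carol", "eng", False, True),
    ("Q3", "social", "dave", "eng", False, False),
    ("Q3", "sms", "alice", "finance", False, True),
    ("Q3", "sms", "erin", "ops", False, True),
    ("Q3", "password", "erin", "ops", False, False),
]]


def _select(results, campaign):
    """Rows for one cycle, or all rows when campaign is None."""
    return [r for r in results if campaign is None or r.campaign == campaign]


def _rate(rows, pred):
    """Fraction of rows satisfying pred; 0.0 for an empty cycle rather than a crash."""
    rows = list(rows)
    return sum(1 for r in rows if pred(r)) / len(rows) if rows else 0.0


def susceptibility(results, campaign=None):
    """Share of delivered mock attacks the workforce fell for."""
    return _rate(_select(results, campaign), lambda r: r.fell_for)


def report_rate(results, campaign=None):
    """Share of mock attacks an employee reported: the behavior you want to grow."""
    return _rate(_select(results, campaign), lambda r: r.reported)


def breakdown(results, field, campaign=None):
    """Susceptibility per group, e.g. field="vector" or field="dept"."""
    groups = defaultdict(list)
    for r in _select(results, campaign):
        groups[getattr(r, field)].append(r)
    return {k: _rate(v, lambda r: r.fell_for) for k, v in groups.items()}


def priorities(results, campaign, top_n=3):
    """Riskiest attack vectors first: the two or three behaviors to train on now."""
    rates = breakdown(results, "vector", campaign)
    return sorted(rates.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]


def repeat_offenders(results, min_falls=2):
    """Employees who fell for at least min_falls lures across all cycles."""
    counts = Counter(r.user for r in results if r.fell_for)
    hits = [(u, n) for u, n in counts.items() if n >= min_falls]
    return sorted(hits, key=lambda un: (-un[1], un[0]))


def improvement(results, before, after):
    """Relative drop in susceptibility between two cycles (0.7 means a 70% reduction).
    Returns None when the baseline is zero so that a clean baseline is not
    reported as infinite improvement."""
    base = susceptibility(results, before)
    if base == 0:
        return None
    return 1 - susceptibility(results, after) / base


if __name__ == "__main__":
    print("Q1 susceptibility:", susceptibility(SAMPLE, "Q1"))
    print("Q1 priorities:", priorities(SAMPLE, "Q1"))
    print("Q1 by department:", breakdown(SAMPLE, "dept", "Q1"))
    print("repeat offenders (3+ falls):", repeat_offenders(SAMPLE, 3))
    print("Q3 report rate:", report_rate(SAMPLE, "Q3"))
    print("Q1 to Q3 improvement:", improvement(SAMPLE, "Q1", "Q3"))
```

Two details matter in practice. Ties in the vector ranking are broken by name so the priority list is stable between runs, and a zero baseline returns `None` instead of dividing by zero. Track the report rate alongside susceptibility: a falling click rate with a flat report rate means employees are ignoring lures, not yet catching them.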

While no risk factor can ever be entirely eliminated, companies that adopt interactive approaches to security awareness training are finding that the payoff is worth the investment. As employees learn to identify and report attacks, they become an invaluable part of the company's security posture.

Wombat Security Technologies, a spinout from Carnegie Mellon University, helps organizations combat cybersecurity threats with uniquely effective software-based training solutions. Wombat offers fully automated, highly scalable software-based training solutions, built on learning science principles. For more information visit www.wombatsecurity.com or email info@wombatsecurity.com.
