How do I select a security awareness solution for my business?

“Great security awareness training, that is part of a healthy cyber security culture and that is aimed at encouraging positive security behaviours, is essential. The problem is that awareness-raising training has a history of being dry, dull, technically-focused and ineffective,” Dr. Jessica Barker, Co-CEO of Cygenta, told us in a recent interview.

In order to select the right security awareness solution for your business, you need to think about a number of factors. We’ve talked to several industry professionals to get their insight on the topic.

David Lannin, CTO, Sapphire

Engaging positively with your audience is critical in the success of any security awareness solution. Every individual is different, each having their preferences of learning style, content and pace. The solution you consider should be able to adapt to this, having rich and varied content suited to the right users and groups across your business.

Do not lose sight of how diverse an audience can be and where their areas of expertise lie. Educating a purchasing team on handling financial information online is appropriate, but a generic warning about password usage may be less useful to the security teams.

Test your employees’ awareness and measure their improvement. This provides a full HR/audit trail, and publishing these results over time keeps staff engaged, showing changes in how effective security awareness training has been. Identifying individuals that are more phish-prone helps focus targeted training for those individuals – a weak link in your cyber defenses. Tailored training based on understanding ensures that those who demonstrate an understanding earlier in the process can be exempt from further training.

Ensure that the results are tangible. Be able to demonstrate the security awareness solution is effective and improving the overall security posture of the business.

Lise Lapointe, CEO, Terranova Security

The right security awareness training solution will drive long-term behavioral change among employees to create a culture of security awareness.

There are five key components that must be in place to accomplish this:

  • High quality content: Security training cannot effectively be approached as “one-size-fits-all”. Different formats and lengths of content promote better participation and retention rates.
  • Intuitive phishing simulator: Out-of-the-box phishing scenarios that reflect real-life cyber threats integrated with training for feedback.
  • Multilingual content and platform: Out-of-the-box language support for global security awareness programs.
  • Communication and reinforcement materials: Large libraries of predesigned content and templates for internal campaign promotion and content reinforcement including videos, posters and newsletters.
  • Consultative approach: Security training that is tied to the business’s needs, with offerings including CISO coaching, managed services and content customization.

By choosing the right security awareness training solution, businesses can develop customized, multi-language campaigns that are engaging and informative – and most importantly, successful.

Michael Madon, SVP & GM Security Awareness and Threat Intelligence Products, Mimecast

Human error poses one of the biggest risks to any organization. Yet, many organizations are conducting cyber awareness training quarterly or even less frequently – which is simply not enough. Mimecast recently surveyed 1,025 IT decision makers and found that 21% of respondents offer training on a monthly basis – a timeframe experts consider the gold standard.

The goal of any security awareness program should be to change employees’ perception of cybersecurity – helping them understand that it is not an inconvenience, but something that can help them be more effective in their jobs. But effectively educating employees on email and web security cannot be achieved through one-off training sessions or siloed events that involve non-interactive materials like sterile corporate videos and mass-produced pamphlets.

When identifying a security awareness solution, organizations should look for the following:

  • Humor – Not many people absorb information when it’s given in a format that is stale and boring. Humor captures people’s attention and is the best way to engage. Look for a solution that includes humor to communicate important information in a highly relatable way.
  • Short and frequent content – Offering a regular cadence of concise trainings is a great way to ingrain cybersecurity best practices into employees’ day-to-day activities. Training sessions should be delivered monthly and be only 5 minutes or less.
  • Risk scoring – Risk scoring capabilities can help identify employees who are most at risk for attack and can help focus increased time and resources on specific individuals.

Lance Spitzner, Certified Instructor, SANS Institute

Security awareness is ultimately a control to help ensure your organization is not only compliant, but you are effectively managing and measuring your human risk. As such, you need a solution that was developed by experts who understand risk and know both what risks and which behaviors to focus on.

These decisions should be driven by data based on today’s latest threats, technologies and incident drivers. If you are focusing on the wrong behaviors, not only are you wasting your organization’s time, but you could actually be increasing the risk to your organization, such as by requiring people to regularly change their passwords.

Other key factors include how often the content is updated and how people will relate to it. As technology, threats and organizations change so do risks. Your training should reflect that change. The other element is ensuring the training is a good fit for your organization and your culture. For example, if you have an outgoing organization that loves humor, then use humorous training. But if you have a large, diverse or more conservative organization, you will want training that adapts well to that environment.

Inge Wetzer, Social Psychologist Cybersecurity & Compliance, Secura

First of all, go one step back! Ask yourself the question: what exactly do you want to achieve? Looking for an awareness solution implies that your goal would be that all your employees are aware of the security risks and that they know what they should do. Your focus is: knowledge. However, a gap exists between knowing what you should do and actual behavior. Many people are aware that they should actually lock their computer screens, but many people still don’t behave accordingly.

Would you be happy if all employees in your organization pass an awareness test? What does this tell you about their actual behavior? So, you may not be looking for a security awareness solution, but for a security behavior solution?

Psychology teaches us that behavior is defined by more than knowledge: our actions are also driven by personal factors such as our motivation and past experience. In addition, organizational factors such as context and culture also define behavior. For effective behavioral change, all aspects of behavior should be addressed. Moreover, the attention to these factors should be recurrent to keep the topic top of mind. So, look for a continuous program that focuses on safe behavior as the end goal by paying attention to its three determinants: knowledge, personal factors and organizational factors.

How can we harness human bias to have a more positive impact on cybersecurity awareness?

Dr. Jessica Barker, Co-CEO of Cygenta, follows her passion of positively influencing cybersecurity awareness, behaviours and culture in organisations around the world.

Dr. Barker will be speaking about the psychology of fear and cybersecurity at RSA Conference 2020, and in this interview she discusses the human nature of cybersecurity.

What are some of the most important things you’ve learned over time when it comes to security culture? How important is it and why?

A positive and robust security culture is absolutely fundamental to the overall security maturity of an organisation. An organisation’s culture sets the tone for what is normal and accepted; it’s not what is written in a policy, it is what influences how people actually behave. From a security point of view, this is absolutely crucial and extremely influential.

Different cultures will influence whether people do what they should when it comes to security, for example a culture in which leadership demonstrate a strong commitment to, and respect for, security is much more likely to result in positive security behaviours than one in which leadership are dismissive of security.

The phenomenon of social proof, in which people model their behaviour on how others act (especially those in positions of authority or those they particularly admire), means that the role of leadership in security culture is vital. People in an organisation look to those in leadership to see how they should behave.

If leaders are seen to follow security policies and good practices, such as wearing identity badges and challenging tailgating, then others throughout the organisation are more likely to follow suit. A culture of fear in an organisation is very destructive. If people feel they are going to be blamed for clicking a link in an email they then suspect was phishing, for example, they are less likely to report such incidents when they happen. A culture of fear does not reduce the number of incidents, it just drives them underground and reduces the likelihood of people reporting those incidents.

When someone mentions security awareness training, there’s always a big split – some say it’s essential, others claim it’s a waste of money. What’s your take on this? Does it depend on the type of training?

Great security awareness training, that is part of a healthy cyber security culture and that is aimed at encouraging positive security behaviours, is essential. The problem is that awareness-raising training has a history of being dry, dull, technically-focused and ineffective. That is not engaging and not only will such awareness-raising fail to make a positive difference, it is actually likely to have a negative impact. Too often training has been designed by people with technical expertise who may know what they want to say, but not how best to deliver it or indeed what messaging is going to be most relevant and effective for the people they are communicating with.

For awareness training to be effective, it needs to be relevant to the people it is aimed at, it needs to be engaging, interesting and it needs to feel useful. Talking with people about security in their personal lives, for example, can be really powerful because it is something that everyone can relate to and when people engage with the content in relation to their home lives, they absorb it in terms of their working lives, too.

Awareness-raising that feels like an experience, for example a table top exercise or a live demonstration of a hack, is memorable and fun – people go away from experiences telling their colleagues, friends and family about them, which has a positive ripple effect. Using emotion in a constructive way is really powerful, for example by telling stories. I say “constructive” because it is most important that awareness-raising is empowering, and this is something that is overlooked way too often.

Eliciting fear has been one of the most used marketing strategies in the cybersecurity industry since its inception. Can scaring employees actually make an organization more secure?

Using fear, uncertainty and doubt (FUD) is generally a classic example of awareness-raising that engages with emotion in a destructive way. When we deliver cyber security awareness, we are often talking about the threats, which inevitably will scare a lot of people, so we need to be really responsible in how we do that.

Unfortunately, people often use fear as a blunt instrument, without an understanding of the effect it has. For years, sociologists and psychologists have been studying fear, and what happens when we talk about something scary as a means of promoting behavioural change. My keynote at RSA Conference 2020 will cover some of this work and the lessons we can learn in cyber security.

What’s your take on how many CISOs prefer to spend money on technology instead of educating employees? Can they really solve their security problems with tech purchases?

It’s been encouraging to see, in recent years, that more and more CISOs and security teams understand that security can’t be solved with technology alone. I understand the tendency to want to “fix” security with a piece of shiny kit, because if that worked it would be simple and very comforting. Unfortunately, security is not simply about technology, it’s about how people engage with technology, and for this we need to focus on people at least as much as we focus on tech.

What are the biggest misconceptions about security culture and what can security leaders do in order to make sure their employees are more security conscious?

One of the biggest misconceptions about security culture is the belief that it can’t be measured and tracked, in the way that other elements of security are. This is something I have been working on for my whole career in security: there are very effective ways to measure security culture and there are lots of metrics you can use to check progress. More so, it’s really important that leaders put these in place. When awareness-raising is not part of a strategy and there are no metrics to see if it is having the desired impact, it is usually not very effective. How can you know if something is working if you don’t have any ways of measuring success?