Security awareness training: Bridging the technology and people divide
The threat landscape has shifted dramatically in the past few years. Attackers increasingly target people rather than infrastructure, because a convincing email is cheaper and more reliable than a working exploit.
The 2019 Verizon Data Breach Investigations Report found that 94% of malware was delivered by email, that is, through attacks aimed at a person who has to open something. As a result, IT and InfoSec departments have had to rethink their security posture around the people who receive those messages, not just the systems that relay them.
So if people are now at the center of almost every sophisticated attack and subsequent breach, how do we tackle the people problem? Here’s a look at three areas to consider.
1. Understand the difference between technical controls and people controls
Controls like email and web security gateways are extremely important for reducing people-centric risk because they stop most attacks before they ever reach end users. InfoSec and IT departments are used to implementing these kinds of technical controls.
But when an attack does get through, the end user is your last line of defense. This is where a security awareness program comes in. By giving end users regular, relevant training, you strengthen that last line of defense and reduce the chance that the one message the filters missed turns into a breach.
Here are some other differences between technical and people controls to consider.
Technical controls follow rules, people follow instincts
Every day people face hundreds of emails, thousands of ads, and countless other messages they have to judge in seconds. A technical control is configured once with what to allow and what to block, and it applies that rule the same way every time.
Humans require a different approach. They need ongoing reinforcement so that the right instincts kick in when they triage all of those messages.
Technical controls don’t have feelings or external factors, people do
A large portion of your workforce might be having a bad day at work, dealing with a personal matter at home, or coping with some other external factor that affects their state of mind. A significant share of employees are disengaged and may be actively looking for another job. Technical controls can have outages or errors, but they don't have bad days or think about quitting.
Technical controls can be perfect, people can’t be
You can tune a workflow or a piece of software to do what you need 100% of the time. But no matter how often you train or remind users to be wary of threats, you will never reach a "perfect" security awareness score. A sustained 0% click rate on simulated phishing is effectively unattainable, and users will never understand every cybersecurity threat completely. You will always have gaps, and that's OK; the goal is to shrink them and to make sure the clicks that do happen get reported quickly.
2. Get strategic and work with human nature, not against it
Running a security awareness program requires a different mindset. You can't give a presentation once a year and expect everyone to absorb it, understand it, and change their behavior on the strength of one activity. Security awareness is an ongoing process.
Here are some key strategies for successful security awareness.
Use multiple channels with a tailored message
Your organization likely has its own culture and a style of messaging that resonates with your users. Rather than relying on an "off-the-shelf" program, give yours a theme and customize some of the materials. This is a great way to improve relevance.
Repeat your message across multiple channels (training, in-person events, collateral around the office, etc.). Repetition is what keeps security top of mind between formal training sessions.
Make it personal
Aside from the core topics your program has to cover, make sure you answer the question every employee is silently asking: "What's in it for me?"
Remind them that the same skills protect them personally against identity theft, online account compromise, and even fraudulent wire transfers. Weaving these benefits into your program sends a clear message that it's about protecting them, not just the organization.
Empathize and connect with end users
In security awareness, your end users are your customers, so make the program about them.
Ask them which cybersecurity topics they'd like to learn about and solicit their feedback on your initiatives. Show them you value the time they spend on security awareness. Balance the carrot and the stick, and meet users wherever they are to help them learn.
We've worked with customers whose CISO sits down with users who repeatedly fall for simulated phishing attacks or fail to complete training. They do this not to punish them, but to get employee feedback and emphasize the importance of their security awareness program.
3. Turn your people into members of the IT security team
If you've trained your end users to spot and report phishing attacks, your last line of defense becomes a huge benefit to your organization. Every reported email is a signal the security team can act on, so these users effectively become part of the IT security team, flipping the script on the "people problem" narrative that has plagued IT and InfoSec for years.
As an administrator, you can reward users who consistently report malicious emails. The result: security initiatives go from a tedious process to a friendly contest that reduces your overall people-centric risk.
About the author
Mike Bailey is the Senior Product Marketing Manager for Proofpoint. He has worked in the B2B software technology sector for over eight years and in cybersecurity for more than five years. When he joined Proofpoint in 2014 as its lone digital marketer, he worked to drive the growth that made Proofpoint Security Awareness Training a market leader.