There is a reason phishing scams remain popular. Despite the fact that most knowledge workers know the risks of clicking on unknown attachments or links, a significant number of them continue to do it. A recent Harris Interactive survey found that 19 percent of U.S. employees working in an office said they had opened an email at work that they suspected could be a scam – and those were just the ones willing to admit it. Chances are, the actual number is higher.

Despite this, many security professionals focus on technology and treat user training as an afterthought.

"Most people buy first and train later, but that's the wrong approach," said Bill Gardner, an assistant professor who teaches Digital Forensics and Information Assurance at Marshall University and president and principal security consultant of Blackrock Consulting. "A next generation firewall is not going to protect you if a bad guy can get somebody inside to do something for them."
Gardner and Valerie Thomas, a senior security consultant for Securicon, walked attendees at the recent Derbycon conference through how to create an effective information security awareness program. Not surprisingly, much of their advice focused on making security training pervasive and highly accessible to users.

Here are some tips from their presentation:

Get management buy-in. With management, stress the dollars and cents of good security. Emphasize the productivity gains attained by reducing security-related downtime as well as the financial losses that can result from data breaches. As a member of the Derbycon audience pointed out, "You can add at least three zeroes to any financial settlement resulting from a data breach if you can’t show that you had a training program."

Target your security training. Should you offer the same training to the sales people as you do to mailroom workers? No, said Gardner, noting that training should focus on the specific vulnerabilities faced by different users. Sales people, for example, should get more information on mobile security as they are more likely than other employees to use mobile devices and apps for their jobs. And don't forget to train the IT department, he said.

Make it pervasive. Security awareness training shouldn’t be a "once and it's done" exercise. Training should be offered annually, at a minimum, and preferably every quarter. The best approach is to make training continual, Gardner said. So, for example, set up users' desktops so they see a different security message every week. "You want to build a culture around awareness," he said.

Presentation is everything. Thomas described an experience in which the management of a client company was flabbergasted at the standing-room-only crowd Thomas attracted to a security awareness presentation. It wasn't magic, she said. Instead of sending out the usual notice asking employees to attend a mandatory training session, she invited them to a presentation titled "How Hackers Steal Your Personal Information." While she discussed the same security principles always presented during training, she packaged them so they were more interesting and relevant to users. "Marketing people are great at packaging information. Talk to them for tips," she suggested.

Explain why security policies are needed. Even with stories of high-profile data breaches landing in the headlines of mainstream media publications, users may not feel their own data is at risk. You need to illustrate, preferably through examples targeted to the audience, how hackers can use their data and what it could end up costing the company.

Show users specific examples of security no-nos. Instead of just telling users not to click on suspicious attachments or links, show them what "suspicious" looks like. Show slides and "highlight the bad stuff," Thomas said. A video is even better than slides. Again, target these presentations to your users. Gardner has highlighted the dangers of data leakage through metadata for audiences of attorneys, for example, cautioning them to be careful when redlining or tracking changes on documents that could go to opposing counsel.

Make it easy for users to comply with security policies. Thomas advocated the use of password safes, software that automatically generates and stores encrypted passwords. That way, she said, "Users don't need to keep thinking of good passwords or even think about passwords at all." Gardner, on the other hand, does not like password safes. Instead, he advised working with users by "not coming up with policies so complex they can't remember their passwords" and offering a self-service option so they can reset their own passwords if they do forget them. He even tells users it's OK to write down a password – as long as they keep it in their wallets.

Maintain the right attitude. "You are further educating educated people" who unlike you are not experts in security, Gardner said. "Don’t call them stupid."

Use the right metrics to gauge the effectiveness of training. Track help desk tickets for an idea of how well training is working, suggested Gardner. You can expect to see an increase in users reporting concerns about suspicious links, for example. Thomas sends emails with suspicious links to test users' resistance to social engineering scams, both before and after covering the topic in training. The number of users clicking on such links should decline following training. Even better, you may see an increase in users reporting their concerns to security personnel.
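As an added illustration of the before-and-after measurement Thomas describes (example code, not from the article or either presenter), the script below takes constructed results from two simulated-phishing campaigns, computes the click and report rates, and applies a two-proportion z-test, an addition beyond the article, to check that the drop in clicks is larger than chance alone would explain:

```python
"""Before/after metrics for a simulated-phishing exercise."""
from dataclasses import dataclass
from math import erf, sqrt

@dataclass(frozen=True)
class Outcome:
    """One user's result in one simulated-phishing campaign."""
    user: str
    clicked: bool   # followed the suspicious link
    reported: bool  # forwarded the message to security

def rate(outcomes, field):
    """Fraction of users for whom `field` (clicked or reported) is True."""
    return sum(getattr(o, field) for o in outcomes) / len(outcomes)

def one_sided_p_value(k_before, n_before, k_after, n_after):
    """Two-proportion z-test: probability of a decline this large by chance alone.

    Pooled-proportion standard error; returns 1.0 when nothing could have changed."""
    p_before, p_after = k_before / n_before, k_after / n_after
    pooled = (k_before + k_after) / (n_before + n_after)
    se = sqrt(pooled * (1 - pooled) * (1 / n_before + 1 / n_after))
    if se == 0:  # every user did the same thing in both campaigns
        return 1.0
    z = (p_before - p_after) / se
    return 1 - 0.5 * (1 + erf(z / sqrt(2)))  # upper tail of the standard normal

def assess(before, after, alpha=0.05):
    """Click and report rates for both campaigns, plus whether the click decline is significant."""
    clicks_before = sum(o.clicked for o in before)
    clicks_after = sum(o.clicked for o in after)
    p = one_sided_p_value(clicks_before, len(before), clicks_after, len(after))
    return {
        "click_rate_before": rate(before, "clicked"),
        "click_rate_after": rate(after, "clicked"),
        "report_rate_before": rate(before, "reported"),
        "report_rate_after": rate(after, "reported"),
        "click_decline_p_value": p,
        "click_decline_significant": p < alpha,
    }

# Constructed sample data, not real results: the same 20 users in both campaigns.
# Before training 12 of 20 clicked and 2 reported; afterwards 4 clicked and 9 reported.
BEFORE = [Outcome(f"user{i:02d}", clicked=i < 12, reported=i >= 18) for i in range(20)]
AFTER = [Outcome(f"user{i:02d}", clicked=i < 4, reported=i >= 11) for i in range(20)]

if __name__ == "__main__":
    for key, value in assess(BEFORE, AFTER).items():
        print(f"{key}: {value}")
```

With real campaign data, feed `assess` the per-user outcomes exported from the phishing-simulation tool; the report rate rising alongside the click rate falling is the pattern both presenters say to look for.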

Ann All is the editor of eSecurity Planet and Enterprise Apps Today. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.