From security awareness training essentials to deployment strategies, here are some key takeaways.

On May 5th, Terranova Security hosted the Security Awareness Virtual Summit 2020 edition. Sponsored by Microsoft, it featured informative presentations on a variety of security awareness topics, a panel discussion with industry experts, and even an in-depth security awareness training demo.

The event came at a time when cyber security knowledge had become a major priority for many entrepreneurs and business professionals. Social distancing measures related to the COVID-19 pandemic have put the security awareness acumen of employees under the microscope, especially for executives who had previously treated this kind of training as a “nice-to-have” instead of a “must-have.”

From organizational awareness essentials to training deployment methods, the event’s lineup of cyber security experts had plenty to teach everyone who attended.

Here are some of the biggest takeaways:

1. COVID-19 Has Been a Security Awareness Eye-Opener

Before the COVID-19 pandemic, working from home was a luxury enjoyed by only a fraction of the North American workforce. Now, things are much different.

A new study by Global Workplace Analytics estimates that at least 25% of professionals in the U.S. could be working remotely multiple days a week as far out as 2021. This means that individual cyber security awareness levels will continue to come under more scrutiny than ever before.

Brian Reed, Senior Director and Analyst at Gartner, urged Virtual Summit attendees not to “waste a crisis” when it comes to adopting cyber security training measures. “We’ve been forced to educate people who may not be as familiar with working from home,” he added.

COVID-19 caught many organizations by surprise and injected varying degrees of chaos as they adapted cyber security norms for remote work environments. Reed hoped that businesses of all sizes will learn from the experience and put more effort into building an atmosphere of shared security awareness accountability.

For more insights on working remotely, check out the Cyber Security Tips and Advice for Remote Workers blog post.

2. The Key to Securing Security Awareness Training Buy-In from Executives

Attaining that sense of shared accountability is about more than one person or group’s understanding of the importance of cyber security – an organization’s executives must buy into this concept as well.

However, this task can be easier said than done. It requires strong justification and negotiation skills to demonstrate to executives how detailed security awareness training across all departments can positively impact their bottom line, instead of simply eating away at potentially limited resources.

Reed recommended taking the following steps to gain support for a cyber security training program:

  1. Make clear connections between security requirements and business objectives. Use clear, concise messaging to highlight the inherent value of security awareness while also actively listening to the concerns of others.
  2. Provide specific examples of security awareness leading to better business outcomes. These can include insight gleaned from internal reporting or major reports on industry findings and current events.
  3. Use data to present security in a risk management light, rather than threat-centric. Numbers linked directly to employee and/or financial importance will add context to your pitch and help you strengthen your internal support.

Reed also explained that it’s important to “speak the language of the business” when communicating the benefits of security awareness training. Bridging that gap in mutual understanding is fundamental to a successful program.

3. Simulated Phishing Attacks are Essential Awareness Tools

Most cyber security initiatives focus on technological solutions to digital threats. However, according to a 2019 Gartner Report, insecure employee behavior remains a “top cause” of cyber-breaches and regulatory violations.

Organizations that already run security awareness training without any simulation component are still vulnerable to phishing attempts. As per our 2019 Gone Phishing Tournament Report, 11% of all participants clicked on the phishing link, while 29% of employees who had already been exposed to some kind of security training submitted their credentials after clicking on the link.

Therefore, phishing simulations are essential security awareness training tools for any organization.

Microsoft’s Principal Program Manager Lead, Brandon Koeller, said during his presentation that simulated phishing attacks help to contextualize the training for a user and, in so doing, deepen their knowledge of potential vulnerabilities.

“Attackers don’t have a comfort zone,” Koeller explained, adding that they look for “exploitable motivations” that create opportunities to strike. He advocates for phishing simulation training that isn’t easy on your users because it helps them adopt the “attacker” mindset instead of the “defender” mindset, which is limited by an inability to cover all possible weak points.

4. Implementing Security Awareness Means Measuring Improvement

Koeller also highlighted the importance of measuring improvement throughout the cyber security training process. More aggressive training methods only work if an organization adopts increased scrutiny over testing results to leverage all possible learning opportunities.

Koeller demonstrated how greater vigilance, combined with more persuasive phishing lures, results not only in greater changes in behavior but also in less regression over time. In other words, phishing simulations embedded within security awareness training can improve a user’s resilience to potential attacks.

Recent data indicates that more than 80% of reported cyber security incidents are related to phishing attacks. Therefore, with so many threats bombarding the average business at any given time, continuous security awareness improvement needs to be made a top priority.
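The two points above (the click and credential-submission rates from section 3, and Koeller’s emphasis on measuring improvement and regression over time) come down to tracking a few numbers per simulation campaign. The script below is an added illustration, not tooling from Terranova Security, Microsoft or the summit presenters: it runs over a small constructed set of per-user results for three hypothetical quarterly campaigns, computes the per-campaign click, credential-submission and report rates, flags a campaign whose click rate is worse than the previous one (regression), and lists users who clicked in two consecutive campaigns, the group a program manager would target with follow-up training.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    """One user's outcome in one simulated phishing campaign."""
    campaign: str    # campaign label, e.g. "2020-Q1"
    user: str
    clicked: bool    # opened the simulated phishing link
    submitted: bool  # entered credentials on the landing page
    reported: bool   # reported the message to the security team


# Constructed sample data (hypothetical users and campaigns, not real results).
CAMPAIGNS = ["2020-Q1", "2020-Q2", "2020-Q3"]
SAMPLE = [
    Result("2020-Q1", "alice", True, True, False),
    Result("2020-Q1", "bob", True, False, False),
    Result("2020-Q1", "carol", False, False, True),
    Result("2020-Q1", "dave", True, True, False),
    Result("2020-Q1", "erin", False, False, False),
    Result("2020-Q2", "alice", True, False, False),
    Result("2020-Q2", "bob", False, False, True),
    Result("2020-Q2", "carol", False, False, True),
    Result("2020-Q2", "dave", True, True, False),
    Result("2020-Q2", "erin", False, False, False),
    Result("2020-Q3", "alice", False, False, True),
    Result("2020-Q3", "bob", True, False, False),
    Result("2020-Q3", "carol", False, False, True),
    Result("2020-Q3", "dave", True, False, False),
    Result("2020-Q3", "erin", True, False, False),
]


def campaign_metrics(results, campaign):
    """Click, credential-submission and report rates for one campaign.

    submit_rate_of_clickers is measured against users who clicked, which is
    how the 29% figure in the Gone Phishing Tournament report is expressed.
    """
    rows = [r for r in results if r.campaign == campaign]
    sent = len(rows)
    clicked = sum(r.clicked for r in rows)
    submitted = sum(r.submitted for r in rows)
    reported = sum(r.reported for r in rows)
    return {
        "campaign": campaign,
        "sent": sent,
        "click_rate": clicked / sent if sent else 0.0,
        "submit_rate_of_clickers": submitted / clicked if clicked else 0.0,
        "report_rate": reported / sent if sent else 0.0,
    }


def trend(results, campaigns):
    """Per-campaign metrics in order, with a regression flag when the click
    rate rises compared with the previous campaign."""
    out = []
    prev = None
    for campaign in campaigns:
        m = campaign_metrics(results, campaign)
        m["regressed"] = prev is not None and m["click_rate"] > prev["click_rate"]
        out.append(m)
        prev = m
    return out


def repeat_clickers(results, campaigns):
    """Users who clicked in two consecutive campaigns, i.e. whose behaviour
    did not change after the previous simulation and follow-up training."""
    history = defaultdict(dict)
    for r in results:
        history[r.user][r.campaign] = r.clicked
    repeaters = set()
    for user, clicks in history.items():
        for earlier, later in zip(campaigns, campaigns[1:]):
            if clicks.get(earlier) and clicks.get(later):
                repeaters.add(user)
    return sorted(repeaters)


if __name__ == "__main__":
    for m in trend(SAMPLE, CAMPAIGNS):
        flag = " (regression)" if m["regressed"] else ""
        print(f"{m['campaign']}: click {m['click_rate']:.0%}, "
              f"submit-of-clickers {m['submit_rate_of_clickers']:.0%}, "
              f"report {m['report_rate']:.0%}{flag}")
    print("repeat clickers:", ", ".join(repeat_clickers(SAMPLE, CAMPAIGNS)))
```

The report rate is worth tracking alongside the click rate: a program that lowers clicks but never raises reports has taught people to ignore phish, not to alert the security team, and the security team only sees the real attack when someone reports it.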

5. The Secret to Increasing Security Awareness Training Participation

Ultimately, your cyber security training program will only be as effective as your participation rate allows. It’s critical that organizations properly incentivize employees across all departments and, in some cases, time zones to take part in the program.

How do you build that kind of emotional connection? Gartner’s Brian Reed broke down the most effective way to boost security training participation within any business – one that begins and ends with resonant storytelling:

  • Subtly pivot to benefit-centric messaging. For example, instead of focusing purely on numbers like security spending and incident reporting, highlight the benefits of implementing a training program and how it will help reinforce improved habits that will strengthen your organization.
  • Fine-tune the behavior narrative within your story. You can accomplish this by dividing this arc into the “from” (how you plan to build on the past), the “to” (the ideal future end state), and the “because” (the value of embarking on the journey in the first place).
  • Adopt the “share-listen-adapt” model. This iterative approach to communication includes listening to user feedback, checking up on group understanding at different intervals, deploying peer advocates, acknowledging insights publicly and, above all else, making the experience fun.

All these strategic elements contribute to your team’s concept of the journey that underpins security awareness training. In Reed’s eyes, it’s not the destination that matters so much as how you get there.

6. Security Awareness Training Can Help You Minimize Costly Vulnerabilities

A common barrier to security awareness training deployment is the cost of getting the program off the ground. However, as our CISO Theo Zafirakos noted during his presentation, implementing a cyber security training program plays a major role in minimizing costly vulnerabilities.

Zafirakos explained that those exposures don’t just translate into direct costs like money spent to repair servers or other hardware. There are also many potential indirect costs to consider, such as loss of productivity (including salaries) and other expenses or profit losses related to an extended period of downtime.

Ensuring that executives and managers understand the possible pitfalls that come with not implementing a training program links back to a clear demonstration of benefits through concise, impactful storytelling. It could literally save your company thousands – or even millions – of dollars.

7. Security Awareness Training Must be Equal Parts Conceptual and Practical

During our cyber security panel discussion, an important distinction was made between security awareness training programs that work versus those that don’t. The secret: balance the conceptual with the practical.

Our panel of experts – Microsoft Cyber security Education Program Managers Blythe Price and Erin Csonaki, Calian’s Cyber Resilience Office Director Bill Dunnion, and Terranova Security CEO and author Lise Lapointe – all agreed that security awareness learning needs to be contextual and immediate.

“Don’t train on things that will get filtered out,” said Dunnion, explaining that, without that practical element to the training program, there’s no real-world aspect to the content. According to Lapointe, conceptual training alone “doesn’t stick in your mind” once you’re outside of the office environment.

The gamification of your security awareness training program can also enhance the immediacy of the learning process and, in the minds of the panel, help the information stick after that initial exposure. “Hopefully, the next time, they won’t fall for the phish,” Lapointe added.

8. Security Awareness Skill-Building Isn’t the Same as Basic Compliance

Another interesting topic of discussion that came up multiple times during the Virtual Summit was the concept of making security awareness training mandatory or optional. Regardless of your organization’s inclination, our panel of experts presented a more nuanced distinction: skill-building versus compliance.

As Csonaki explained, simply ticking boxes off a security awareness list to meet minimum industry requirements won’t have any meaningful, lasting impact on your employees. She also said that required training should always be chopped up into consumable pieces, a shift that she’s seen pay off in a big way across Microsoft’s various departments.

That said, setting skill-building goals requires focusing your security awareness objectives and supporting them with the appropriate KPIs. Lapointe recommended that an organization should identify what they want to achieve based on the most urgent risks at hand, and then set KPIs to cover all relevant topics or training modules.

Your security awareness training program must also play into the culture of the company. Price advised trying to secure employee buy-in without making the training requirements feel like a chore. How did Microsoft accomplish this? “We made ours funny,” she said, which resulted in plenty of positive feedback on how enjoyable the process was for its users.

9. Leverage Technology to Change Cyber security Behavior

Changing the way people behave in their personal and professional digital environments demands a flexible, carefully planned approach. Beyond situational behavior norms, like how one may conduct themselves in a café versus a museum, Gartner’s Reed reminded attendees that deeper-rooted habits must be considered as well.

Those “personal brand” components include:

  • Intimate personal behavior
  • Core identity
  • Survival reactions

Altering those behaviors, especially when they’ve become bad habits, won’t happen overnight. However, if security awareness training is framed as a conduit for improving an individual’s “personal brand” instead of forcing them to behave differently, any change will be embraced more easily.

Once that happens, the organizational benefits of those new behavioral habits will only become more powerful.

Recap

Our inaugural Virtual Summit provided no shortage of eye-opening insights for all our attendees.

From lessons brought about by COVID-19 remote work realities to helpful tips for how to gain security awareness training buy-in from executives and front-line employees alike, our cyber security experts helped transmit knowledge that can help make it easier for any organization to train their next wave of cyber heroes.

For additional insight from our lineup of cyber security experts, watch the on-demand virtual summit.