On June 22nd, Terranova Security hosted the 2021 edition of the Security Awareness Virtual Summit. Sponsored by Microsoft, the virtual event boasted sessions featuring speakers from some of the cyber security industry’s most recognized entities, including the National Cyber Security Alliance (NCSA) and Gartner.
The event’s lineup also featured a panel discussion featuring security awareness experts from various industries, an interactive audience poll, and a demo of the latest addition to Terranova Security’s unique, industry-leading content: Serious Game modules.
All the sessions supported and advanced the event’s central theme: How does your security awareness training program stack up?
It’s a question being asked by more and more organizations as they adjust to new cyber security norms in the wake of widespread digital transformation. And, in an age where digital interconnectivity has fundamentally changed how many organizations operate, human-centric cyber security solutions have come into sharper focus.
This blog post will cover the seven most important takeaways from this year’s Security Awareness Virtual Summit. It will also provide additional insight into how your organization can assess your security awareness training program and get the most out of your campaigns.
1. COVID-19 Continues to Disrupt the Cyber Security Space
One of the recurring themes of the Virtual Summit, in particular during the panel discussion, was how the worldwide COVID-19 pandemic changed the frequency, intensity, and complexity of the phishing simulations organizations sent to their users, whether those users were working from home or not.
“People [were] going through a really hard time,” Aleigha Roberts, Senior Security Engineer at Delta Airlines, commented.
And, while the frequency of phishing simulations and other security awareness training initiatives ranged from quarterly to monthly, all panelists agreed that an empathetic approach that took end users’ emotional uncertainty into account was a major consideration.
2. Remote Work is Changing the Fabric of Cyber Security
On a related note, one of the toughest post-COVID-19 issues staring many organizations and their cyber security teams in the face is the continued rise of remote work. With departments and processes more distributed than ever – for some organizations, across multiple countries and time zones – even the best technical infrastructures continue to feel the strain of increased risk.
As remote work adoption continues to skyrocket, “everyone should be engaged, including board members,” said Brandon Koeller, Principal Program Manager Lead, Office 365 Security at Microsoft. You don’t want to intimidate your users, but you do want them to engage fully with the material, and that process starts with your upper management.
As several Virtual Summit speakers pointed out, organizations may need to rethink and reshape their existing security awareness training initiatives to give their employees the tools they need to detect and avoid cyber threats, especially those that explicitly target remote workers, without scaring them to the extent that they’re afraid to open work-related apps or documents.
3. Building Diverse, Inclusive Security Awareness Training is So Important
To fully empower your employees and, over time, transform them into cyber heroes, building a diverse, inclusive training environment is so important. As author and Terranova Security CEO Lise Lapointe explained in her Virtual Summit-opening session, several factors must be considered when building genuinely inclusive awareness training.
Some of those include:
- Compliance with online accessibility standards so all employees can benefit from training courses
- Mobile responsive training modules that allow users to complete security awareness training on their chosen device(s)
- Multilingual content in a variety of formats that take different learning strengths and preferences into account
These are just a few of the factors contributing to a diverse, inclusive security awareness training experience. More importantly, implementing these measures is no longer a luxury – it’s every organization’s duty as a conscientious corporate citizen.
4. The Key to Empowering the Global Digital Society: People, People, People
The power of easily accessible and understood cyber security knowledge for end users was echoed in the Security Awareness Virtual Summit’s keynote, delivered by NCSA CEO and Executive Director, Kelvin Coleman.
During his presentation titled “Protecting the 5th Domain: Effecting and Measuring Awareness in Cybersecurity,” Kelvin traced the roots of social engineering scams as far back as the late-1940s. He also demonstrated how the solution to securing sensitive information is “decidedly not very technical” and lies in educating your people first.
“In today’s world, we’re looking at 20 billion connected devices. In the next five years, we’re looking at 60 billion connected devices, which is a 300% increase,” Kelvin explained. Organizations and their leaders must empower their employees to adapt to this near-future reality adequately and “drastically reduce” the human risk factor in cyber security.
One of the best ways to jumpstart this process is to take advantage of free online resources that are easy to access and share on any device. Check out NCSA’s resource library and the Cyber Security Hub on the Terranova Security website.
5. The Ingredients for Phishing Simulation Success: People, Processes, and Phishing Training Quality
As Brandon detailed during his session, successful phishing training must bring together all three ingredients, the people involved, the processes that govern the program, and the quality of the training content, so that end users learn to consistently identify phishing attempts and take the correct action in each scenario.
First, all stakeholders must be aligned on your security awareness training program’s goals, execution strategy, and trade-offs upfront. Clear, concise communication is paramount, as is exposing employees to the kind of cyber threats they may encounter in their day-to-day lives.
“Authenticity matters,” Brandon said, adding that specific, complex payloads – even ones that spoof popular brands – “provide the best learning experience” for everyone participating in training. “Some users need more training, others need more practice, and you need to take that into consideration as well,” he added. Another major takeaway from the session was that, for optimal results, phishing training should be deployed in smaller, staggered batches rather than as a “big bang” send to all of an organization’s users at once.
6. Securing C-Suite or Executive Buy-In is Crucial
Designing and planning for security awareness training success is exciting, but the reality is that a program with little to no executive-level buy-in may be doomed to fail. As Gartner’s William Candrick observed, executive support is a crucial aspect that must be anticipated and addressed.
“The goal isn’t getting one-time support,” he said. “It’s about acquiring ongoing support [and] diligence.” This ensures you can build a program that grows alongside your users and their knowledge acquisition, not an “ad-hoc compliance-based” collection of disjointed initiatives.
Some helpful tips William provided include:
- Connect security awareness to business benefits to get consistent financial support. For example, demonstrate how reduced phishing click rates translate into lower incident costs and improved employee productivity
- Shift leadership perceptions by debunking misconceptions about cyber security as a prevention strategy. Instead, reposition your initiatives as a way to detect threats and strengthen data protection proactively
- Mature your security awareness training efforts by transforming a collection of ad-hoc activities into a fully defined program. Rooting the program’s elements in specific behavior change goals is an essential part of this process
Establishing a vision statement, developing a multi-channel engagement strategy, and defining outcome-driven metrics are also important ways to structure and standardize your awareness program. As William put it, “we can manage risk. We can’t prevent it. As with all risk, we can’t achieve perfection.”
7. Security Awareness Training Also Needs to Consider Ethical Implications
Though you ideally want to test your users with the most realistic phishing simulations and training content possible, there is also a wide range of ethical implications to consider.
Edouard Zazempa, Deputy Head of Governance and Programs at Capgemini, noted that, while his team strives to deploy training initiatives that are “as close as possible to an attack,” the most realistic option is not always the most effective one. “Leaders can connect with their HR department to ask, ‘Is this acceptable in the context of a training initiative?’” It’s important to note that what’s deemed acceptable can also differ from country to country. As Tracy Held, Managing Director of Security Reporting and Training for Omnicom Group, added, “if [a simulation] makes me queasy, I probably shouldn’t do it.”
The panel agreed that varying the content, context, and training format (including gamified learning) ensures there is “something [that will] resonate with everyone.” Aleigha pointed out that security awareness leaders can emphasize that it’s a safe space to learn by taking the term “training” out of the equation entirely.
With those precautions in place, the information presented to users during phishing training lands as a more impactful educational moment rather than a punitive one.
Building Your Best Security Awareness Training Program
As the Security Awareness Virtual Summit demonstrated, constructing a robust and diverse security awareness training program has never been more crucial for business success.
With an emphasis on inclusivity, ethical content and, above all else, an empathetic human approach, organizations can maximize their cyber security ROI and, at the same time, minimize the associated human risk factor. Transforming your training program into a well-oiled machine that prioritizes behavior change facilitates executive buy-in as well.
"You want to build those communities of trust now,” Kelvin said during his keynote, “so that when something does happen, you'll be better prepared to respond.”