Using innovative strategies, some companies may be erasing employee security training’s reputation for ineffectiveness.
Security training “got a bad rap, because it was so bad,” says Steve Conrad, the founder and managing director of MediaPro, a Bothell, Washington-based security awareness training company with such clients as Microsoft, Yahoo and Adobe.
Old training methods “usually consisted of slide presentations—or their online equivalent—that were super dull and could last an hour or two,” he says. “Employees were expected to sit through this, either at their desks or in a group, and come away with knowledge gained. And that was it. Awareness training was once and done, and it just didn’t work.”
Stu Sjouwerman, founder and CEO of KnowBe4, a security awareness training company founded in 2010 and based in Clearwater, Florida, says “old-school security training” often stems from “classical break-room sessions where employees are kept awake with coffee and doughnuts and exposed to death by PowerPoint.”
Those days are over, according to officials of the two companies.
MediaPro—which was founded in 1992 and has focused on security awareness training programs as a product since 2003—says it’s an e-learning company that bases its training on proven adult learning principles, providing educational content in a way that learners remember.
“This concept extends beyond the training courses themselves,” Conrad says, “to our focus on consistent reinforcement of key learning principles through extracurricular content such as games, videos and posters, as well as phishing simulation exercises.”
Phishing exercises help change behavior
KnowBe4, Sjouwerman says, sends frequent simulated phishing attacks to train employees “to stay on their toes.”
Both companies believe that employees’ most common security mistake is falling for an email phishing scam.
“Bad guys have come up with all sorts of creative ways to convince employees to click on a link or send sensitive information via a spoofed (sender) address,” he says.
Clicking on a link in a suspicious email and opening an infected attachment can be avoided, Sjouwerman says, “by recognizing red flags.” Red flags include receiving an email from a suspicious domain or address you don’t ordinarily communicate with, or one sent at an unusual time such as 3 a.m.
No company is immune to such scams, Conrad says, “but simulated phishing campaigns aimed at an organization’s employees teamed with comprehensive cybersecurity education can go a long way toward changing risky employee behavior.”
Technical safeguards against phishing scams exist, “but no organization should rely on those alone,” he says. “Social engineering—the basis of phishing scams—is such an effective way into the sensitive data of an organization, because it completely bypasses these technical safeguards and goes after what is most companies’ weakest link: the human.”
Workers’ weak spot
Why do employees engage in risky behaviors when cybersecurity threats are so abundant?
“It’s likely a combination of being busy and being exposed to so many technological sources of distraction on a daily basis,” Conrad says.
Sjouwerman mentions another reason. “No one ever took the time to enlighten them about the clear and present danger that risky behavior can really cause, especially in an office environment.”
A 2016 study by PhishMe, a Virginia-based phishing threat management company, found that 91 percent of cyber attacks and the resulting data breach begin with a spear phishing email.
Another study done last year by LastPass, a Virginia-based password management service, found that 91 percent of respondents know it’s risky to reuse passwords for multiple online sites, but 61 percent do it anyway. The study also found that the No. 1 reason respondents changed their password was because they forgot it, and only 29 percent changed it for security reasons.
Employees’ risky behaviors have triggered an increasing number of companies to provide better security training.
“I think this is a really exciting time in the market: Huge numbers of companies are committing to doing real education, and we’re seeing exciting innovations in the variety of content that is available,” Conrad says. “I like to think that the age of boring people about security is over, and we’re entering an era where people are going to be motivated and engaged by education around these issues.”
Repetition is key
Employee training, Conrad says, needs to be more frequent than an annual affair.
“Learners need to hear something more than once for it to stick—just ask any ad executive or marketing jingle writer,” he says. “Think about what makes up an advertising campaign: a series of messages that share a single idea or theme, transmitted via different media channels on a regular basis, for an extended period of time—with the singular goal of influencing consumer behavior.
“A great security awareness initiative should look like a great advertising campaign. Repeated, consistent messages delivered throughout the month, quarter or year, whatever cadence is appropriate for a given organization.”