Lots of companies offer good Security Awareness Training, including KnowBe4, Wombat, eLearning, MediaPro, SANS, and Pivot Point Security (I saved the best for last :>)).
They all offer important modules that you should include in your training (phishing, social engineering, passwords, secure mobile working, etc.).
But none of these security awareness training providers offers what I think is the most important module that you need—a discussion of your security policy.
Why Training Needs to Be Customized to Your Security Policy
The training modules you are using are designed to help your team learn key information security concepts (“what” and “why”). They are intended to be used by thousands of organizations so, by definition, they are generalized and not directly applicable to yours. For example:
- They may refer to an incident response plan that you may or may not have, which should be referred to in the event that a ransomware message comes up on your screen.
- They may refer to the need to generate strong passwords and protect passwords at all times, based on rules that you may or may not have or enforce.
- They may refer to the importance of multi-factor authentication, which you may or may not have and may or may not properly use.
Applying Concepts to Your Organization
The module(s) you are missing would be designed to help your team apply key information security concepts within the context of your specific organization (“who,” “when” and “how”). They would be used by just your organization, and thus be highly specific to what your employees need to know. For example:
- They would instruct an end-user to send an email to email@example.com, call Sam at (609) 999-9999, and disconnect his or her Ethernet cable in accordance with your security policy.
- They would explain how to install and use your enterprise LastPass account to generate, store, and, when required, securely share accounts (including passwords).
- They would explain what Okta is, how to set up your account, and the specifics of using Okta on your personal mobile device, with Office 365, and with your Box.com account.
The Risks of Generalized Security Awareness Training
Without the specific “who,” “when,” and “how” guidance:
- Your team knows what phishing is and why it is bad. But if they make a mistake (and we all know they will), the breach may not be detected and remediated quickly, yielding far greater impact.
- Your team knows (generally) what a strong password is and why it is important to use strong passwords and protect them. But they might not use LastPass and thus share a password in an unapproved manner that results in a compromise of their email account… and unfortunately, they are in Accounts Receivable.
- Your team knows what multi-factor authentication is but may continue to use a workaround that was left in place, reducing efficiency and increasing risk to your online document management system.
Assuming you agree that specific guidance is needed to augment generic security awareness training, your best bet is to develop some training that is specific to your data, your policies, your industry, your practices, and your culture. Ideally, that training could be inserted into your Security Awareness Training platform, which simplifies deployment, administration and record-keeping.
Such training could range from pretty basic to pretty sophisticated:
- Develop a PowerPoint deck and deploy that with a quiz.
- Develop a PowerPoint deck and convert it to a screencast with someone presenting the content and perhaps annotating key points. Develop and deploy a quiz with it.
- Develop a PowerPoint deck and convert it to a screencast/video with pictures of your presenter using a tool like Loom or Camtasia.
- Develop a PowerPoint deck and present it to a group of your employees. Record it with a simple webcam. Develop and deploy it with a quiz.
- Work with your Security Awareness vendor or an outsourced videographer to develop a more formal presentation. Develop and deploy a quiz with it.
While you may get bonus points for polish, the training doesn’t need to be pretty. The important thing is to develop something specific to your organization. Without it, your team only has 40% of the answer.
We are working hard with our clients to augment their “what” and “why” training to include “who,” “when” and “how”—because giving your employees the information they need turns them from your greatest threat surface to your greatest threat detection and response mechanism.