Most of today’s media coverage, internal security budgets, and venture capital dollars are focused on new and exciting technologies, such as next-generation endpoint solutions, user behavior analytics, and others. However, one equally important area that often receives little attention is security education and awareness for company employees.
The majority of successful attacks target end users in one form or another. Typically, attackers lure a company’s employees into either unknowingly divulging company secrets or passwords or trick them into clicking links or visiting websites that install malware on their computers. Worst case scenario, this happens to a user with domain administrator privileges and your entire network becomes a playground for the attacker.
Another common cause of reported breaches is lost or stolen devices that were not physically secured or properly encrypted. These devices, especially removable media, often hold sensitive data that is not protected by encryption and is then lost or stolen. In my experience as a CISO, when such incidents occur, employees will often argue that they were not aware of the corporate policy to protect such data or felt ill-equipped to use the technology made available to them.
An important component to prevent such situations from happening is to properly educate company employees. However, most corporate security education and awareness programs are antiquated, stale, boring, and lack tailored content for specific roles within the organization. Company employees often run kicking and screaming when such training is mandated, and executives either request exemptions because of their busy schedules or force their assistants to complete the training for them. After sitting through many such training programs, I really can’t blame them.
Even after almost weekly public cases of CEO wire fraud and other such scams, corporate and government executives often personally avoid such training and/or provide lackluster support for such initiatives companywide. I believe this is because they do not find the content relevant or important enough compared to everything else they and their employees must do. And I believe this is exactly why security professionals and cybersecurity solution providers must “up our game” in this area.
Based on my experience, I believe that a robust and effective security education and awareness program must contain the following key elements:
1) For all new employees
- On day one, all employees are required to complete a short, tailored and position-relevant security awareness training. Key to this training is that all new employees walk away understanding how to get security help if needed and know when and how to report a security incident.
- New employees are provided with access to online resources such as information security policies and how-to guides for key security technologies and scenarios, e.g. how do I send a secure email, how do I handle PII, etc.
- For all new employees, I recommend running a simulated phishing test against them within their first month on the job and providing just-in-time (JIT) training if they fail the test. Rinse and repeat to ensure the training was effective.
- Employees should be rewarded for identifying security vulnerabilities and reporting them to security. I would suggest a “catch of the month” program where the employee who reported the most impactful vulnerability for that month receives a $100 prepaid gift card or something similar.
2) For company executives
- Companies should develop and deliver a tailored security education program for executives. The training should be customized to the individual executive and based on the most likely digital threats to the executive and their family. This type of program should be coordinated with any existing physical security programs, as online and physical threats to executives are often linked. I recommend one-on-one training with the executive once per year as the most effective mechanism for this audience.
3) For traveling employees
- For companies with employees traveling overseas, provide specific just-in-time (JIT) training based on the countries being visited. Focus on the key tasks they need to perform while traveling, such as accessing email and sending documents, and on what to do in case of a suspected breach or an attempted seizure of technology resources. Equally important is to ensure the employee understands any actions they need to take when returning from certain high-risk countries.
4) For IT employees
- Provide targeted training to information technology staff. Ensure developers know how to apply secure coding best practices and how to securely handle source code and other intellectual property. Make sure that all system administrators are well versed in the dangers of using domain administrator accounts to perform high-risk functions such as browsing the Internet or reading email. Also, ensure that system administrators are trained on the corporate policy regarding the safe handling of such accounts. I’ve attached a few helpful resources below on this specific topic.
5) For all employees
- Security teams should consider their end users as one of their most important and valuable detection sensors and work to maintain the health (“knowledge”) of these sensors just like their IDS/IPS devices and endpoint sensors. This means providing end users with continual training and education, especially related to new threats.
- Consider flash cyber threat advisories to potentially targeted end users. I’ve also used short (less than one minute) video updates on important topics with great success. Video updates are simply short videos that give end users quick, actionable direction on security topics in a fun and interactive format.
- For existing employees, run simulated phishing against a percentage of the user base each month until all employees have been tested. As with new employees, provide JIT training for those failing the test, and rinse and repeat to ensure training effectiveness.
- Finally, gamify your security awareness training and make it mobile friendly. Keep the content fresh and engaging for all generations of your workforce. Also, make the training relevant to both the employee’s work and home life, including being safe on social media. You know you got it right when your employees ask if they can include their family and friends in the training!
Resources for protecting domain admin credentials:
Credential Theft and How to Secure Credentials
Securing privileged access: Preventing and detecting attacks