How to build a successful security awareness training programme

How to build a successful security awareness training programme

Neglected security awareness allows the weaknesses and threats to your organisation to remain undetected. Businesses must re-evaluate their approach to security by creating targeted, seamless training programmes to help prevent security breaches. In this interview, Andrew Rose, Resident CISO, EMEA at Proofpoint, highlights the current challenges experienced by CISOs and the sophisticated attacks they are facing, and how an effective training programme can prevent security breaches.

Research seems to suggest human error is the biggest cause of security breaches. Can you tell us more about that?

Andrew Rose, Resident CISO, EMEA at Proofpoint

The Verizon Data Breach Report suggested that 83% of security breaches had a human cause. The World Economic Forum produced a report earlier in the year which said that 95% of security breaches had a human cause.

It used to be that the data centre or the head office was at the core of your network and if you wanted to get access to the sensitive data, you’d come into the office and badger a way in. Now, everyone works from everywhere, using resources that aren’t just their own, like Microsoft, Google and Dropbox, and their data is all over the place. Now, the central core of an organisation is the user who has access to whatever they need, wherever and whenever they want, making the user even more tempting to the criminals. By stealing a user’s credentials, suddenly they have access to everything. That’s the reason the attackers focus on the human aspect of security, because staff are the central access point, and they are capable of making errors.

What level of sophistication is being observed when it comes to social engineering attacks today?

Attackers are not just sending the classic ‘inheritance’ email to us anymore. They are using behavioural science techniques to trigger emotional responses from users. We’ve seen some examples of attackers using an email stating that ‘your partner is seeking divorce and they’ve been too embarrassed to speak to you about it. Please click on this link to see the reasons for the divorce’. You can imagine this would be an incredibly emotional trigger, and it would be hard to resist clicking through to see the information. We have also seen attacks on military and governmental organisations using the topical subject of Ukrainian refugees. Attackers will revise and change their content depending on what’s current.

How high on the agenda is employee education and awareness for today’s CISOs and why?

Our recent Voice of the CISO Survey went out to 1,400 CISOs globally and asked what they perceive in terms of risks and what their priorities are in terms of controls. The top significant risk they wanted to prioritise was insider threats, including negligent users, malicious users, and compromised users. In terms of control measures, information protection, security awareness, education and behaviour change are on their list of priorities for the next two years. These results show that CISOs recognise the gravity of the challenge at hand.

However, only 60% of CISOs think that employees understand their role in protecting the whole organisation.  This is likely because awareness is still generally delivered by relatively junior staff within these enterprises and not given sufficient priority or resource. Although human error accounts for the majority of risks, only about 2% of the budget is given to awareness training. This highlights that although security awareness remains high on CISOs agenda, they still haven’t fully committed the right resources to deliver on that topic yet.

What are some of the existing challenges that CISOs and their teams experience when it comes to planning and executing an effective security awareness training programme?

Firstly, a lot of CISOs have grown up through a technical career path, so they’re much more comfortable dealing with technology, firewalls and intrusion detection systems, and getting dragged in front of the board or trying to educate people is a bit alien to them. However, it’s something they’re embracing more and more. The first challenge is their perception of security awareness as a topic, and how it works. Many think ‘well it’s called security awareness; I will make people aware of security and then they will do things differently’ but that’s just not how it works. You can’t simply stack awareness higher and higher, expecting a sudden behavioural change as that’s relying on a connection between education and behaviour that honestly doesn’t exist. Security leaders need to understand how awareness, education and behaviour change work.

I think a second challenge is getting the airtime. Many departments in large enterprises are trying to push their messages, whether it’s about compliance, money laundering, new processes and systems being rolled out, or even this week’s canteen special. Numerous messages are being pushed forward and security can struggle for airtime and get lost in the noise.

The third challenge, referred to already, is the lack of time and resources put into awareness. If an organisation can balance the time and resources spent and are willing to invest in creating compelling content that people love to consume, such as gamification, the results can be effective.

Why is a borderless training platform so crucial given today’s distributed – and often hybrid – workforce?

You can’t keep training bound to the office environment anymore as many training techniques we’ve used in the past, such as posters and digital signage in the office, become almost irrelevant to the new working model.

You need to think about more contextually appropriate content that will work in different environments. For example, what would work in a home environment? What would people have on their desks? What could act as a prompt in their home environments or working on the road? You need to remember that just a single-point deliverable doesn’t work. People forget to take steps by prioritising efficiency over security. The border of just having one message pushed across the company is irrelevant without long-term reminders and impact. You need to push different messages, at different times, through different channels so that people absorb the messages. Simply create an environment where the user is continually reminded of the right actions.

How important is it that the training approach is specifically tailored to individuals based on their geography, job role, or even specific users and user profiles?

It must be relevant to you in your role. If you can teach with a specific perspective in mind, so that it relates to a role or location, then the individual will have a framework or context with which to associate the message and they’ll retain it better. You must try and figure out how you can tune the message to the person you’re speaking to, to make it relevant to them for an effective result.

How important is a customised, tailored approach to awareness training to enable real behavioural change?

Lots of organisations will start out doing some phishing testing, receiving results of a 30% click rate –so one in three people will click on a phish and it is possible to get that down to 1 or 2%, but to achieve this you need to focus on approaches beyond awareness. Smoking is a great example, there is 100% awareness that it’s dangerous and yet still people smoke. So, awareness does not equal behaviour; they are not the same thing.

You need to consider other elements influencing behaviour such as motivation. I commonly tell people to stop calling it a security awareness programme. Even if you just do that internally within your team.  Calling it ‘security awareness’ leads you to make the wrong conclusions about what you need to do to achieve your goal. If you call it a ‘security behaviour change’ or ‘security culture change’ programme, you widen your perspective and will think about the different aspects that need to be brought into your portfolio of tools and techniques to actually change behaviour or change the culture, and not just build more awareness.

Why is it important that a training programme is flexible, easy to use and adaptable to changing business needs?

The only thing the CISO can rely on is change. The threat landscape is going to change, the business will change, the budget will change, the staff around you will change and your priorities will change.

You need to build flexible programmes that you can adapt because when your organisation acquires in a new country, in a new language, you need to be able to apply the same consistent education in that new language and culture as you have for the rest of the organisation.

You need to have the right messages for different roles and you need to have the flexibility to change your tooling, messaging –and content to address the right threats.

Browse our latest issue

Intelligent CIO Europe

View Magazine Archive