Often, information security focuses on technical solutions to combat cyber threats. While technical controls are important, it is at least as important to remember the users in the fight against cyber criminals.

In my younger years, I spent some time in the U.S. Navy. I was an avionics technician, working on electronics for aircraft. I spent some time onboard the aircraft carrier USS America. Although I worked on aircraft electronics, on several occasions I was caught up in simulated drills fighting fires or other disasters onboard the ship. These happened without notice and without consideration about what your primary job on the ship was. If a fire broke out, it was everyone’s fight, not just certain members of the crew. The specialists would arrive when they could, but we all had to hold the line until they could get there, so everyone on the ship had at least some basic training in disaster recovery.

I treat information security the same way. Yes, there are dedicated security people in many organizations, but they cannot be everywhere at once. This is everyone’s fight and like on the ship, everybody should have some training in the basics. They don’t need to be security experts but they should be able to spot when something is not right and know how to react.

The knowledge of how to spot when something is wrong and how to react to it, happens through end-user security awareness training. Clicking on malicious links or responding to spoofed emails is a very effective tool of the bad guys. You have to train your users how to spot these types of attack through security awareness training because technology will not catch it all. Doing end-user security awareness training doesn’t have to be a difficult task, however there are some things that should be considered.

Can you get the message across effectively?

Let’s face it, many of us more technical people do not always relate well to the folks in marketing, accounting, etc. We think technically and sometimes this creates challenges when trying to communicate with non-technical people. Again, the goal is not to make them technical experts, but to spot when something is wrong and have some sort of action. I have been guilty of being way too technical myself and have found that involving a person or two from these groups in the development of these programs is very helpful, even if it’s just a quick review and feedback before deploying to the masses. If that’s not an option, consider looking to a third party for professionally made training.

Train everyone up front.

Everyone in the company is part of this battle, so they all need training. This includes the executives down to the receptionist. It doesn’t make much sense to train someone after the situation occurs, so it’s also vital that they be fully trained as soon as possible.

Do you measure the ongoing impact of the training?

I see where a lot of people do the training but fail to measure results. How do you measure the results and how do you keep the users thinking about security after the initial testing? You have to test them on a regular basis. The best way I have seen to do this is to phish your users with a non-malicious payload. This means phish them like the bad guys do on at least a monthly basis, but use any mistakes they make to reinforce the training you have provided. Create believable emails with links that will capture when a person clicks on them and use that measure how successful the phishing campaigns are, and therefore how successful the training is. If your click levels drop and/or users contact the experts when they see something that feels wrong, you are succeeding.  

If you follow these tips, you can get the whole crew onboard and dramatically improve your organizational security quickly. If you do not feel comfortable setting this up, or you just don’t have time to create the program yourself, look in to third-party offerings as they may be less expensive than you think, and can be very effective with little effort on your part.

Erich Kron
Erich Kron

Security Awareness Advocate at KnowBe4, is a veteran information security professional with over 18 years’ experience in the medical, aerospace manufacturing and defense fields. He is the former security manager for the 2nd Regional Cyber Center-Western Hemisphere and holds CISSP, CISSP-ISSAP, MCITP, and ITIL v3 certifications, among others. He has managed the technical integration and functional testing of multi-million-dollar enterprise level technology projects within the Department of Defense, as well as large military security programs. Erich has worked with information security professionals around the world to provide the tools, training and educational opportunities to succeed in the InfoSec industry.