With phishing and business email compromise (BEC)-style attacks now the primary methods cybercriminals use to gain access to an organization, it is imperative that employees be taught what to look out for when going through their email. So SC Media asked some top cybersecurity executives for their best training tips.
1. Frequent Testing
Stu Sjouwerman, CEO, KnowBe4
Testing users on a frequent basis to see who falls for a simulated phish should be part of any effective security awareness training program. Users won't remember the bulk of their annual training, and over time old habits come back into play. Training users and frequently phishing them will keep them on their toes, with security top of mind. It is fun for IT to do, helps users determine whether an email is expected, relevant and current, and has the additional benefit of helping employees stay safe on the internet at home.
2. The best defense is a good offense
Steve Martino, Vice President, Chief Information Security Officer, Security and Trust Organization, Cisco
Even those who should know better can get caught clicking on a malicious link or document that looks legitimate. We run a program that educates employees to recognize and report phishing emails. To test their phishing IQs, we send them phishing emails; if someone takes the “bait,” they receive in-the-moment training on how to avoid being tricked. We test them again within 30 days to reinforce the lesson. Since starting the program, we have reduced our click risk rate by over 60 percent.
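Tips 1 and 2 describe the same loop: send a simulated phish, train whoever clicks, re-test those people within a window, and measure whether the click rate actually moves. The Python below is an added example of the bookkeeping behind that loop; it is not code from KnowBe4, Cisco or SC Media, and the campaign names, user names and dates in it are constructed for illustration.

```python
"""Track a simulated-phishing programme: click and report rates per
campaign, the relative reduction between two campaigns, and which
clickers are still owed a follow-up test within a 30-day window.

Added example with constructed data; it is not code from KnowBe4, Cisco
or the article.  Campaign names, user names and dates are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PhishEvent:
    campaign: str   # campaign identifier (hypothetical)
    sent: date      # date the simulated phish was delivered
    user: str       # recipient (hypothetical)
    action: str     # "clicked", "reported" or "ignored"


# Constructed sample data: a baseline campaign and a follow-up 45 days later.
EVENTS = [
    PhishEvent("q1-baseline", date(2024, 1, 10), "alice", "clicked"),
    PhishEvent("q1-baseline", date(2024, 1, 10), "bob",   "clicked"),
    PhishEvent("q1-baseline", date(2024, 1, 10), "carol", "reported"),
    PhishEvent("q1-baseline", date(2024, 1, 10), "dave",  "ignored"),
    PhishEvent("q1-baseline", date(2024, 1, 10), "erin",  "clicked"),
    PhishEvent("q1-followup", date(2024, 2, 24), "alice", "reported"),
    PhishEvent("q1-followup", date(2024, 2, 24), "bob",   "clicked"),
    PhishEvent("q1-followup", date(2024, 2, 24), "carol", "reported"),
    PhishEvent("q1-followup", date(2024, 2, 24), "dave",  "ignored"),
    PhishEvent("q1-followup", date(2024, 2, 24), "erin",  "ignored"),
]


def rates(events, campaign):
    """(click rate, report rate) for one campaign, as fractions of recipients."""
    recips = [e for e in events if e.campaign == campaign]
    if not recips:
        raise ValueError(f"no events for campaign {campaign!r}")
    clicked = sum(e.action == "clicked" for e in recips)
    reported = sum(e.action == "reported" for e in recips)
    return clicked / len(recips), reported / len(recips)


def click_rate_reduction(events, baseline, followup):
    """Relative drop in click rate from baseline to follow-up (0.6 means 60 %)."""
    base, _ = rates(events, baseline)
    later, _ = rates(events, followup)
    return 0.0 if base == 0 else (base - later) / base


def retests_due(events, window_days=30):
    """Deadline (click date + window) for every user whose most recent
    simulation ended in a click.  Users who were sent a later simulation
    after clicking are not listed, whatever they did with it."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    due = {}
    for user, evs in by_user.items():
        latest = max(evs, key=lambda e: e.sent)
        if latest.action == "clicked":
            due[user] = latest.sent + timedelta(days=window_days)
    return due


def overdue_retests(events, today, window_days=30):
    """Sorted users whose retest deadline has passed as of `today`
    (a date or an ISO-8601 string)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return sorted(u for u, d in retests_due(events, window_days).items() if d < today)


if __name__ == "__main__":
    for c in ("q1-baseline", "q1-followup"):
        click, report = rates(EVENTS, c)
        print(f"{c}: click {click:.0%}, report {report:.0%}")
    drop = click_rate_reduction(EVENTS, "q1-baseline", "q1-followup")
    print(f"click-rate reduction: {drop:.0%}")
    print("retests due:", {u: d.isoformat() for u, d in retests_due(EVENTS).items()})
    print("overdue on 2024-04-01:", overdue_retests(EVENTS, "2024-04-01"))
```

Two things the numbers alone hide: the report rate is worth tracking alongside the click rate, because a user who ignores a phish has learned less than one who reports it, and the retest window is measured from each user's last click, not from the campaign calendar, so a quarterly schedule on its own will not keep the 30-day promise for everyone.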
3. Ditch the Conference Room Training; Treat Employees like Fighter Pilots
Aaron Higbee, Chief Technology Officer and Co-Founder at PhishMe
Employees learn best from real-life interaction, similar to how fighter pilots train using extremely realistic simulation engines, so skip the lecture and mandatory videos and see how an employee responds to a simulated threat. If they fail a simulated attack, chances are they won't want to make the same mistake next time. According to the Herman Miller Learning Pyramid, learning by doing yields a 75% knowledge retention rate, compared to 5% for those who rely on lectures. Experience is key!
4. Make it fun
Larry Hurtado, CEO, Digital Defense
As security training can be dry and boring, Digital Defense got creative and developed SecurED in collaboration with award-winning Hollywood comedy writers. The combination of serious and important guidance with fun, engaging characters achieves the “stickiness factor” required to achieve real results.
5. Pop Quiz
Matthew Gardiner, cybersecurity strategist at Mimecast
An organization's security posture is only as strong as its weakest link, and its weakest link is most often its people. People can be tricked into giving attackers their credentials, clicking malicious links, opening malware-laden attachments, or doing something they shouldn't with the organization's data or money. An entire company, from the C-suite to the front desk, needs to be educated and closely involved in promoting and protecting the security of the business. Given this, phishing training needs to be conducted on both a scheduled and an ad hoc basis to keep the safety of the business front-and-center with their people.
6. Technology not Training
Sam Curry, CSO, Cybereason
Today, the silver bullet to best deal with phishing scams doesn't exist, and more training won't work. As an industry, we can start building technology solutions that work with how people really behave instead of continually trying to change their behavior, because between now and the end of mankind people will keep clicking on stuff.