Most company breaches start with a phishing email. In nearly all cases the point of entry can be traced back to an employee unwittingly clicking on a link, opening an attachment or giving up credentials that unlocked the door and invited the criminals to step inside.
However, as quickly as technology evolves to identify these rogue messages, the criminals change their tactics to evade detection. So what else can be done to prevent these scams being unleashed?
Activate your human sensors
Most of us have been in an airport and heard the announcement over the loudspeaker: 'If you see something, say something.' The airport has security personnel in place patrolling the corridors and manning checkpoints. However, their agents cannot be everywhere at once. They collectively rely on travellers passing through to be their eyes and ears in places they cannot be. In this way, travellers become the ‘sensor’ watching for, detecting, and alerting on suspicious behaviour such as unattended luggage.
What does this have to do with information security? Just as passengers can help prevent an incident in the airport by reporting suspicious activity, employees can help prevent a potential data breach by reporting suspicious emails, instead of falling for them.
Sounds simple enough – but is it?
Training your human sensors
One of the greatest challenges facing security awareness initiatives is providing employees with an experience they will actually remember and retain.
Think back to all of the corporate training you’ve sat through during your career. How much knowledge from those courses did you retain? Although you technically completed the training, have you applied any of the information you were given in real life?
For many employees, security awareness training falls into this category. It’s something they probably don’t care about, and that doesn’t help them do their jobs. Users will do what they have to do to get through the training, check the box, and get back to their regular jobs.
Their security awareness training is now a distant memory buried in a pile of other dull corporate training they’ve been forced to endure over the years. As a result, traditional approaches to awareness training have failed to achieve their objective – change a user’s security behaviour.
When trying to get a person to do something that doesn’t come naturally – such as security awareness training – it needs to be engaging and ultimately fun.
Engaging your human sensors
Games, particularly video or ‘arcade’ games as they’re more commonly called, can be fun and often addictive. It is this behaviour that forms the basis of Gamification – described as a tool to design behaviours, develop skills and enable innovation. So, could it teach users to be more security savvy?
When change is required, introducing a new working practice for example, gamification can dramatically improve the engagement and desired behavioural changes needed from employees to make the project a success.
Gamification can make security awareness training quick, interactive, minimally disruptive to the user, and above all interesting. When used correctly it is arguably one of the best methods to grab and keep a person’s attention to make security awareness memorable.
With that in mind, here are five steps to make your security gamification training engaging and maybe even (dare we say it?) fun:
For the average user, security concepts are difficult to grasp, so start simple! Sending a beginner down a black diamond trail is a good way to turn them off skiing forever (or worse, get them injured). It’s the same with security.
Don’t trip up your users by starting them off with complicated concepts – get them on the beginner slope. Start with a basic scenario, such as an email with a link promising pictures of cute cats. As simple as it sounds, many people will still click. Any security pro can devise a fake phishing email that users will click on, but since the goal is to improve behaviour, start simple and work up to more complicated scenarios.
Hollow platitudes will undoubtedly get your users to tune out (corporate training has never been guilty of this, has it?). Avoid vague messages like “keep company resources safe”; instead, give users specific, actionable information that will help them change behaviour.
Mix it up
How many of you pay attention to the airline safety demonstration prior to takeoff? That demonstration never changes, so consequently most people are checking out SkyMall instead of listening to the demonstration. Don’t make the same mistake with security awareness.
Vary both the content and delivery method of your security awareness to continually engage recipients. Offer training content in video form, HTML templates, and add an interactive element to ensure it appeals to different learning styles and personality types.
Keep it going
Why is it so easy to forget what you learned in a boring class? After the final exam, you don’t need the information, so there’s no need to retain it. We do know that security threats are constant and ever-changing; therefore, security awareness needs to be continuously reinforced. By continuously training users at different times throughout the year, safe security behaviour becomes a habit, and not something forgotten as soon as training is over.
It might be tempting to expose the users who are security risks, but in our experience, the negative backlash this generates will quickly undermine your program. Keep things positive by measuring results and recognising people and departments who have done well. Educate and support those that need additional help.
If people enjoy security awareness, and talk about it with their peers, not only will they be more likely to participate, the experience will be more memorable. Maybe it’s a stretch to think that security training will ever be fun, but if you follow these guidelines, you’ll keep your employees engaged and ultimately improve your organisation’s security posture.
Scott Greaux, VP of product management of PhishMe