Security Awareness Training is a big topic, and the discussion around it consists mostly of people saying that you need to run phishing campaigns.
People are your weakest link, but that’s their nature. Awareness is about more than knowing social engineering and identifying phishing scams in all their forms.
You need to train your HR people on listings and job postings. Train and educate your IT staff on safe operating parameters and on identifying vulnerabilities.
I’m a firm believer that awareness programs are critical for organizations. It could be because I came of age watching the GI Joe cartoon, but knowing is half the battle. It’s true in most endeavors, especially if the goal can be somewhat classified as winning. I’m also a firm believer that most, if not all, organizations approach the design and implementation of these programs incorrectly. Too many organizations equate phishing campaigns with awareness programs.
Phishing campaigns are an effective component of an awareness program, provided they are done properly. There’s an entire post to be written around conducting these campaigns: how they should be implemented and what you’re looking to instill. Hopefully I’ll remember to write it. For now, the point is that campaigns alone are not enough to make up an awareness program. Bonus bit: phishing campaigns should not be about not clicking links, nor about figuring out who is clicking links. They should educate people on the form and intent of phishing, and inform changes or implementations within the organization based on the results.
No, for now, let’s talk whole picture. What does an awareness program look like? What does it tell us? Is it a standard training, or is it more of an actual program? First things first, I hate calling it training. Training is working to implement a given response to a stimulus, like Pavlov’s dogs, pet training, or otherwise. Training is intended to create an almost automatic response. (I’m aware that much of our military uses the term training, and I’m not disparaging that. I think it’s a different case than here, though it’s possible a better term could be applied there.) I prefer to say you need to “educate” your team. And they’re not users, they’re your team. Awareness programs aren’t just about computers and systems, so people shouldn’t be viewed through the lens of being users. That creates the false narrative that their interactions are weakening an already strong system. This is not entirely true. They are a component of the security system as a whole.
There is a lot of information out there on how to harden systems, what frameworks we recommend, constructing and using golden images, and creating a layer of defense with our technology solutions. Yet when it comes to the most critical and interactive component, the people, our advice amounts to “train them to not click links.” Vishing campaigns do not rely on clicking links. Gift card scams do not rely on malicious links. Trolling LinkedIn for internal operations does not require links. Holding a door open because someone said, “please,” is not a link-based threat. Why, then, do so many awareness programs start and end with identifying malicious links in emails and call it a day? More so, what kind of advice is “don’t click links” or “only open emails from people you know and trust”? There are entire departments that regularly receive emails, many of them unsolicited or only loosely requested (think resumes), from people with whom they do not have an established level of trust. Telling them the best practice is to just not open them is not going to cut it.
An awareness program goes beyond phishing training. Do your network and sysadmins have awareness of proper hardening of systems? Do you allow time for training in their area, to keep up with changing times? Does your leadership team make sure that formal communication methods are communicated properly, and that no variations will be used? And if variations are used, is it understood that a staff member who dismisses them as potentially fraudulent will not have that held against them?
Do you take the time to make sure HR and AR/AP teams are aware of all formal vendor approvals, and that there is a process to confirm, communicate, and acknowledge changes to vendors, payroll, and employment status? None of these are about phishing, yet they are all avenues that may be used against an organization, and every one of them relies on people not knowing the formal methods of communication and your change management programs.
Awareness programs are crucial and they are also multifaceted. It’s not signing up with a vendor and doing a monthly phish, with a quarterly campaign. It’s about building knowledge and resiliency that bolster your controls, creating an active human element, should a technological element fail.
‘Cause knowing is half the battle.