Do you force your users to take security awareness modules once a year on generic security topics?
Do you feel like it is making the impact you are expecting?
We all know that security is everyone’s responsibility and to be successful everyone needs to play their part. Unfortunately, we don’t do a great job of really defining how security fits within each person’s area.
Instead, we force generic phishing simulations on them and then assign annual awareness training modules, modules that are typically generic in nature rather than specific to the user’s role. This is because there is a cost associated with creating role-specific training for every role. In addition, there are overhead costs to managing who is getting what training. In many circumstances that cost may be out of your budget.
So what can you do?
I mentioned on a recent Down the Security Rabbithole podcast an idea that shouldn’t really incur high costs, but can help enhance the awareness program. Let me explain.
My morning routine consists of looking through my RSS feeds while I eat my breakfast. I find this process helpful in staying current on trending issues. Typically, the things I find interesting are shared with the security team to take a look at. However, I have found multiple occasions where something makes sense to share with someone outside the security team. This has included DevOps, developers, DBAs and infrastructure. It could also include legal, HR, finance, or really any group within your organization.
I typically reach out through Teams or Slack to a contact I have for that group. I share the link to the article, but also start a dialogue around the context and how I think it relates to them. This allows them to ask any questions or express any concerns, creating an actual conversation, rather than just pushing content.
Why I like sharing these stories/articles with these teams:
- Increase Collaboration – Sharing information with your colleagues in different departments helps mature the relationship with other departments. The goal is not to inundate them with news articles. Part of our role in security is to curate the information so only the most relevant is making it to the end user. This also helps them feel like they are part of the team.
- Relevant – The information you share will be directly relevant to the user you share it with. This helps our colleagues become aware of actual tactics used against them. The payroll team sees real examples of how their colleagues in the industry are being targeted. The developers see how attackers may be targeting them.
- Knowledge Retention – When users become aware of actual tactics that are directly related to them, they have a tendency to retain that information. They are less apt to just click through the typical training to get through it.
- Self Reliance – Sharing your sources with your colleagues helps them learn where they may find similar information. It may lead to some of them becoming interested in learning more and starting to follow some of these sources as well. When this happens, there will be less need for the security team to share these articles since the colleagues themselves will already be up to date.
- Timely – Rather than waiting for annual training, the information is shared when it is most relevant. Share with teams the trending issues they are facing now, not after the fact.
If you are looking for ways to get more out of your security awareness training and improve your security culture, I think this is a great way to get your entire organization involved. It will also give you the opportunity to meet some new people within the organization. Finally, it helps increase your own knowledge and understanding of the risks within your organization.
This may not satisfy your compliance requirements or reach 100% of the employees, but it is a great addition to your current processes. It will be more relevant, probably more impactful, and you might be surprised how people start opening up when they feel part of the conversation.
I would love to hear your thoughts on doing something like this. If you have tried it, does it have any impact? If you haven’t tried it, what is holding you back?