Most organisations don’t have a lot of time to make an impact with their security awareness programmes, but are faced with compliance obligations that must be met. It is critically important to have a security awareness solution that uses the limited time available to train effectively, and one that provides targeted education that is relevant to users. This latter must be based on the knowledge gaps they have and the topics that they need to learn about now.
Currently there are two issues facing us today:
• How to keep users engaged?
• How to account for an education programme that factors in your globalised audience?
Ultimately, the goal of any security awareness programme is to drive behavioural change and drive actual security outcomes. It’s true to say that your company is only as strong as your weakest user, but what does this mean? Basically, you want to see fewer people clicking on malicious links, not only in simulated phishing tests, but in real-world attacks. However, if users mess up, you want them to learn from their mistakes. Without follow-up education users will continue to make the same mistakes in the future.
You want to work for a situation where more employees report suspicious emails, proactively helping you to keep your organisation safe. Data from the SOTP Report shows that a little over a third of organisations currently educate employees about best practices for reporting. If users don’t know what to do when they get a malicious email, how will they know how to act appropriately? What you don’t want is users reporting on random spams or low-risk emails. You want end-users to know what a potential threat looks like and report on high-risk emails, and know how to tell the difference.
To help customers build a strong culture and shape existing behaviours, values and beliefs towards it, you need to organise a solution into three key steps – an ACE Framework – Assess, Change Behaviour and Evaluation.
Assess: The first step is to assess current culture, knowledge and skills to help establish the baseline and understand where the gaps are and what users believe. This helps inform a programme focus and aids with evaluations. Customers can do this using a variety of tools like knowledge and culture assessments.
Change Behaviour: The second step is to help customers execute on their behavioural change programme. This consists of three key components: automation, adaptive learning and the reinforcement of that learning.
• Automation is very important: security teams can get inundated with user reporting of suspicious messages and threats. It is necessary to provide a way to automate remediation of threats. This approach saves time and resources.
• We also know that one size does not fit all, and this couldn’t be truer for training. An adaptive framework makes it easy to deliver continuous learning throughout the year, adjusting the style of learning and the size so that it fits easily into people’s daily schedule. This helps them move along a path that increases skills level over time across key security domains, and based on role. Think targeted education that’s geared right to where users need to be learning at any given time.
• Reinforcement is also key to combatting the forgetting curve. Using existing tools like threat guided training and email warning tags (providing contextual nudges) are some examples, as well as teachable moments, videos, and more.
• Evaluate: you want to be able to evaluate your programme regularly and make changes as needed, to get results.
Above all, remember, this is a cycle, not a linear process. It is constantly restarting and improving.
Now that we’ve covered the stages of the ACE framework, it’s necessary to take a holistic approach to security awareness education. You need to use a threat-driven content informed by threat intelligence to drive educational modules and help users be prepared to face threats in the wild. A tailored education is not only based on users’ roles and knowledge gaps but is also informed by user vulnerabilities, which must be captured using threat intelligence.
Threat detection capabilities also automatically analyse user-reported messages for fast, time-saving detection. You need visibility to help you communicate the impact of your programme to your leadership team, and to help inform future changes you are considering for your security awareness.
These components come together to help save you time, resources, and enhance the administrator experience – which helps you expand and scale your growing business.
© Technews Publishing (Pty) Ltd. | All Rights Reserved.