Where Do Security Awareness Programs Belong on the Org Chart?

Part 3 of a 4-part series in support of National Cybersecurity Awareness Month. You can read part 2 here.

For this blog series on building a security awareness program, we started in week 1 with how to build a strategy. Last week we discussed how to select and use content in your overall program and specifically your phishing program. This week we’ll focus on program alignment – in other words, where does the security awareness role report within an organization?

While I was attending a security awareness conference in 2017, day 1 kicked off with a keynote on the incident response process/program. The speaker made a couple of key points that resonated with me and have stuck. The first was about responding to your annual penetration test – do build your program to align with their findings; they will ALWAYS get in, it's their job, etc. The second was aligning your security awareness program to your incident response team.

Should you report to Training and Compliance or Incident Response?

Having spent a number of years in the security awareness role and networking with peers who have similar responsibilities, I can tell you that the reporting alignment is all over the place. Some report into the GRC department, some into the Learning or Training department (typically under HR), and some into the security program directly under the CISO. Some organizations have a first line of defense – the teams with tactical responsibility for defending against threats to the organization – and a second line of defense – the teams that provide oversight or governance for the security program. That split is more common in highly regulated industries.

You also find that security awareness professionals have varying experience and skillsets. You will see all these differences when you search for a job posting in security awareness – including the title. In some organizations the function may be a part-time job, just one of the many responsibilities assigned to the person sitting outside the CISO’s office. Other organizations have taken the time to build a robust program, making administration a full-time job – maybe even one that requires a team and a budget allowing the team to lower risk by addressing behaviors.

If you read part 1 of this series, you will recall the recommendation to ask your Security Operations or Incident Response team about their top incident tickets. If your strategy is to address behaviors that correspond to REAL threats, then it stands to reason that the awareness function should sit as close as possible to the department that responds to those threats. Here's a visualization (purely an example) of the types of risks your program might address:

A robust security awareness program should include the resources – money and people – needed to make the program successful. If you have a compliance team that manages the regulatory and audit requirements, by all means, allow them to manage the annual training requirement for cybersecurity. Just make sure you’re able to review and provide input on the topics being covered, so the program aligns to the current threat landscape. When the auditors or regulators ask you about it, you’re covered.

Cybersecurity threats and behaviors are not black and white. They are constantly changing. Most cybersecurity frameworks and regulations simply state that you should have a security awareness program. Such statements are a little vague, but that's a good thing. Without the constraints of specific elements – newsletters, posters, annual training, phishing simulations, squishy balls shaped like phish, stickers, a security awareness portal, etc. – you get to define what to include in your program, based on the threats and behaviors you need to address.

The metrics can help you find the right home.

One last item that helps decide where to position the security awareness role in the organization: metrics. When the role sits on the governance, risk management, and compliance side, metrics tend to be about training completion or how many users clicked a link or opened an attachment. When the role sits within the security program, metrics focus on outcomes: reducing risk and reducing time to contain an incident, which in turn reduces time to remediate it. Instead of counting clicks you count reports: how many users reported the message, so the SOC can respond to and mitigate the attack.

Wherever your security awareness program lives within your organization, if you’re clear on the metrics you can communicate better. You can market the program and its goals to your business audience, translate technical/cybersecurity concepts in ways anyone can understand – and most importantly, tell people the actions you want them to take.

If you’re just getting started on building your security awareness program, there are plenty of free resources available to you when you’re on a shoestring budget:

See Awareness Resources

Recommended reading: If you’re looking to expand your knowledge on how to create powerful moments in your security awareness program, I suggest reading The Power of Moments by Chip Heath and Dan Heath.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Security Awareness: Choosing Methods and Content that Work

Part 2 in our 4-part series in support of National Cybersecurity Awareness Month. You can read part 1 here 

Last week we examined the importance of setting a strategy and goals for your security awareness program. 

Now that you’ve selected the user behaviors you want to address, the next step is to think about methods and content to nudge users to the correct behaviors. 

We live in a fast-paced world of information overload. You have seconds to get your message across and engage your users. You need to choose proven learning methods and focus your educational content on the behaviors that matter most. More than anything, your training must be simple and to the point.

Simulations Are the Best Way to Teach the Right Behaviors 

Everyone has a different style of learning and consuming information – video, newsletters, blogs, computer-based training (CBT) modules, etc. According to the National Training Laboratories (see charts below), people retain more information from simulations than from any other method.

After years of enabling companies to run simulated phishing campaigns, we have a vast amount of data to support this method of learning. The experience of clicking and having that "Oh no, what just happened?" moment is how the recipient learns.

Running a simulated phishing attack IS the learning moment, not the education page presented after the click on the website or in the attachment. Years of data on how long users stay on that page say the same thing: they don't – the largest segment of users falls in the 0-9 second range for "time spent on education." Yet the data still shows a reduction in susceptibility rate and an increase in reporting rate.

The data also supports the reduction in susceptibility as we look at the number of campaigns it takes to reduce that click rate. When you’re trying to address perpetual clickers, increase the number of campaigns while shortening the time between campaigns. When increasing the number of campaigns, focus on the active threats in order to reduce the risk faster. We first published the chart in our 2015 annual report. In 2019, we ran the numbers again to see if this trend was still the same. Sure enough, the graph still has the same curve. 

Source: Phishing Report 2019

Focus Your Training on Real Threats 

As you start to condition users to report real phishing emails, not just simulated phishes, you’ll want to focus on malicious emails that are getting through the spam filters. In other words, base your simulations on the real attacks your company sees. This will help your users quickly spot the real thing. The goal is to build a resilient workforce that can identify and report potential malicious emails quickly. This drives down the risk to the organization, allowing the security team to mitigate the risk and avoid an incident. 

You will never get to a zero click rate. Phishers are too smart. They craft their emails to look like they’re part of your normal business processes, especially financial transactions. They also constantly change techniques to avoid controls that block their messages. 

So, what does this all mean when we talk about educational content? If you're focusing on behaviors that you're looking to improve, you don't want to hit users with content overload. Instead, create a plan that covers one theme each quarter. Use this theme in your newsletters, videos, or learning modules. However, allow for flexibility to shift if a threat is now affecting your organization (Heartbleed, Meltdown, etc.).

Let's take one more example of using content to nudge the user down the right path. It's the example used in last week's blog on program design – how to change users' browsing behaviors. By presenting the user with a simple banner at the moment they're exhibiting the wrong behavior, you can direct them to take the right action. You can adjust this banner as the behavior changes. Once you curb the habit of clicking through to unknown sites, your metrics may reveal another category that needs to be addressed – such as software downloads.

Cofense recognizes that you have regulatory and compliance requirements to provide annual security awareness training to your organization. To help you focus your resources on the elements of your program that actually make an impact, we provide a series of modules for FREE to any organization (even if you're not a customer).

In summary, keep your security awareness content simple with clear direction—and even better, fun and engaging—and you’ll soon be able to experience a shift in behavior! 

Recommended reading: If you’re looking to expand your knowledge on how to create content and simple messaging for your program, I suggest getting a copy of Made to Stick, Why Some Ideas Survive and Others Die, by Chip and Dan Heath. 


Building a Security Awareness Program? Start with Strategy and Goals

Part 1 of a 4-part series on building and maintaining a security awareness program, in support of Cybersecurity Awareness Month. #BeCyberSmart 

I’ve been with Cofense for two and a half years now interacting with several groups internally, but there are plenty of moments when I still get to chat with Awareness professionals. It’s in these moments that I realize there’s still some passion for helping others with their programs. I wrote this series early in my first few months of joining the organization and find these are still the recommendations I provide to others building or maturing their programs. 

In 2011, I began my journey into security awareness. At that time, there were limited resources and most programs were still compliance focused. Even though I had previously spent five years in IT compliance, I knew this wasn't the right approach to get users to learn or care about security. I kept telling the director who owned the role, "Compliance focus is wrong – you have to market to the users."

Seven years later, I have a few tips to share about creating a security awareness program. The first tip might sound obvious, but how many times have you seen it ignored? Make sure you have a strategy. And while you’re strategizing, remember to set some goals. 

Ask your SOC for help. 

Before you can begin to build your program strategy, reach out to your Security Operations/Incident Response team. This team should be your best friend—and YOU will become theirs. They genuinely care about protecting your organization and you will be a breath of fresh air to them. But you will most likely need to remind them that they have the “Curse of Knowledge” (week-two book suggestion) and they don’t remember what it’s like not to know something. They’ve been doing technology and cyber too long to put themselves in the shoes of the user, so that’s where you step in. 

What to ask them? They have lots of data and metrics. They most likely can give you a number of high-risk incident categories that they track. What are the top two or three categories that ….? How much time does it take to remediate each of these incidents – for the user and for the highly skilled technical staff?

Start simple. 

Once you have identified the top behaviors for your organization, you can begin building a program by outlining strategy and goals. Remember that a strategy is a long-term plan, so don't try to tackle every behavior in your first year. Start simple. Some behaviors may require further analysis.

Let's take browsing for instance. As you dig into the data, you find that your proxy filtering solution categorizes the websites users open. You block the bad stuff – malicious, inappropriate content, gambling, etc. But what about those new, not-yet-categorized websites, you know, the ones attackers like to host their malware on? Do you allow traffic to those websites? Most proxy solutions have a way to show the user a banner or warning page explaining that a site has been blocked and why (for example, it's been categorized as malicious).

So, part of your strategy might be to leverage existing technology to stop users in their tracks. Another part could be to design a banner page explaining WHY a site is potentially bad, along with a way to gain access to and register for the site, so users can do business if they think the risk is low. 

It’s not training, it’s culture and behavior change.  

Security awareness programs over the years have been lumped into the “training” category. Don’t jump right to the “Let’s give them training” camp. Security Awareness is about a culture change, communicating the security posture of the organization. 

If your organization is regulated, you are required to provide annual mandatory training for security. The typical default for this training is a CBT module because it’s easy to track and demonstrate compliance. But don’t stop there. In order to influence change in behavior and culture, you need ongoing communications and content, not just once a year. This is where building a catalog of content and available resources is necessary. Build a portal where you can post newsletters, alerts and videos so your users come to you. Build a calendar of themes for the year, either by month or quarter, but allow for flexibility. This allows you to address new threats that affect your organization or industry. 

You can't do this alone. Yes, you may be the only one officially assigned to this task, but building your informal network and team will help you get your program off the ground. First and foremost, find a senior leader to champion your program, someone who understands the value of the program and will go to bat with their peers. This will help build confidence in your program and make it more visible.

The next group you should befriend are your corporate communications and marketing teams. These groups typically hold the keys to getting your message out. That intranet page? Those teams control the content appearing above and below the scroll. 

Building a program takes time and resources. If those are limited, start small and grow as your program gains credibility. Use small wins to demonstrate value and then expand those resources. There are also plenty of free resources available to help get you started. 

Recommended reading: If you're looking for more material on changing organizational behavior, I suggest getting a copy of Switch: How to Change Things When Change Is Hard, by Chip Heath and Dan Heath.

Next week, part 2 will cover how to add the right content to your program.  

Why Join Us at Cofense Submerge? Here’s What Attendees Say

Next month in Orlando we'll be hosting Cofense™ Submerge 2019, our fourth annual user conference and phishing defense summit. As we wrap up each event, we ask attendees for feedback. What did they like best? Networking and hearing other customers' experiences are always the top responses. As a former customer who now works at Cofense, I totally agree.

Here are some of the answers we heard last year when we asked, “Why attend Submerge?” 

“Sharing ideas was tremendously helpful to me—having the opportunity to meet other people from a variety of industries doing the same thing that I do.” 

We’re all on this journey together, so the opportunity to meet industry peers is invaluable. If you’re new to getting your phishing defense program started, networking with peers can go a long way. If you’ve been running your program for a while and want to recharge it or find out about the latest in the phishing threat landscape, this is the place to get all that! You’ll be amazed how folks in different industries deal with the very same challenges. 

“I’ve taken tons of notes that will help me justify budget and take our program to the next level.” 

When you can take tidbits back to your boss, tips and tricks you can use immediately, that’s a good return on investment. Submerge 2019 offers nearly 30 sessions packed with practical information. Besides getting inspired about the future, you can apply what you learn right away. 

"Substantive case studies provided by clients who had good program maturity."

Each year we hear from our attendees that they prefer sessions that are led by other customers. And when customers speak, we listen. This year, 80% of our sessions will be led by customers. The topics of our sessions this year range from phishing programs to technical incident response and threat intelligence. In most cases, the session leaders will be your peers, people that manage mature phishing defense programs. 

“Submerge is knowledge, security, and innovation.” 

This year’s sessions cover the gamut: trends in security awareness and incident response, a glimpse at our product road map, deep dives on topics like dealing with repeat clickers, and lots more. Not only do we have great sessions, but we have Kevin Mandia, FireEye CEO, providing insights into the incident response landscape.  

So, don’t just take our word for it—ask around and you’ll hear many more reasons to attend Cofense Submerge. Join us in Orlando, September 23-24!  


SMBs: 5 Ways to Avoid Becoming a Small Phish in a Big Pond

In the fall of 2016, I watched a good friend get her business ready for opening in her first retail space. She had previously run everything from her home and now she was entering a whole new phase. I observed her interactions during a few visits and she knew when I gave her that “look,” there was something that needed improving.

“What Wi-Fi network do you have your register assigned to in the shared retail space? You should put a password on that register device you’re using, so when you’re across the store someone can’t open your register.”

The best part of helping her set that device password was watching her millennial daughters return to the store and try to guess the password – listening to their theories on creation was most amusing.

Following are 5 ways you can protect YOUR small business from phishing and other cyber threats.

1. Train Your Employees!

A majority of small businesses have fewer than 50 employees. Ensure your staff are trained on the basics of cybersecurity for their roles. There are a number of free (YES really free!) resources available online to provide the basics: phishing, passwords, internet browsing and data protection.

The number one threat that will impact your business is phishing. Start with the simple actions. Teach employees to diligently check links – hover to see the real destination. If they did click on that link, do they have someone to tell? What if it took them to a website asking for their username and password?  If there’s an attachment, did it come from a trusted sender – if so, were they expecting to receive that invoice or resume file?

In June this year, the FBI issued a warning about the dramatic increase in business email compromise (BEC), which results in financial loss for the targeted business. The BEC scam is a simple email from a fraudster masquerading as a legitimate business executive and asking for funds to be wired. These messages are typically targeted at the individuals in the organization who process invoices or payments.

With a small staff, it's not always easy to build segregation of duties into your processes. But having controls around releasing funds will not only protect you from insider theft, it will also reduce the chance of wire fraud from a random email spoofing your address to your finance team. If your business does become a victim, the FBI encourages you to report the incident.

Remember the Target breach? The attackers started by sending a phishing email to the retailer's HVAC maintenance contractor – a small business.

2. Get Cyber Insurance.

You have an insurance policy on your car to protect you if you’re in an accident. You purchase liability insurance to cover your risk, should you encounter an unforeseen disruption in your business. In order to protect your business from a security incident that could result in a data breach or business disruption, you should invest in a cybersecurity insurance policy.

3. Invest in IT/Cybersecurity Services

Enlisting the help of your teenage nephew is great for setting up your new phone or laptop, but that’s not the best solution to support your growing business. There are plenty of managed service providers to contract support for your technology and cybersecurity needs. Tap into your local small business networks or professional sharing networks for recommendations.

4. Protect your Online Business Accounts

I put it in the cloud! The cloud service offerings today are far more readily available and robust than even five years ago. Entering your credit card info to purchase a piece of the cloud is easy, but make sure you know what you're putting where. Keeping an inventory of these services, along with the type of data you're storing in each, is important if the service experiences a breach or an outage.

While it might be easy to use that same username and password across all your accounts, it only takes one data breach to put all these services at risk. Get a password vault to manage these accounts.

5. Protect your Social Media Accounts

As a small business owner, your number one “go to” place for your marketing campaign is social media. Managing these accounts is critical to protecting your online identity. Who has access to post on your behalf? Limit who has access to the account. Review your profile settings to ensure you have the highest level of security enabled. If the provider allows you to enable two-factor authentication – ENABLE IT!

Learn what two-factor authentication is and how to enable it at https://www.lockdownyourlogin.org/

YOU can do this – small steps can make a BIG difference!

Whether your family business was handed down to you through generations, or you're a new start-up, a nonprofit, a small city, county, or community organization – you have intellectual property or personal data that you need to protect. And you have employees who need to take actions to support your business.

You built your business to live your dream; don’t let a malicious actor take that away from you! As you grow your business, make sure you grow your cybersecurity capabilities right along with it.

Hey! I know I’ve never talked to you before – but can you send some money – QUICK!

Business Email Compromise (BEC), also known as CEO fraud, is a type of phishing email designed to impersonate an executive. In a BEC campaign, the "executive" urgently instructs an employee to wire money, sometimes a lot of money, to a bank account the attacker controls. The FBI reports that BEC scams have cost businesses $12.5 billion.

What makes BEC campaigns different?

In a BEC attack, the weapon of choice is simple words. Instead of tricking people into clicking a malicious link or attachment, a BEC attack tries to lure recipients into taking action. The threat actor will spend time researching the organization, identifying execs whose high-priority messages would make employees respond ASAP.

Though this type of threat is fairly new in the phishing landscape, it is very successful. Actors have been able to make off with millions of dollars, using networks of mules to move the money back to the mothership.

In recent months, there has been a shift in the type of currency requested—gift cards. They’re easy to obtain and, if requested in smaller amounts, can go unnoticed but still add up. Researchers have also been doing their work, hunting these criminal groups with much success. Last summer the FBI announced the arrest of 74 fraudsters, all related to BEC. When an organization realizes it’s been hit with a BEC attack, it can reach out to the FBI, which will work with financial institutions to block the transfer of funds.

What can you do? A few tips.

I remember a few years back when this threat started to surface. I couldn’t help but think back to my days in finance and IT compliance, with a focus on Sarbanes-Oxley, and think about the controls breakdown BEC triggers. Here are some ways to KEEP control.

First and foremost, train your employees to be on the lookout for these types of messages. Secondly, implement controls within your payment process to require a second signature for release of funds. When I worked in the treasury department for a retail chain, there were many days I would have to walk to the Controller's or CFO's office to get a REAL signature on a check greater than $50,000 or a request for a direct wire. Also, look to the gateway controls and implement DMARC/DKIM as discussed in our previous blog post. Keep in mind that DMARC/DKIM only help when the attacker spoofs your own domain; a lookalike domain carrying the executive's display name is not caught by them.

There is another control that is becoming a best practice – tagging external messages in the subject line or message body so employees know the message originated outside the organization. This tag is helpful in spotting BEC messages. Executives and other high-value targets often read their messages on mobile devices, and the mail client on those devices typically shows only the display name, not the full sender address, making it difficult to judge whether the sender is genuine.
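The two gateway-side controls just described (tagging external mail, and noticing when a familiar display name sits on top of an address that is not internal) are straightforward to express as a mail-flow check. Here is an added example, written for this article rather than taken from Cofense or any product, that does both on a raw message using Python's standard email module. It also treats a message that claims your own domain but has no DMARC pass as external, which covers the "spoofing your email address" case from the earlier section. The internal domain list, the executive name list, the [EXTERNAL] tag text, and the three sample messages including their Authentication-Results headers are all constructed assumptions; a real deployment would take the DMARC verdict from its own gateway.

```python
"""Tag external mail and flag executive display-name impersonation (added example)."""
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed configuration for illustration: the organization's own mail domains, the
# display names of executives most likely to be impersonated, and the tag text.
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"pat jones", "jamie lee"}
TAG = "[EXTERNAL]"

# Constructed sample messages, not real traffic.  The first is a BEC-style lure that
# borrows the CFO's display name on a lookalike domain; the second is a genuine
# internal message that passed DMARC; the third claims the internal domain but failed.
BEC_LURE = """From: "Pat Jones" <pat.jones@example-cfo.test>
To: payables@example.com
Subject: Urgent wire today
Authentication-Results: mx.example.com; dmarc=none header.from=example-cfo.test

Are you at your desk? I need a wire sent before 3pm. Reply and I'll send details.
"""

INTERNAL_OK = """From: "Pat Jones" <pat.jones@example.com>
To: payables@example.com
Subject: Q3 close checklist
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com

Attached is the checklist for Friday.
"""

SPOOFED_INTERNAL = """From: "Pat Jones" <pat.jones@example.com>
To: payables@example.com
Subject: Wire instructions
Authentication-Results: mx.example.com; dmarc=fail header.from=example.com

Please process the attached wire today.
"""


def sender_parts(msg):
    """Return (display name lowercased, address lowercased, domain) from the From header."""
    name, addr = parseaddr(str(msg["From"] or ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return name.strip().lower(), addr, domain


def dmarc_result(msg):
    """Extract the dmarc=<result> token from Authentication-Results; 'none' if absent."""
    header = str(msg.get("Authentication-Results", ""))
    for token in header.replace(";", " ").split():
        if token.lower().startswith("dmarc="):
            return token.split("=", 1)[1].lower()
    return "none"


def assess(raw):
    """Classify a raw RFC 5322 message. Returns (is_external, list of findings)."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr, domain = sender_parts(msg)
    external = domain not in INTERNAL_DOMAINS
    findings = []
    if external:
        findings.append("sender is outside the organization")
        if name in EXECUTIVE_NAMES:
            # A mobile client shows only "Pat Jones"; the address tells the real story.
            findings.append(f"display name matches executive '{name}' but address is {addr}")
    elif dmarc_result(msg) != "pass":
        # Our own domain in From but no DMARC pass: treat as spoofed, not as internal.
        external = True
        findings.append(f"claims internal domain but DMARC result is '{dmarc_result(msg)}'")
    return external, findings


def tag_subject(raw):
    """Return the Subject line the user would see after the gateway applied the tag."""
    msg = message_from_string(raw, policy=policy.default)
    external, _ = assess(raw)
    subject = str(msg["Subject"] or "")
    if external and not subject.startswith(TAG):
        subject = f"{TAG} {subject}"
    return subject


if __name__ == "__main__":
    for label, raw in (("BEC lure", BEC_LURE), ("internal", INTERNAL_OK),
                       ("spoofed", SPOOFED_INTERNAL)):
        ext, notes = assess(raw)
        print(f"{label:9} external={ext!s:5} subject={tag_subject(raw)!r}")
        for note in notes:
            print("   -", note)
```

The display-name match is deliberately crude (exact lowercase match on the names you configure); in practice the list comes from your directory and the comparison should tolerate middle initials and reordered names, but the point stands: the tag and the finding are what a recipient on a phone will actually see, since the address itself is hidden.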

A BEC sample:

The importance of tagging for viewing on a mobile device – mail client vs mobile:

If your organization becomes the victim of a BEC scam, report it quickly to help the authorities stop the funds from going through. Reporting also provides law enforcement with more information about the threat actor, which further helps to fight these crimes.

Learn more about phishing threats and protection in the Cofense State of Phishing Defense report.


When Sharing Isn’t Caring: Phishing Attacks Are Abusing File-Sharing Sites

Cofense™ has predicted continued growth in phishing attacks that abuse file-sharing services, for example Google Docs or SharePoint. In this post, I'll examine why and how threat actors are doubling down on this tactic.

First, here’s the full prediction from Cofense threat analysts Nick Guarino and Lucas Ashbaugh:

"The majority of phish seen in the wild in 2019 will live in historically 'trusted' sharing services like Google Docs, SharePoint, WeTransfer, Dropbox, Citrix ShareFile, and Egnyte. It's difficult for these services to keep up with the constant barrage of varied phishing tactics (Whack-A-Phish, anyone?). In fact, the service providers can be really slow about staying on top of this stuff. Traditional security tools (firewalls, anti-virus) have no insight into the files housed on these services. As a result, it is incredibly difficult to protect users against these phish hiding in plain sight."

Why is file-sharing a target? Because users trust these services.

In a recent post on credential phishing threats, we referenced the cloud as an attack surface. One of the emotional triggers a threat actor will pull is trust. When users get an email pointing them to, say, Dropbox, there's a greater likelihood they will engage with the message. These services have become trusted brands, so it's only natural for a threat actor to leverage them.

It’s difficult for email gateway controls to block messages that link to these cloud-based services. Because the file is hosted outside the organization’s perimeter, traditional security solutions such as firewalls or anti-virus don’t have visibility. Threat actors are well aware of this fact, which is why they’ve been so successful with these types of campaigns.

User interaction is related to the business process.

We often see threat actors use generic messages as shown in the example below. In it, you won’t find any brands that would make the user more likely to interact with the message. The likelihood of user interaction is related to the business process presented—easily shared files.

This particular organization has URL defense protections enabled; such products typically rewrite links to route them through a scanning service. It has also added tags to the message to alert the user that it may be harmful, since it originated outside the organization. These additional defenses can be helpful, but a rewritten link no longer shows the real destination when the user hovers over it, which makes it difficult for the user to assess whether the URL is legitimate.

One thing you can do: focus your phishing defense program on current threats, like attacks that abuse file-sharing. Teach users to identify phishing emails that link to file-sharing sites and condition them to ask questions before acting on the message, for example:

  • “Am I expecting to receive an invoice from the sender?”
  • “Does my job normally require me to process invoices from unknown sources?”
  • If yes, “Does our business process require the finance teams to validate that an invoice or purchase order is expected or legitimate?” This may be possible in a smaller organization where teams interact with each other more frequently; however, it is most likely not the case in larger, more diverse organizations.
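The three questions above can also be turned into a first-pass triage rule for the mailbox that receives user-reported emails. The following Python is an added example, not Cofense code or a product feature: it flags messages that combine an external sender with a link to one of the sharing services named in this post and invoice-style lure wording, which is the combination the post describes. The organisation domain, the sharing-domain list and the three sample messages are constructed for the example.

```python
"""Triage helper for reported emails that link to file-sharing services.

Added example (not part of the original post). Assumptions: the
organisation's own domain is example.com, and the sharing-domain list is
the handful of services named in the post; a real deployment would build
both from its own mail-gateway telemetry.
"""
import re
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"  # hypothetical organisation domain

# Sharing services mentioned in the post (assumed list for this example).
SHARING_DOMAINS = {
    "docs.google.com", "drive.google.com", "sharepoint.com",
    "wetransfer.com", "dropbox.com", "sharefile.com", "egnyte.com",
}

# Wording that mirrors the "am I expecting an invoice?" questions.
LURE_WORDS = ("invoice", "purchase order", "shared a file", "document")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _is_sharing_host(host: str) -> bool:
    """True when host is a sharing service or one of its subdomains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in SHARING_DOMAINS)


def triage(sender: str, subject: str, body: str) -> dict:
    """Return a verdict plus the reasons behind it for one message.

    escalate: external sender + sharing-service link + lure wording
    review:   external sender + sharing-service link
    none:     anything else (still logged, so analysts can tune the rule)
    """
    reasons = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    external = sender_domain != INTERNAL_DOMAIN
    if external:
        reasons.append("external sender")

    share_links = [
        u for u in URL_RE.findall(body)
        if _is_sharing_host(urlparse(u).hostname or "")
    ]
    if share_links:
        reasons.append("links to file-sharing service")

    text = f"{subject} {body}".lower()
    lure = any(w in text for w in LURE_WORDS)
    if lure:
        reasons.append("invoice/document lure wording")

    if external and share_links and lure:
        verdict = "escalate"
    elif external and share_links:
        verdict = "review"
    else:
        verdict = "none"
    return {"verdict": verdict, "reasons": reasons, "links": share_links}


# Constructed sample messages (sender, subject, body).
PHISH = (
    "billing@vendor-portal.net",
    "Invoice 4471 shared with you",
    "Please review the invoice here: "
    "https://www.dropbox.com/s/abc123/Invoice.pdf?dl=0",
)
INTERNAL_SHARE = (
    "alice@example.com",
    "Q3 deck",
    "Draft at https://docs.google.com/presentation/d/xyz",
)
EXTERNAL_PLAIN = (
    "news@partner.example.org",
    "Monthly newsletter",
    "Your monthly statement is attached.",
)

if __name__ == "__main__":
    for msg in (PHISH, INTERNAL_SHARE, EXTERNAL_PLAIN):
        print(msg[1], "->", triage(*msg))
```

The rule deliberately does not score an internal colleague sharing a Google Doc: the post's point is that the external-origin tag and the sharing link are only meaningful together with the business-process question, so the verdict is driven by the combination rather than any single indicator.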

To repeat, as long as these types of attacks are successful, we will continue to see them near the top of the phishing charts.



All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Expect Credential Phishing to Continue Surging in 2019

“Hackers don’t need to break in, they only need to log in.” This was a quote mentioned at a conference I attended last December and which I repeated in an e-book Cofense™ recently published, 6 Phishing Predictions for 2019. My prediction was that hackers will continue to go full bore with credential phishing, emails that specifically ask for username and password.

October may be over – but phishing attacks never stop. Here’s how to make security awareness successful all year round.

Part 4 of a 4-part series in support of National Cybersecurity Awareness Month. You can read part 3 here.

As October comes to a close, so too does National Cybersecurity Awareness Month. But not so fast – security awareness isn’t just about October. It runs all year long, it never stops, and it is ever evolving.

I developed this four-part blog series during National Cybersecurity Awareness Month to provide key industry insights and proven methodologies for building and enhancing your security awareness program. We started in week 1 with building a program strategy, followed up by discussing program content in week 2. Last week we focused on the alignment of the security awareness function with the organization. This week we’ll wrap up the series with some key findings published in the (ISC)² Cybersecurity Workforce Study. According to the report, lack of focus on security awareness is the top challenge for ensuring long-term security awareness program success.1

Figures 1 (left) and 2 (right) – Image source: https://www.isc2.org/Research/Workforce-Study

5 Ways to Bring Focus to Security Awareness Programs

As noted in the charts above, there are several reasons, all with fairly equal representation, as to why security awareness programs lack focus. I’m going to break down each of these reasons and explain how you can overcome that hurdle to bring more focus to your awareness programs.

  • Low security awareness among end users. This is a no-brainer. It’s important that security awareness programs are rolled out to everyone in the organization, not just select groups. While some programs start with training a few key groups to benchmark results, it’s important to get buy-in to enroll the entire organization, so that ongoing training builds resilience to attacks across all teams.
  • Not enough skilled cybersecurity professionals available. The report cited that end users – people – can lead to more security vulnerabilities*, so it’s no surprise to see the security awareness function at the top of the chart as a much-needed area of expertise. Many organizations still assign this as a part-time job function along with other security hats to wear, which prevents focus. Instead, have a dedicated security awareness lead running the programs while working alongside other internal security professionals to ensure the programs remain well-rounded and effective.
  • Inadequate funding. Security awareness is a necessary and essential component of a larger threat defense strategy and needs to be a budget priority in order to begin reducing your organization’s cybersecurity risk and building resiliency to today’s top threats. At some point, perimeter technologies will fail to stop a phishing attempt, and it’s up to resilient, trained humans to recognize and report suspicious emails. This last line of defense is an area worth investing in.
  • Too much data to analyze. As more and more humans are enrolled and participating in a security awareness program, there are more data points to digest and analyze on the state of threat susceptibility, resilience, program participation and success. Identify and prioritize the key data sets needed to demonstrate the security posture of the organization, and collaborate with security teams to report and analyze program trends as that posture changes. This may include your organization’s phishing resilience and reporting rates, for example, as opposed to inflated metrics such as click rates or susceptibility rates.
  • Lack of management support/awareness. This is often one of the biggest hurdles preventing a security awareness program from reaching its full potential and scope. Having management understand the necessity of security awareness as a foundational component of a strong threat defense strategy is key. One idea is to run a phishing simulation trial with key management members to understand how susceptible the organization is from the top down. Once management realizes how easy it is for a phishing email to replicate a real one, there may be more awareness of, and inclination to engage in, security awareness practices than before.
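The "too much data" point above argues for reporting resilience and reporting rates rather than click rates alone. The following Python is an added example, not Cofense code or the output of any product: it takes constructed per-department results from three simulated campaigns and computes click rate, reporting rate and a resiliency ratio, defined here as reporters divided by clickers (an assumption made for this example). The data are chosen so that the campaign with the lowest click rate is actually the weakest one once reporting is taken into account.

```python
"""Phishing-simulation metrics that go beyond click rate.

Added example (not part of the original post). The records below are
constructed: (campaign, department, recipients, clicked, reported).
"""
from collections import defaultdict

RESULTS = [
    ("2019-Q1 invoice lure",    "finance",     5, 3, 1),
    ("2019-Q1 invoice lure",    "engineering", 5, 1, 1),
    ("2019-Q2 shared-doc lure", "finance",     5, 1, 0),
    ("2019-Q2 shared-doc lure", "engineering", 5, 1, 0),
    ("2019-Q3 invoice lure",    "finance",     5, 2, 3),
    ("2019-Q3 invoice lure",    "engineering", 5, 2, 3),
]


def _rates(recipients: int, clicked: int, reported: int) -> dict:
    """Click rate, reporting rate and resiliency (reporters / clickers).

    Resiliency is None when nobody clicked, since the ratio is undefined;
    reporting rate is the better signal in that case.
    """
    return {
        "recipients": recipients,
        "click_rate": clicked / recipients if recipients else 0.0,
        "report_rate": reported / recipients if recipients else 0.0,
        "resiliency": reported / clicked if clicked else None,
    }


def campaign_metrics(records) -> dict:
    """Aggregate records per campaign and return metrics keyed by campaign."""
    totals = defaultdict(lambda: [0, 0, 0])
    for campaign, _dept, recipients, clicked, reported in records:
        t = totals[campaign]
        t[0] += recipients
        t[1] += clicked
        t[2] += reported
    return {c: _rates(*t) for c, t in totals.items()}


def weakest_departments(records, campaign: str) -> list:
    """Departments for one campaign, least resilient first.

    Departments where nobody clicked sort last; ties break on report rate.
    """
    rows = []
    for camp, dept, recipients, clicked, reported in records:
        if camp == campaign:
            m = _rates(recipients, clicked, reported)
            rows.append((dept, m))
    rows.sort(key=lambda r: (
        r[1]["resiliency"] is None,          # undefined ratio last
        r[1]["resiliency"] or 0.0,
        r[1]["report_rate"],
    ))
    return [dept for dept, _ in rows]


def misleading_improvements(records) -> list:
    """Campaigns whose click rate fell but whose resiliency also fell.

    These are the cases where reporting click rate alone would overstate
    progress; campaigns are compared in the order they appear.
    """
    flagged = []
    prev = None
    for campaign, m in campaign_metrics(records).items():
        if prev is not None:
            clicks_fell = m["click_rate"] < prev["click_rate"]
            resil_fell = (m["resiliency"] or 0.0) < (prev["resiliency"] or 0.0)
            if clicks_fell and resil_fell:
                flagged.append(campaign)
        prev = m
    return flagged


if __name__ == "__main__":
    for campaign, m in campaign_metrics(RESULTS).items():
        print(f"{campaign}: click {m['click_rate']:.0%}, "
              f"report {m['report_rate']:.0%}, resiliency {m['resiliency']}")
    print("click rate improved but resiliency fell:",
          misleading_improvements(RESULTS))
    print("focus for Q1:", weakest_departments(RESULTS, "2019-Q1 invoice lure"))
```

In the constructed data the Q2 campaign has half the click rate of Q1 and would look like progress on a click-rate chart, yet nobody reported it, so its resiliency is zero; Q3 has the same click rate as Q1 but more reporters than clickers. Presenting the ratio alongside the reporting rate is what keeps management looking at the right number.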

You’ve Launched a Successful Security Awareness Program – How Do You Keep it Successful?

Every day is a new beginning when it comes to cybersecurity. Threats and vulnerabilities are always changing, so your security awareness program needs to be nimble and fluid to mitigate those evolving threat vectors. Behavior improvement is ongoing, and so should your security awareness program be. Organizations are constantly under attack as threat actors continue to find ways past an organization’s technical defenses, such as perimeter technologies and email gateways.

How do you keep your program aligned with current threats? Reach out to your cyber threat intelligence or incident response teams. These teams are constantly researching the current threat landscape and identifying whether, and how, it affects the organization. Download the latest white paper on cybersecurity or the threat landscape. Read technical blogs from trusted cybersecurity solution providers to stay abreast of current news and threat trends. Another great resource is setting up Google Alerts for keywords: phish email, data breach, malware, cyberattack, cybersecurity, Cofense™, awareness training, threat intelligence.

Jumpstart Your Efforts Today with Free Security Awareness Resources

Remember that a program takes time to evolve and mature. Recognize small wins for the organization and continue to move forward to mature the program. Just as the threats are never ending, so too is the security awareness function.

As you set your priorities for the program, don’t forget that Cofense provides a wealth of training modules for free, which includes specific topics and compliance modules to meet your regulation requirements. If you’re just getting started on building your security awareness program, there are plenty of free security awareness resources available to you when you’re on a shoestring budget, including a turn-key security awareness program kit, posters, presentations and other resources to get you started.


References:

1. Source: “Cybersecurity Professionals Focus on Developing New Skills as Workforce Gap Widens,” (ISC)² Cybersecurity Workforce Study, 2018

* Source: “Cybersecurity Professionals Focus on Developing New Skills as Workforce Gap Widens,” (ISC)² Cybersecurity Workforce Study, 2018
