How to Build A Security Awareness Program From Scratch
With the threat posed by modern cyber attacks, building a security awareness program should be a priority for every organization. So what keeps it on wishlists instead of to-do lists?
To help, we’ve distilled years of experience working with major organizations into the resources and guidelines you need to finally build an effective security awareness program: one that not only satisfies compliance requirements, but also has a real impact on security.
We’ll cover building an information security awareness program from the ground up:
- 5 Roadblocks to building a security awareness program
- Setting goals and objectives
- Awareness vs Training
- Why Simulations Need To Be The Foundation Of Your Program
- Security awareness program ideas & examples
- Choosing metrics & measuring effectiveness
- Where Do Security Awareness Programs Belong on the Org Chart?
- A free security awareness program template & kit
5 Roadblocks to Building a Security Awareness Program
One of the best ways to make sure your program succeeds is to design it specifically to avoid the most common obstacles to getting it built at all.
Our guide will address each one of these in detail, but here is your primer:
- Low security awareness among end users. This is a no-brainer. It’s important that security awareness programs are rolled out to everyone in the organization, not just select groups.
- Not enough skilled cybersecurity professionals available. Many organizations still assign this as a part time job function along with other security hats to wear, preventing focus. Instead, have a dedicated security awareness lead running the programs while working alongside other internal security professionals to ensure the programs remain well-rounded and effective.
- Inadequate funding. We have some free resources to get you started, but security awareness is a necessary and essential component to a larger threat defense strategy and needs to be a budget priority.
- Too much data to analyze. We’ll help you identify and prioritize the few data sets that actually demonstrate the security posture of the organization, and show you how to work with the security teams to report on program trends and act on changes.
- Lack of management support/awareness. Getting management to understand the necessity of security awareness is often one of the biggest hurdles in building any program. By following our recommendations you’ll have the evidence you need to demonstrate the program’s worth and justify expanding it.
Start with Your Security Awareness Program Objectives
Before you can begin to build your program strategy, reach out to your Security Operations/Incident Response team. This team should be your best friend—and YOU will become theirs. They genuinely care about protecting your organization and you will be a breath of fresh air to them.
What to ask them? They have lots of data and metrics. They most likely can give you a number of high risk incident categories that they track. What are the top 2-3 categories that trouble them? How much time does it take to remediate each of these incidents—for the user and the highly skilled technical staff?
Once you have mapped those incident categories to the user behaviors behind them, you can begin building a program by outlining strategy and goals. Remember that a strategy is a long term plan, so don’t try to tackle every behavior in your first year. Start simple. Some behaviors may require further analysis before you know how to address them.
Security Awareness Program Objective Example
Let’s take browsing for instance. As you dig into the data, you find that users can open websites that have not yet been categorized by your proxy filtering solution. You block the bad stuff—malicious, inappropriate content, gambling, etc. But what about those brand-new websites, the ones attackers like to host their malware on precisely because no filter has categorized them yet? Do you allow traffic to those websites? Most proxy solutions have a way for you to show the user a block page or warning banner, letting them know a site has been blocked and why (for example, because it has been categorized as malicious or is uncategorized).
So, part of your strategy might be to leverage existing technology to stop users before they act. Another part could be to design a block page explaining WHY a site is potentially bad, along with a way to request access to and register the site, so users can still do business if they judge the risk to be low. The request itself gives you a record of who needed what, which feeds back into your metrics.
Are You Really Building a Security Awareness Training Program?
Security awareness programs over the years have been lumped into the “training” category. Don’t jump right to the “let’s give them training” camp. Security Awareness is about a culture change, communicating the security posture of the organization.
If your organization is regulated, you are required to provide annual mandatory training for security. The typical default for this training is a CBT module, because it’s easy to track and demonstrate compliance (we actually have free CBT modules to help you cross that off your list to focus on real security awareness).
But don’t stop there.
In order to influence a change in behavior and culture, you need ongoing communications and content, not just a single event once a year. This is where building a catalog of content and available resources is necessary. Build a portal where you can post newsletters, alerts, and videos so your users come to you. Build a calendar of themes for the year, by month or by quarter, and allow for flexibility. This lets you address new threats that affect your organization or industry as they appear.
Why Simulations Need To Be The Foundation Of Your Program
Now that you’ve selected the user behaviors you want to address, the next step is to think about the methods and content that will steer users toward the correct behaviors.
We live in a fast-paced world of information overload. You have seconds to get your message across to engage your users. You need to choose proven learning methods and focus your educational content on the behaviors that matter most. More than anything, your training must be simple and to the point.
Simulations Are the Best Way to Instill the Right Behaviors
Everyone has a different style of learning and consuming information – video, newsletters, blogs, computer based training modules (CBT), etc. According to the National Training Laboratories (see charts below), people retain more information from simulations than from any other method. Those retention percentages are widely quoted but the original study behind them has never been located, so treat them as an illustration; the stronger argument is the simulation data that follows.
After years of enabling companies to run simulated phishing campaigns, we have a vast amount of data to support this method of learning. The experience of clicking and having that “Oh no, what just happened?” moment, is really how the recipient learns.
Running a simulated phishing attack IS the learning moment. It’s not the education presented during the campaign on the landing page or in the attachment. This is supported by the data we have captured over the years on how long users stay on the page to read that education. They don’t – the largest segment of users falls in the 0-9 seconds range for “time spent on education.” Yet the data still shows a reduction in susceptibility rate and an increase in reporting rate.
The data also shows how many campaigns it takes to bring the click rate down. When you’re trying to address perpetual clickers, increase the number of campaigns while shortening the interval between them. When you increase the number of campaigns, base them on the active threats you are seeing in order to reduce the risk faster.
Security Awareness Program Ideas & Examples
As you start to condition users to report real phishing emails, not just simulated phishes, you’ll want to focus on malicious emails that are getting through the spam filters. In other words, base your simulations on the real attacks your company sees. This will help your users quickly spot the real thing. The goal is to build a resilient workforce that can identify and report potential malicious emails quickly. This drives down the risk to the organization, allowing the security team to mitigate the risk and avoid an incident.
You will never get to a zero click rate. Phishers are too smart. They craft their emails to look like they’re part of your normal business processes, especially financial transactions. They also constantly change techniques to avoid controls that block their messages.
So, what does this all mean when we talk about educational content?
When focusing on behaviors to improve your program, you don’t want to hit users with content overload. Instead, create a plan that includes a theme for each quarter. Use this theme in your newsletters, videos, or learning modules. However, allow for the flexibility to shift if a threat could affect your organization (Heartbleed, Meltdown, etc.).
Let’s take one more example of using content to guide the user to the right path. By presenting the user with a simple banner at the moment they’re exhibiting the wrong behavior, we can direct them to take the right action. You can adjust this banner as the behavior changes. Once you curb their habits to click through to unknown sites, your metrics may reveal a category that needs to be addressed – such as software downloads.
Where Do Security Awareness Programs Belong on the Org Chart?
When building a security awareness program, there are a few key factors that you’ll want to take into account. First, use the findings of your annual penetration test to inform your program, but don’t build the program around them alone: the testers will ALWAYS get in, that is their job. Second, ensure that your security awareness program is aligned with your incident response team.
Should you report to Training and Compliance or Incident Response?
If you’ve spent any time in a security awareness role you already know that the reporting alignment is all over the place. Some report into the GRC department, some into the Learning or Training department (typically under the HR function), and some into the security program directly under the CISO. Some organizations will have a first line of defense – the teams with the tactical responsibility of defending against threats to the organization. They may also have a second line of defense – the teams that provide oversight or governance for the security program. This alignment tends to be more present in highly regulated industries.
You may also find that security awareness professionals have varying experience and skillsets. In some organizations the function may be a part-time job, just one of the many responsibilities assigned to the person sitting outside the CISO’s office. Other organizations have taken the time to build a robust program, making administration a full-time job – maybe even one that requires a team and a budget allowing the team to lower risk by addressing behaviors.
You will recall the recommendation to go ask your Security Operations or Incident Response team about their top incident tickets. If your strategy is to address behaviors corresponding to REAL threats, then it stands to reason that the awareness function should be aligned as closely as possible with the department that responds to those threats. Here’s a visualization (purely an example) of the types of risks your program might address:
A robust security awareness program should include the resources – money and people – needed to make the program successful. If you have a compliance team that manages the regulatory and audit requirements, by all means, allow them to manage the annual training requirement for cybersecurity. Just make sure you’re able to review and provide input on the topics being covered, so the program aligns to the current threat landscape. When the auditors or regulators ask you about it, you’re covered.
Cybersecurity threats and behaviors are not black and white. They are constantly changing. Most cybersecurity frameworks and regulations simply state that you should have a security awareness program. Such statements are a little vague, but that’s a good thing. Without the constraints of specific mandated elements – newsletters, posters, annual phishing training, squishy balls shaped like phish, stickers, a security awareness portal, etc. – you get to define what to include in your program, based on the threats and behaviors you need to address.
You can’t do this alone. Yes, you may be the only one officially assigned to this task, but building your informal network and team will help you get your program off the ground. First and foremost, find a senior leader to champion your program, someone who understands the value of the program and will go to bat with their peers. This will help build confidence in your program and make it more visible.
The next group you should befriend is your corporate communications and marketing teams. This group typically holds the keys to getting your message out. That intranet page? Those teams control the content appearing above and below the scroll.
Security Awareness Metrics
The metrics can help you find the right home.
One last item that helps decide where to position the security awareness role in the organization – metrics. When the role is aligned with the governance, risk management, and compliance side of the organization, the metrics are about completing the training or about how many users clicked a link or opened an attachment. When the role is aligned with the security program, the metrics focus on end results: reducing risk and reducing the time to contain an incident, which in turn reduces the time to remediate it. Instead of focusing on the number of clicks, you focus on reports: how many users reported the message, and how quickly the first report arrived, so the SOC can respond to and mitigate the attack before the clicks turn into compromises.
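The two views of the same campaign data described above (the compliance view of clicks, and the security view of reports, time to first report and repeat clickers from the simulation section) side by side, as an added example; this is not Cofense’s reporting code, and the campaign names, users and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Recipient:
    """One recipient of one simulated campaign, as a simulator export would list it."""
    campaign: str
    user: str
    sent_at: datetime
    clicked_at: Optional[datetime]    # None if the user never clicked
    reported_at: Optional[datetime]   # None if the user never reported


def _t(s: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(s) if s else None


# Constructed sample data (hypothetical campaigns and users, not real results).
RAW = [
    # campaign,     user,    sent,               clicked,            reported
    ("Q1-invoice", "alice", "2024-01-10T09:00", "2024-01-10T09:05", None),
    ("Q1-invoice", "bob",   "2024-01-10T09:00", "2024-01-10T09:20", "2024-01-10T09:25"),
    ("Q1-invoice", "carol", "2024-01-10T09:00", None,               "2024-01-10T09:02"),
    ("Q1-invoice", "dave",  "2024-01-10T09:00", "2024-01-10T11:00", None),
    ("Q1-invoice", "erin",  "2024-01-10T09:00", None,               None),
    ("Q2-payroll", "alice", "2024-04-10T09:00", "2024-04-10T09:03", None),
    ("Q2-payroll", "bob",   "2024-04-10T09:00", None,               "2024-04-10T09:10"),
    ("Q2-payroll", "carol", "2024-04-10T09:00", None,               "2024-04-10T09:01"),
    ("Q2-payroll", "dave",  "2024-04-10T09:00", "2024-04-10T09:30", None),
    ("Q2-payroll", "erin",  "2024-04-10T09:00", None,               "2024-04-10T09:40"),
    ("Q3-mfa",     "alice", "2024-07-10T09:00", "2024-07-10T09:02", None),
    ("Q3-mfa",     "bob",   "2024-07-10T09:00", None,               "2024-07-10T09:05"),
    ("Q3-mfa",     "carol", "2024-07-10T09:00", None,               "2024-07-10T09:03"),
    ("Q3-mfa",     "dave",  "2024-07-10T09:00", None,               None),
    ("Q3-mfa",     "erin",  "2024-07-10T09:00", None,               "2024-07-10T09:15"),
]
EVENTS = [Recipient(c, u, _t(s), _t(k), _t(r)) for c, u, s, k, r in RAW]


def campaign_metrics(events):
    """Per-campaign rates. Susceptibility is the compliance-style click metric;
    reporting rate and minutes to first report are what the SOC actually acts on."""
    by_campaign = {}
    for e in events:                       # dict keeps first-seen campaign order
        by_campaign.setdefault(e.campaign, []).append(e)
    out = {}
    for name, rows in by_campaign.items():
        delivered = len(rows)
        clicked = sum(1 for r in rows if r.clicked_at)
        reported = sum(1 for r in rows if r.reported_at)
        first = min((r.reported_at - r.sent_at for r in rows if r.reported_at), default=None)
        out[name] = {
            "delivered": delivered,
            "susceptibility_rate": clicked / delivered,
            "reporting_rate": reported / delivered,
            # reports per click: >1 means the SOC hears about it more often than a click lands
            "resilience_ratio": reported / clicked if clicked else float("inf"),
            "minutes_to_first_report": first.total_seconds() / 60 if first else None,
        }
    return out


def repeat_clickers(events, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: the 'perpetual clickers'
    who need more frequent, shorter-interval campaigns rather than more CBT."""
    counts = {}
    for e in events:
        if e.clicked_at:
            counts[e.user] = counts.get(e.user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= min_clicks)


def is_improving(metrics):
    """True when susceptibility falls every campaign and reporting never falls."""
    susc = [m["susceptibility_rate"] for m in metrics.values()]
    rep = [m["reporting_rate"] for m in metrics.values()]
    falling = all(b < a for a, b in zip(susc, susc[1:]))
    rising = all(b >= a for a, b in zip(rep, rep[1:]))
    return falling and rising


if __name__ == "__main__":
    for name, m in campaign_metrics(EVENTS).items():
        print(name, m)
    print("repeat clickers:", repeat_clickers(EVENTS))
    print("improving:", is_improving(campaign_metrics(EVENTS)))
```

Note that bob in Q1 both clicked and reported; a click-only metric records him as a failure, while the report is what gives the SOC something to act on. Reporting him in both columns, rather than netting them out, is deliberate.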
Wherever your security awareness program lives within your organization, when you’re clear on the metrics you can communicate better. You can market the program and its goals to your business audience, translate technical/cybersecurity concepts in ways anyone can understand – and most importantly, tell people the actions you want them to take.
Free Security Awareness Program Template & Resources
Building a program takes time and resources. If those are limited, start small and grow as your program gains credibility. Use small wins to demonstrate value to executives and then expand those resources.
If you’re just getting started on building your security awareness program, there are plenty of free resources available to you when you’re on a shoestring budget.
Cofense recognizes that you have regulatory and compliance requirements to provide annual security awareness training to your organization. To help you focus your resources on the elements of your program that actually make an impact, we provide a series of modules for FREE to any organization (even if you’re not a customer).
In summary, keep your security awareness content simple with clear direction—and even better, fun and engaging—and you’ll soon be able to experience a shift in behavior!
Maintaining Your Security Awareness Program
Every day is a new beginning when it comes to cybersecurity. Threats and vulnerabilities are always changing – so your security awareness program needs to be nimble and fluid to mitigate those evolving threat vectors.
Behavior improvements are ongoing, and your security awareness program should evolve with them. Organizations are constantly under attack as threat actors continue to find ways past an organization’s technical defenses, such as perimeter technologies and email gateways.
How do you keep your program aligned with the current threats?
- Reach out to your cyber threat intelligence or incident response teams. These teams are constantly researching the current threat landscape and identifying whether, and how, it affects the organization.
- Download the latest white papers on cybersecurity or the threat landscape.
- Read technical blogs from trusted cybersecurity solution providers to stay abreast of current news and threat trends.
- Another great resource is setting up Google Alerts for keywords such as: phishing email, data breach, malware, cyberattack, cybersecurity, awareness training, threat intelligence.
How Cofense Can Help
Besides our free resources, we offer services and solutions that make building a security awareness program easy. Contact us today for a custom demo of our capabilities.