YYBC: Don’t lie to your users about compliance
2014 was PhishMe’s 3rd year at RSA. Our growing team allowed me to steal a few hours away from the Exhibit floor and attend some excellent sessions. While many of the sessions I attended related to PhishMe’s offering, I also made it a point to take a break and enjoy some fringe topics. A talk entitled “The Dark Web and Silk Road” with Thomas Brown, Deputy Chief for Cyber, U.S. Attorney’s Office of Southern New York, was a fascinating view into how Bitcoin is used in illicit underground marketplaces. The presentation was well done and a great play-by-play of how the man behind Silk Road was unmasked and arrested.
Another presentation that really stood out: “Cognitive Injection: Reprogramming the Situation-Oriented Human OS” with Akamai CSO Andy Ellis.
Andy’s session was great, and brought up some points about human behavior and awareness that ring true at PhishMe. Andy made an excellent and much-needed point that you shouldn’t lie to your users about compliance-mandated training. While fulfilling compliance requirements is a necessary exercise for many organizations, trying to dress up compliance material as training that is beneficial or enjoyable for employees is a great way to get them to check out of all security training. Employees will sniff out compliance-driven training, get irritated, and complete the training as quickly as possible. Andy advocated letting employees know when material is fulfilling a compliance requirement, empathizing with them and apologizing for the interruption, and making a point to let them know you’ve made this “training” as short and painless as possible. Once you’ve set that tone, employees will be more receptive to awareness topics that are driven by actual security concerns that confront the business.
When we started PhishMe, we wanted to avoid being associated with compliance. Security awareness training has made the mistake, in my opinion, of pretending that compliance can be fun, and consequently people feel lied to about compliance. We wanted PhishMe to be viewed as something that improved our customers’ security posture, and was worth using on that merit, not on its ability to help fulfill a requirement that employees view as a nuisance. It was a point of pride that customers were using PhishMe strictly to improve security – not to meet compliance requirements. However, compliance is a reality for our customers, and we received enough requests from customers to help them deliver compliance messaging that we decided to incorporate specific compliance-driven content into PhishMe (see screenshots).
Our compliance messages are in line with Andy’s recommendations. Using PhishMe’s Announcements function, administrators can send a simple message about compliance requirements and provide a link for employees to acknowledge viewing the material. The technical term for this is YYBC, formally known as: yada-yada box-check, move on with your day. As the nearby screenshot shows, the message is as straightforward and succinct as possible. PhishMe then provides a report demonstrating that each employee has acknowledged the material.
Delivering compliance messaging in this manner allows you to focus awareness efforts on improving behavior and addressing true security concerns, as Rohyt discussed last fall.
It’s been great to see the increased emphasis on the role humans play in enterprise security at conferences like RSA, and having a prominent security mind like Andy Ellis promote a shift in mindset around compliance training is a positive step. Do you agree with this honest approach to compliance training? Have any of you implemented compliance training like this at your organization?