Security Awareness Training (SAT) was a small but vibrant corner of cybersecurity until recently. About 3 years ago, cyber-insurance policies became much more widespread (concurrent with a huge increase in ransomware, not surprisingly). In the first year or two, many cyber-insurance policies asked whether companies were conducting any proactive security awareness training of users, and then made this training mandatory when the policies came up for renewal. Insurance actuaries, CISOs, and Managed Service Providers (MSPs) like Onward could see the results clearly: SAT works, and it was going to become a lot more widely used in a short amount of time.
Onward has been providing SAT as a partner of many of the most widely used solutions for over 5 years, and we've learned how to help clients choose an SAT solution and what makes the good providers stand out from the rest.
Key features of an effective SAT solution
- A huge training library with regular updates
- You should not consider any SAT solution that has only one series of security content, or whose videos are all the same length. Major players in this field provide content of varying lengths that can be delivered in 5, 15, 30, or 60-minute training sessions depending on the level of detail you need.
- Your SAT solution should have lots of different training options: webinars, videos, games, brandable content, and more. You don’t know what will be effective with your users until you experiment, and all training methods have diminishing returns. You need to have a lot of choices to keep the training interesting, effective, and short.
- Active, targeted Phishing campaigns
- Some SAT solutions only provide training. You choose the videos your users watch; they watch them and get a certificate. While this may pass the minimum insurance requirement, it gives you no actionable information about your risks or how effective your training is.
- Good SAT solutions provide a platform to phish your users intentionally and monitor the results. Current events, internal email spoofing, banking emails, and more can be sent by your SAT platform to see what tricks your users into providing their information or responding to a fake email from the CEO. The landing page only needs to record that a user submitted something; there is no reason for the platform to keep the credentials themselves.
- Phishing reports
- Building on feature #2, good reporting must be easy to access and visually useful. The best SAT solutions make it easy to cross-reference which phishing templates worked against which users, so you can target your training where it is needed and reward the users who pass (or report) phishing tests.
- Data-driven automation
- The most disappointing result for SAT is seeing clients who implemented it once to pass an insurance requirement, then forgot about it. You need an SAT solution that can be configured from the start to be autonomous, with phishing emails that update automatically and continually challenge users.
- Automated, targeted training should be easy to set up and monitor for users who fail phishing tests. Reports to management about who is in training (and who is falling behind) should all be automated.
Why we love SAT
Clients frequently ask me what benefits they can expect from security awareness training. This can be difficult to calculate, but I usually walk them through something like this:
- In the past year, how many productive hours did your users lose to email-based security incidents? Calculate the revenue lost by multiplying those hours by your average revenue per employee-hour
- Onward’s Managed Services and Managed Security clients have this information already in the customer portal
- How much data was lost to email-based security incidents, and at what cost (reputation, fines, insurance, etc.)?
- Add these costs together. If they are more than the cost of your SAT solution, you should purchase and implement SAT
When we implement SAT solutions for our clients, we make sure to set up some SMART goals:
- How many users will be phished, at what frequency, and how often tuning should occur (usually every 90 days)
- Initial training goals
- Retraining parameters (for example: users who fail 2 phishing tests in any quarter)
- Rules of engagement: there is an art to phishing your own users. We like to monitor the results and see what is effective, tuning and improving the campaigns continually. Some clients like us to implement whatever we recommend for maximum phishing effectiveness, while others like the campaigns to run autonomously and training to run on a schedule. We set the rules at the outset and ensure clients know what to expect.
- This is different for every client because corporate cultures vary. Many firms don't even tell their users they are being phished intentionally. In that case we need to agree up front on how to respond to service requests about phishing emails, and how hard to press the phishing campaigns. A good working relationship with the SAT administrators is crucial. Onward has vast experience conducting these campaigns, and some very skilled operators.
If SAT is implemented correctly for your firm, you should see results like this test group:
You would expect the Risk Score to go down over time, but a steadily falling score is not the goal by itself. What we see here is the result of skillful administration of the SAT solution to find the firm's true risk score. If the risk score decreases continually, your campaigns are likely not difficult enough.
Looking more deeply into the results, each group has its own result:
Clearly some groups have higher scores, and some lower. The graphic is from KnowBe4, which integrates nicely with Microsoft Active Directory to automate user enrollment and conveniently sort users into groups.
With campaigns configured properly, the risk scores overall converge to a True Risk Score.
In March 2020 a current event made our test users noticeably more susceptible to phishing emails: the COVID-19 outbreak. This presented an opportunity to proactively test our users (internally and at client sites) for their resilience to the scam and phishing emails that were sure to follow.
With this information, we can set up clear and targeted training campaigns that automatically enroll anyone who fails a phishing test. This relieves the burden of tracking down which users completed their training and which failed the test, and takes the guesswork out of your user-based risks.
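The retraining rule from the SMART goals above (users who fail 2 phishing tests in any quarter) and the automatic enrollment just described are simple to express as data processing over campaign results. The following is an added example, not code from Onward or from any SAT vendor: it takes a constructed set of simulated-phish outcomes and produces the retraining enrollment list, a per-group failure rate, and the list of users who reported every phish they received. The record layout, the group names, and the threshold of two failures per quarter are assumptions for illustration; the failure rate here is a plain percentage and is not any vendor's proprietary Risk Score.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not real campaign results): one record per simulated
# phish delivered, as (user, group, date sent, outcome). Outcome is one of
# "ignored", "reported", "clicked", "submitted". Clicking the link or submitting
# data on the landing page is treated as a failed test.
SAMPLE_RESULTS = [
    ("alice@corp", "Finance", date(2020, 1, 14), "reported"),
    ("alice@corp", "Finance", date(2020, 2, 18), "reported"),
    ("alice@corp", "Finance", date(2020, 3, 17), "reported"),
    ("bob@corp",   "Finance", date(2020, 1, 14), "clicked"),
    ("bob@corp",   "Finance", date(2020, 2, 18), "submitted"),
    ("bob@corp",   "Finance", date(2020, 3, 17), "ignored"),
    ("carol@corp", "Sales",   date(2020, 1, 14), "clicked"),
    ("carol@corp", "Sales",   date(2020, 2, 18), "ignored"),
    ("carol@corp", "Sales",   date(2020, 3, 17), "clicked"),
    ("dave@corp",  "Sales",   date(2020, 3, 17), "clicked"),   # one fail in Q1 ...
    ("dave@corp",  "Sales",   date(2020, 4, 21), "clicked"),   # ... and one in Q2: not enrolled
    ("erin@corp",  "IT",      date(2020, 1, 14), "ignored"),
    ("erin@corp",  "IT",      date(2020, 2, 18), "reported"),
]

FAIL_OUTCOMES = {"clicked", "submitted"}


def quarter(d):
    """Label a date with its calendar quarter, e.g. 2020-03-17 -> '2020-Q1'."""
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def failures_by_user_quarter(results):
    """Count failed tests per (user, quarter)."""
    counts = defaultdict(int)
    for user, _group, sent, outcome in results:
        if outcome in FAIL_OUTCOMES:
            counts[(user, quarter(sent))] += 1
    return dict(counts)


def retraining_enrollments(results, threshold=2):
    """Users to auto-enroll in retraining: `threshold` or more failures
    within a single quarter. Returns {user: [quarters that triggered it]}.
    The threshold is an assumed parameter; tune it to your own rules."""
    enroll = defaultdict(list)
    for (user, q), n in failures_by_user_quarter(results).items():
        if n >= threshold:
            enroll[user].append(q)
    return {user: sorted(qs) for user, qs in enroll.items()}


def group_fail_rate(results):
    """Percentage of delivered phishes that were failed, per group.
    A plain failure rate for the management report, not a vendor risk score."""
    sent = defaultdict(int)
    failed = defaultdict(int)
    for _user, group, _sent, outcome in results:
        sent[group] += 1
        if outcome in FAIL_OUTCOMES:
            failed[group] += 1
    return {g: round(100.0 * failed[g] / sent[g], 1) for g in sent}


def reward_candidates(results):
    """Users who reported every simulated phish they received."""
    outcomes = defaultdict(set)
    for user, _group, _sent, outcome in results:
        outcomes[user].add(outcome)
    return sorted(u for u, seen in outcomes.items() if seen == {"reported"})


def management_summary(results, threshold=2):
    """The automated report: who is in training, how each group is doing,
    and who deserves recognition."""
    return {
        "enroll": retraining_enrollments(results, threshold),
        "group_fail_rate_pct": group_fail_rate(results),
        "reward": reward_candidates(results),
    }


if __name__ == "__main__":
    for key, value in management_summary(SAMPLE_RESULTS).items():
        print(f"{key}: {value}")
```

In practice the input would be an export from the SAT platform rather than a list literal, and the `enroll` output would feed whatever enrolls users in a training campaign. Note that Dave fails twice but never in the same quarter, so the stated rule does not enroll him; if that is not what you want, count failures over a rolling window instead of a calendar quarter.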
With so much sensitive information in the hands of users, it's critical to make sure they have the training they need to stay safe online. A good Security Awareness Training solution is key to ensuring that happens and that security doesn't get pushed to the back burner by your users.