As in other areas of business, shared intelligence about security awareness training can help organisations improve execution and effectiveness of their programmes.
In October 2017, Lesley Marjoribanks, security awareness manager at the Royal Bank of Scotland (RBS), shared her experiences and advice during a keynote address at Wombat Security’s third annual Wombat Wisdom Conference in Pittsburgh, PA. She described some valuable lessons learned in the planning and rollout of the security awareness training initiatives delivered to RBS end users:
Take your time
Marjoribanks cautioned against rushing to launch an organisation-wide programme. Instead, she suggested taking a more calculated approach, advising programme administrators to run pilots of their security awareness and training components before jumping into a fully-fledged programme.
It is to an organisation’s advantage to schedule a few smaller-scale tests with select departments. For example, a small-scale phishing exercise could be run, to let managers become more familiar with the aspects of the tools being used and iron out any issues prior to assessing all end users.
Identify and communicate with stakeholders
Stakeholders from across an organisation should be identified and invited to frank discussions before beginning a programme, Marjoribanks advised. They need to be clear about the activities that are planned and when they will be happening. It is sensible to think beyond executives and board members and identify the internal departments that could be impacted by cybersecurity assessments and training.
For instance, IT staff are likely to be impacted by a rise in helpdesk calls, so they should be made aware of the timing of any phishing tests. In addition, legal and human resources departments should be consulted to ensure that messaging contained within simulated attacks isn’t out of bounds from a legal or regulatory perspective.
Take a ‘big picture’ approach
According to Marjoribanks, it’s to programme administrators’ benefit to think beyond the immediate when planning and executing a programme. She offered the following advice:
- Think global and There is a need to account for global audiences but also a need to recognise the importance of delivering localised content. Beyond just translating content, organisations should use regional themes and references (like currencies) because they resonate with people.
- Utilise seasonal content. Phishing tests should mimic patterns seen in the wild, and seasonal messages are part of that approach. Emails that masquerade as online offers during the holiday shopping season, or deposit notices during peak holiday times, help teach end users about common phishing scams that are perpetrated on a seasonal basis.
- Think like attackers. Don’t shy away from more difficult tests for users. Even if ‘vanilla’ messages regularly impact your organisation, adding a little more flavour to simulated attacks helps to keep users on their toes and raises awareness of more sophisticated attacks.
- Attempt to identify pitfalls proactively. Try to anticipate technical issues. Think about potential paths for “false clicks,” for example. These might be emails forwarded to third-party security vendors or administrative assistants who might click messages in executive inboxes. Doing this can put administrators on more solid footing once a programme launches.
Establish a knowledge-base for end users
Marjoribanks made the case for administrators to create easy, consistent references for end users where they can find information about an ongoing security awareness training programme.
This should not take the place of direct, regular communications to end users, she cautioned. However, creating a central repository, like an intraweb page, where end users can find answers to frequently asked questions can help take some of the pressure off IT helpdesk operators, security awareness training programme administrators, and other internal resources.
Communicate about email best practices
Sometimes perfectly legitimate emails are written in a way that make them seem suspicious. As end users begin to identify potential traps, they are also likely to be wary of poorly written or designed emails that are actually safe.
Marjoribanks advised that programme administrators should proactively advise internal departments, suppliers, business partners, and other trusted third parties about email best practices, perhaps even providing written guidelines.
Marjoribanks is an advocate for ongoing, continuous training, and she offered a few key pieces of advice about this:
- Always know your next steps. For example, be sure to follow up on phishing tests. Planning and sending simulated attacks doesn’t do much for an organisation if there are no follow-up actions.
- Recognise that improvement is not the end. Organisations need to keep training, even after click rates go down. Users can always benefit from additional cybersecurity education and practice.
- Make good use of the data available to you. Keep gathering and organising your data and seek opportunities to use that data and analysis to your advantage.
- Build a culture of security. It’s important to create a sense of responsibility and ownership with end users. Organisations should strive to keep cybersecurity best practices top-of-mind for end users all the time.
By Gretel Egan, Brand Communications Manager, Wombat Security Technologies