security awareness and training best practices by wombat security
TRANSCRIPT
© 2008 - 2015 Wombat Security Technologies, Inc. All rights reserved.
Best Practices for Security Awareness and Training
What Will You Learn?
• The evolution of security awareness and training
• Components of effective training
• Our Continuous Training Methodology
  – Steps: Assess, Educate, Reinforce, Measure
  – Best practices for engaging end users and structuring your program
• Our Learning Science Principles
• Next steps
The Evolution of Security Education
• Traditional security programs have relied heavily on annual presentations and videos
• Many efforts have been reactive rather than proactive (e.g., warning emails from IT departments)
• With these methods proving ineffective, CISOs are exploring other awareness and education initiatives
What Is Effective Training?
The first goal of any security awareness and training program should be improved knowledge and behavior, not just awareness.
• Security awareness alone is not sufficient to improve end-user security posture
• Users must understand and know how to respond to potential security risks
Presentations, slide-based training, simple quizzes, and videos inform — but don’t educate — end users. As such, they don’t help users understand risks or change their behaviors.
When users can understand the context of their behaviors, practice through simulated situations, and receive immediate feedback, they can make better decisions and reduce risks.
Real-life examples and immediate feedback enhance learning and retention, allowing users to understand and correct their behavior.
Truly effective training can improve your program’s results.
Continuous Training Methodology
A foundation for success: a 360-degree approach to security awareness and training.
Assessments: CyberStrength® Knowledge Assessments
Get a baseline of your end users’ knowledge.
• Gauge end users’ knowledge of security topics, including your security policy
• Create a broad assessment on multiple subjects or do a highly focused assessment in a particular topic area
• Use pre-written questions or ask your own
Assessments: Simulated Attacks
Get a baseline of your end users’ vulnerabilities and motivate users to complete training.
Understand your most vulnerable threat vectors:
• Email Phishing Attacks with PhishGuru®
• SMS Text Message Attacks with SmishGuru®
• USB Drive Attacks with USBGuru®
Any employee who falls for a simulated attack is automatically presented with a Teachable Moment. This is not considered training, though many of our competitors believe it is.
(Diagram: Send Simulated Attack → Teachable Moment Delivered)
Educate your users and change behavior with true, interactive training modules in a variety of topics.
Wombat Security uses Learning Science Principles in every training module to engage users and increase learning and retention.
Use Security Awareness Materials to help your end users retain knowledge.
• Choose from a selection of posters, articles, images, and gifts
• The materials remind your employees about the security principles they learned during in-depth training
Measure improvement using 15+ reports.
• Review detailed information from assessments and training efforts. See data about:
  − Who completed which assignments
  − Who fell for specific simulated attacks
  − Which concepts employees understand well
  − Topic areas of weakness
  − Improvements over time
• Reports can be exported and shared with interested parties
For Best Results, Repeat the Cycle
Suggested CyberStrength Reassessment Schedule:
• Quarterly or biannual assessments allow you to continue to measure improvement from the baseline.
• When you aren’t performing a broad content assessment, we suggest focusing on seasonal issues, as in the following schedule:
  − Safety on the Internet: August – October
  − Anti-phishing: November – January
  − Compliance: February – March
  − Mobility and travel: April – July
Suggested Simulated Attack Reassessment Schedule:
• We recommend conducting ongoing simulated attacks at least four to six times per year. Many of our customers send out monthly simulated attacks.
• If you plan to employ a continuous cycle of simulated attacks and use Auto-Enrollment (the automated scheduling feature within PhishGuru), we suggest assigning only one training module per Auto-Enrollment and varying the training.
Best Practices
Suggestions for Targeted Training Assignments:
• Mandatory Mobile Device Security and Mobile App Security (future) training for new BYOD registrations.
• Mandatory training following any device infections.
• New hire assessment and training to gain a baseline of knowledge, and basic training as they enter the organization.
• Security Essentials is a great starting point or refresher for employees.
Keep Your Efforts Engaging and Fun
• Rewards for trainees with the highest scores or who complete their training most quickly
• Create a competition between departments/groups for first dates of completion, training module scores, or assessment scores
• Elect a security champion within each group/department who provides on-the-spot recognition for employees exhibiting the right security behaviors
Next Steps
Visit us at WombatSecurity.com to learn more about:
• Security awareness and training
• Our Continuous Training Methodology
• Learning Science Principles
• Customer results
• And more