91% of all cyber security incidents begin with the end user. The employee sitting at their desk trying to perform their job clicks on a link in a phishing email, or answers the phone and responds to a social engineering attacker, or picks up a USB drive in the parking lot and plugs it into a computer connected to the company network to scratch that itch of curiosity and see what’s on it. When the end user, the employee, is breached – the company is breached.

The best way to prevent the beginning of 91% of cybersecurity incidents in your business is to provide security awareness training to everyone in your company. In this article, we’ll explain how you can build a successful awareness training program, get people engaged, influence company culture, and best of all reduce cybersecurity incidents. To get there we’ll explain the what, who, when, where, how, and why of awareness training, where security training fits into defense in depth, and which topics are best to include to reduce risk the most.

What is Cyber Security Awareness Training?

Before we dive into how to provide great awareness training, we really need to examine exactly what it is we’re talking about. Let’s start with determining the scope of the training.

‘Cyber’ means the digital assets within your business. Cybersecurity focuses on the information that is transmitted and stored within computer systems and networks. This includes the data on the laptop the employee works on, and sometimes the entire physical laptop, since it is the protective barrier around the data inside. It also includes the routers, switches, Internet, firewall, email, applications, mobile devices, and oftentimes the phone systems.

Many security vectors that are beyond the scope of ‘cyber’ also need to be covered to protect your company against outside threats. These include physical access to the building, wiring closets, badge systems, and surveillance systems.

Should you provide “cybersecurity awareness training” or “security awareness training”?

To answer this directly, we recommend you partner with and include all the groups required to provide comprehensive security awareness training that covers all the security vectors employees should consider. In addition to cybersecurity these often include:

    • Physical security
    • Legal
    • Marketing
    • Privacy
    • Compliance
    • Human Resources

There are exceptions: some companies’ departments are separated in a way that makes it hard to converge training. This might also include large companies, or companies that have so much training to cover that they break it up into ‘cyber’ modules and ‘physical’ modules. But again, if you can, we recommend you take the time and effort to combine this training, for several reasons:

      1. You have the employees’ attention
      2. It’s less confusing to them
      3. The physical and cyber areas often overlap and complement each other
      4. Training time and material can be reduced when combined
      5. This adds up to cost savings and time savings

In summary, a great security awareness training program includes all the aspects of security that employees need to prevent a data breach or any other threat to the company or personnel. By taking the time to partner with other departments on an ongoing and annual basis, you can build a great awareness program that is comprehensive and complementary and equips employees to be successful. Now let’s talk about who this training is for…

Who

Who should attend or participate in security awareness training? Sometimes it’s believed this training is only for the general employee population and that the leaders are smart enough to know this stuff. I do believe some are smart enough: smart enough to know that spending a little time to review the threats and how to prevent them can pay dividends to the company’s bottom line.

Everyone who has access to your building, equipment, and computer systems should participate in security awareness training. This includes leaders, employees (part-time and full-time), contractors, maintenance workers, security guards, and others including:

  • Vendors
  • Consultants
  • Partners (maintenance / support)
  • Marketing partners

Specific Groups


This doesn’t mean they all need to take the same training. Different groups sometimes have different levels of access, which can justify less training, aimed only at the risks those groups actually face. It can also mean additional training for groups that have access to higher-risk systems, face additional threats, or hold privileges that could be exploited. Groups that we constantly see higher risks with include:

  • Identity and Access Management
  • System administrators
  • Accounting and bookkeeping
  • Controllers, and access to wire transfers
  • Human resource, access to pay, medical, and personal information

Some groups have a lower associated risk, or because of their relationship, cannot participate in the full security awareness training. They should be engaged with and provided with the expectations they need to review and provide an attestation for. For vendors, I’ve historically made a one-page document that can be printed in duplicate and reviewed in person with the vendor when they arrive, in under five minutes. At the end of the review, provide an opportunity for questions and clarification. Then have them sign the document and provide it to HR or vendor relations for retention. There are cases when, after reviewing a document with a vendor, they agree but do not feel comfortable signing the document. I feel it’s not cybersecurity’s role to force anyone to sign anything if they are not comfortable. We are in cybersecurity to protect privacy and rights, not to burden people. So when that happens I recommend you just write the person’s name on the document along with the date you reviewed the form with them and file that. If a formal attestation, via signature, is required, this needs to be supported by legal vendor agreements and this expectation needs to be set from the beginning of the relationship. This will require legal, leader, and vendor relationship support.

When security awareness training is done right, everyone is included and is presented with the information they need to perform their role successfully and protect against security threats. Everyone should complete a general security awareness training that covers the threats and risks pertinent to everyone. In addition, groups with more access to sensitive data, systems, credentials, or personal information should be equipped with additional training that continually lowers the risk of these high-risk areas being breached.

Attestation

When today’s security breaches are investigated and it’s discovered that an employee was responsible, the investigator’s next objective is to find out whether the employee was trained on the proper security methods. If they were trained, and that can be proven via security awareness training attendance records, then the company will often not be held liable and instead the employee can personally be held responsible. But if it’s discovered the employee was never trained on how to prevent the attack attempt, or if there are no admissible records, then the employer will be held responsible for the breach. Because of this, it is critically important to have a log of who attended training and when. In addition, once the training is complete, ask if anyone has questions or objections. Once all questions and concerns are addressed, have the employee sign an attestation that states they have completed the training, they understand it, and they will do their best to use this training to protect the company.

When


The ‘when’ is probably the most under-asked question and consideration when it comes to security awareness training. Most companies just add it to the checklist of agenda items at the beginning of the year. To get the greatest return on security awareness training, it is important to consider when this training is provided.

Season of Risk

The first question to ask about the ‘when’ of security awareness training is: ‘What is the highest-risk time for our company, when we face the greatest number of threats or attacks?’

Retail = From Black Friday to Christmas

Financial = First of the year to April 15th

Ice Cream Shop = Summer

Based on historical incidents or a quick tabletop exercise, you can quickly discover whether there is a season of higher threats. Security awareness training should always be provided just before the highest-risk season so that the training is fresh and at the top of employees’ minds. This has the greatest return on investment.

Newly hired

Onboarding new employees is a critical time to provide security awareness training and introduce them to how your company protects its assets. This not only equips the new hire but strengthens the company culture and shows how your business values security and the people you serve.

The only disadvantage of providing training at this time is that it can be washed out by all the other training during onboarding and by the employee’s excitement to start the role. A couple of things you can do to help with this: provide them a specific time allowance just for security awareness training, so nothing else distracts them, and include quiz questions hard enough that they require digesting the material to answer correctly. Lastly, follow up new hire security awareness training with one-on-one time with an information security representative. Have the security representative congratulate them, encourage them, and discuss the importance of their role. You can solidify the security message here, but more importantly, build a relationship with them. This relationship will greatly promote the importance of security and associate a person with it, not just a policy. It makes it personal and only takes a few minutes.

Outside Checklists

Another consideration on when to perform security awareness training is when other training modules or required material reviews are released. Try to separate security awareness training from other ‘checklist’-like training modules that are released. This will reduce the pressure on the employee to ‘crank’ through it and get it all done. It helps reduce the ‘checklist’ mentality.

Specific Groups

For the specific risk areas of individual groups, the training should obviously come after the general training, ideally two weeks to two months afterward. This will help reinforce the original training and create a security culture that encourages the retention of learning. Often this follow-up training is done in person and only takes a small amount of time. As we discussed in the ‘who’ section, include time for Q&A during this session. Our experience is that you’ll often get questions that relate to the general training. Write these questions down and use them in the next section.

Frequent & Often

There is a mantra in security awareness training around the ‘when’ question: ‘frequently and often’. In an ideal security world, we would scan the employee’s brain for full comprehension of security material every time they show up to work or log on to the computer, but that’s just not possible (yet!).

So to provide training frequently and often we recommend you follow up training with a security newsletter, roadshow, or open house.

Security Newsletters

The best thing to include in a security newsletter is a personal story of someone who recently experienced a computer security threat. This could be you, an employee, someone you know outside the company, or even a link to a news story. Ideally, this story will be personally applicable. What I mean is that when you equip employees with security information they can use in their personal lives, it becomes personally applicable to them. They are much more likely to read it, digest it, consider how to prevent it, and share it.


Another great area you can include in the newsletter is a section for questions you’ve received about security (remember the questions collected in the Specific Groups section). Take the questions you’ve received and address one or two of them to everybody. Keep the original person anonymous. Answer in a humble way that expands on the training and acknowledges that the topic could use more explanation and detail.

One of my favorite things is to include an Easter Egg. Have a challenge that employees can engage with to win a prize. Here are some ideas:

    • Leave a door unlocked or cracked open
    • Leave a USB drive in the parking lot
    • Have someone walk around the building without a badge

Some people will not participate in these challenges, but it will still get their minds going and they will still be looking for them; they just won’t report them the way the majority of people who want the prize will. Honestly, I’m always surprised what people will do to win a prize. Leverage this in your security awareness program.

Providing training at the right time, with the least distractions, and complemented with a regular frequency can greatly increase the security culture, improve learning retention, and ultimately lower the risk to the business.

How

Now that we’ve covered the what, who, and when, we’re going to get into the meat of security awareness training and cover the how.

This is not security policy training. It’s security awareness training. That means you can point them to the policy but don’t talk about it in depth. Talk about the things they need to know to reduce the risk of a breach while performing their role. This will include:

  • Social engineering
  • Phishing
  • How they can use company resources
  • How they should handle company data correctly

Lead with Leadership

Security awareness training should be led by a statement from leadership on how important it is, and how it supports the business and protects the company brand, assets, employees, and clients. A statement from leadership shows top-down support and really promotes security. It shows that it’s important to them too, and that even someone as busy and important as a C-level executive takes the time to perform this important training. One important theme we’ve seen growing over the last few years is that security is everyone’s responsibility.

To make it easier to gain this leadership support statement you can provide them with an outline or template of the statement you’d like to use as a company-wide introduction for the training.

Example Statement from Leadership:

“Security is everyone’s responsibility at (company name). Without us actively paying attention to the threats that face our company we put our company, employees, partners, and clients at risk. If we fail at security it could cost our company (x amount), and even threaten the future of our business.

“Because of that, I’m asking everyone to take the time to complete the security awareness training. I’m actually asking more than that, I’m asking everyone to take the time to understand, practice, and implement what you learn from the training. I’ve personally completed the training and I can tell you it is extremely valuable. The threats against our company are changing and I need you to be prepared and equipped to identify, defend, and report these attempts.

Thank you for making the security of our company a priority.

Signed – C-Level Big Shot”

Email the invitation and agenda

Ideally, the day after the email from leadership, follow up with an invitation to take the security awareness training. If this is an online module, include a summary and the hyperlink. If this is classroom training, then send a calendar appointment with when and where. Include a brief agenda of what the training will cover. Again, it’s important that this invitation rides fresh on the heels of the leadership support email.

If you’re staging training into groups, then the leadership support email should be staged too. Schedule the release of both of them to coincide with each other.

Email a reminder and expectations

If you’re hosting a classroom training, send out a reminder email a few days before training. Because the initial email invitation was probably sent two to four weeks out so that the majority of people had availability on their calendars, it’s important to remind them it is coming and re-emphasize its importance.

Here is also a place to plant a seed on the consequence of not attending the training. You don’t want to come across as a disciplinarian, but you do want to communicate that they can’t just skip training and expect to never be bothered with it again. It’s required and everyone will need to complete it before a certain date. A recommended way to state this might be, “If you’re unable to attend training during this time please notify us as soon as possible so we can get you a spot in the next training session as everyone needs to complete this training before the end of the month.”

What to Train

Everyone is here and has a smile on their face because they’re excited, supported by leadership, feel like they’re doing something important, and there is free coffee and donuts (hopefully). Now what? Here’s a recommended curriculum of training modules that should be covered to equip employees to protect the company against security threats.

  1. Social Engineering is when an attacker obtains sensitive information by manipulating people. The key word here is ‘people’. It is a person-to-person attack to gain information. This can be in person, over the phone, by email, or by text. I’ve attached a one-page Social Engineering Wiki that contains what it is, how to detect it, examples, and how to report it.
  2. Phishing is when an attacker tries to gain information or gain access to a system through email. This can be done by getting the person to respond with information or company data (overlapping with social engineering), or by attempting to compromise the machine, for example by delivering malware or gaining remote access through a security vulnerability.
  3. Data Classification & Handling is an explanation of the different types of information your company has and how each is rated in sensitivity and confidentiality. In addition, it equips employees on what they can do with that data and how they can share it. It equips them with the right tools, applications, and processes to store and transmit this data securely.
  4. Acceptable Use of company equipment and resources. This guide will typically cover what types of websites they can visit, when and how they can spend personal time at work, and whether they can use the Internet on their personal devices. The purpose here is to draw a line for how they can engage in personal interests and activities on and at work property.
  5. Identification, Badges and Visitors Guide sets expectations for whether and how company identification, such as badges, must be worn, displayed, and used. The guide will also cover whether an employee can have visitors and, if so, what the process is to schedule a visit and what’s allowed while they are onsite.
  6. Security Policy Highlights will cover a few topics from the Information Security Policy that are important to review and provide instructions for. These often include mobile devices and media, including removable media like USB drives. It will also highlight whether and how remote connections to the company network can be made, what the current password requirements are, tools to create a good password, and what is not a good password (Summer2019!).
  7. Company Rights will cover what legal rights and obligations your company has to ensure the protection of information about its business, clients, employees, vendors, and partners. Employees should have no expectation that any information they create, access, or transmit is private. Also, set expectations on what will happen to the data after employment has ended. Specifically, if the employee cannot remove data from the company, here is the place to spell that out clearly.
  8. How to Report is a critical step and a perfect way to conclude training. With everything they’ve learned and been equipped with, you will need to tell them how they can escalate and notify someone of a security issue or incident. Also, address whether employees will be allowed to report things anonymously and, if so, how.
  9. Resources are something you can equip them with to refer to all this information later. We recommend setting up a security portal such as https://security.yourcompany.com where you have all this great security awareness material documented and available to everyone for reference. Think of it as a one-stop shop for security information: questions, guides, policies, procedures, frequently asked questions, and instructions on how to report an incident. Here they can download PDF guides on Data Classification and Handling or Acceptable Use. It’s a great idea to equip everyone with something to remember this resource by, like a magnet, sticker, or stuffed animal holding a sign with the link on it. You’re welcome to get creative here and really weave your company culture into it.

Group Specific Training

Now that the general security awareness training has been completed, it’s time to review which groups need specific additional training and schedule that. Perform the additional training directly with the group. Take the time to understand the specific threats, and prepare training that is comprehensive but as brief and direct as possible. Be short and to the point. Meet with the manager of the department and set up a time to visit their next team meeting, talk through your training in five minutes, and allow five minutes for Q&A. During this time with the manager, get their support and ask them to help create a positive atmosphere. In return, you’ll be brief and only focus on the things that are critical for them to understand and execute on.

Where

‘Where’ training takes place is probably the least important question. It can take the shape of an online curriculum, or it can be done onsite in a classroom. Some people even justify sending people to outside training due to the lack of resources within the company. I advocate that training be performed on-site, within the company, and by someone who is part of the security organization. If your company doesn’t have an information security organization, bring in an outside security awareness trainer who can become familiar with your company culture, values, and specific risks and provide a positive atmosphere that still enables employees to get connected to the right resources once the trainer is gone at the end of the training.

The most important thing to consider for the ‘where’ is a place they are comfortable and can focus on the training.

Summary

Security Awareness Training is one of the first things I look for when consulting with a client that wants to protect their company against cyber threats. It’s where you can get the greatest return on investment for protection. It’s the biggest backdoor vulnerability behind all the technical controls. Having a great security awareness training program doesn’t have to be hard, but it does take thought, time, and partnership. Once your program is built, it takes less effort to maintain and update. If you include the resources we’ve provided here, you will have a great security awareness program and can be confident that you’re investing in greatly reducing the risk of an attacker stealing critical data from your company.

Pilot Program – OFFER

Workshop: User Security Awareness Training

Right now, we’re developing a user security awareness training workshop and looking for pilot clients to partner with us.

  • Develop your own internal awareness training
  • Save money year over year by hosting your own
  • Built specifically for your business and your unique risks
  • Reduce time by focusing on what matters the most
  • Increase the effectiveness by making it personally relevant

If you’re interested in participating in the pilot program, and in getting a discount of about 60% off the cost by working with us to improve our process, contact us today to set up a conversation.
