10 proven security awareness tips from Osterman Research

Chris Sienko: Hello and welcome to another episode of the Cyber Speak with InfoSec Institute podcast. This week we present a rebroadcast of a recent webinar entitled 10 Proven Security Awareness Tips to Implement Now. Your speakers today are Michael Osterman, Principal Analyst at Osterman Research and Lisa Plaggemier, Chief Evangelist at Infosec Institute. In this webinar, Michael and Lisa will teach you how to increase your training participation and long term awareness goals, customize training content and frequency to better engage employees, and drive lasting behavior and cultural changes. Just as a reminder, if you'd like to see this webinar as it unfolds, including presentation slides, you can also find this podcast as a video on our YouTube page by searching InfoSec Institute and visiting our YouTube channel. This webinar is about an hour long, so without further ado, here are along with moderator Camille DuPuis from Osterman Research, Michael Osterman and from InfoSec Institute Lisa Plaggemier.

Michael Osterman: I'd like to thank everybody who's with us here today. Really to understand more about security awareness training and how you can implement it in your organization now and really get some value out of it. So just a little bit more about Osterman Research so you understand our perspective in all of this. Our practice areas really include everything around the way that people communicate and collaborate and so security is a primary focus area for us. We do a lot of primary research and we'll be presenting some of that here today. But our goal is to understand how people deal with communication and collaboration issues. And security is a critical issue in that because it affects virtually everything that we do. The companies about 18 years old and we're based near Seattle.

So, lets get into some concerns. We did a survey recently of IT decision makers with a security focus and what we wanted to find out is what are they really concerned about in the context of protecting their users, protecting their data, their networks, their organizations, and so forth. And not really surprisingly a breach of sensitive or confidential data is really a top concern for the vast majority of decision makers. People who are charged with really protecting users and protecting networks and protecting the really valuable data assets that organizations have. And very closely related to that are protecting from things like phishing attacks. We find phishing is a very common mode of attack for cyber criminals and I'm sure everyone here on the call has experienced a number of different phishing attacks. Some very crude attacks, the Nigerian 419 scams, all the way up to very sophisticated spear phishing and CEO fraud types of scams. Again, these are really top of mind issues for security decision makers, also of great concern are things like ransom ware or targeted attacks, zero day exploits, and the list goes on and on.

There are a lot of moving parts in the context of security and virtually all of these can be dealt with to some extent by security awareness training and for many of them they can be dealt with primarily through security awareness training. This we'll get into here in just a bit. But there are really lots of things that decision makers are concerned about and we see these things becoming more top of mind over time. For example, things like crypto currency mining malware. Today only 27% of IT decision makers consider this to be a really major concern for them. We see this moving up the list over the next six to 12 months. And again, this is another issue that can be dealt with, to a large extent, by good security awareness training. Things like malvertising, drive by attacks, employees surfing websites that violate corporate policies, these are all issues that to a large extent can be dealt with, not completely but to a great extent, through really good security awareness training.

So a number of things have already happened. We did this survey a couple of months ago and we asked you, what has happened in your organization over the last 12 months? And what we found is that a successful phishing attack, that had actually infected systems with malware, was the most common type that had occurred. 28% of organizations reported that this had actually happened. And these are not just the phishing attacks you see where nobody clicks on a link or opens an attachment, these are things that have actually happened to an organization and the network has somehow been infected with malware. Some sort of a targeted email attack launched from a compromised account within the organization had successfully infected an end point with malware. Happened in 25% of the organizations surveyed.

Maybe some sort of a data breach, sensitive or confidential information was accidentally leaked through email. Again, 25% of organizations reported that over the last 12 months. I won't go through the entire list but you can see that a lot of different things happened and what was particularly interesting to us is the bottom line here. 35% of organizations reported that none of this has happened. What was really interesting, in a couple of respects, we think this number is probably too high. There are a lot of organizations that probably aren't willing to report every piece of dirty laundry that happens in the organization, every data breach, every successful phishing attack that end up in a malware infiltration, that kind of thing. So we think this number of none of the above is probably a bit too high.

The second issue you have to consider is that for a lot of organizations, they may not know they've been breached. Dwell time, the time between the point of infection and something actually being detected as having happened, ranges from anywhere between 49 to 150 days, depending on whose statistics you believe. But dwell time is a real issue. In the old days the bad guys were very noisy, they'd infect your machine, you'd know it right away. Today, there can be an infiltration and the goal of that infiltration is very often to snoop around, to launch some sort of attack at some point in the future. They're looking for things like the CEOs calendar or they're looking for the wire transfers that occur in the organization. They're looking for the amounts and the organizations to whom you transfer money and so forth. They're looking to compromise email accounts so that they can do account take overs. And there really are a variety of things that require significant amount of reconnaissance by cyber criminals. And so they're looking to infect an organization with malware but then remain very quiet for as long as possible so that they can launch other attacks.

So, the bottom line here is that the none of above figure is probably too high. There are a lot of organizations that have experienced a lot of these different types of attacks and may not even know it yet. And so that's one thing to consider in your own network. Look for things that are suspicious, IP addresses that have hit your network that you don't know anything about. Maybe process that are going on that you know nothing about and so forth. One of the things we wanted to find in our research as well was how are things changing over time? You talk to virtually any organization, whether they're a mom and pop organization to the largest enterprise and they've all invested something in security defenses. Whether it's something as simple as antivirus software on the desktop or very sophisticated web application firewalls, secure web gateways, just the whole panoply of solutions out there designed to protect users, and networks, and data.

What we've found; however, is that phishing and spear phishing are actually getting worse for a lot of organizations. We found for example that over the last 12 months, phishing has actually gotten worse. There's been an increase in phishing attacks for 45% of organizations. 50% of them told us that things are staying the same, they're just not getting any better. In the context of spear phishing, 28% reported things are getting worse, 63% reported that they're not getting any better. So despite the millions, tens, hundreds of millions of dollars that organizations have spent on anti-phishing and anti-spear phishing and anti- lots of other things, these problems are really not getting any better. Organizations are still experiencing lots of attacks and for many organizations they're experiencing more of them over time. So the overall outlook really is not very good for a lot of the organizations despite the very large sums they've spent on these various technologies.

Now, one of the things that we wanted to explore in the recent survey that we did is really to understand how well security training does versus physical infrastructure. And what we found in every case is that when organizations were asked to rate things on a scale of one to seven, with six and seven being well and extremely well, we found that technology based solutions with physical infrastructure that they've deployed, whether it's on the desktop or at the server, or at the gateway level or in the Cloud, it's working better than the security training that they've implemented. Now, when we're looking at things like end points compromised by botnets or employee surfing websites that they shouldn't be at or ransomware attacks. What we find is that the technology based solutions that have been deployed, are actually working better than the security training and the first conclusion you might draw from this is well, security training isn't very effective.

But as we'll get into here in just a bit, what we found is that security training is just not adequate at most organizations. And if you were to compare security training versus the technology infrastructure that's in place, the security trainings is really lacking in many cases. As well get into here in just a moment, it's not frequent enough, it's not good enough. Organizations just have not invested very much in the training aspect of their security infrastructure as they have on the technology side. And that's something that needs to change. So, bottom line what we're finding is that yes, security training doesn't look to be as effective as technology infrastructure but organizations haven't invested nearly as much in it in security training as they should.

So one of the things we also wanted to find out is can users really recognize threats if they are presented with a phishing attack, a phishing attempt, if they're presented with some sort of spear phishing email, can they really detect this stuff? Well, IT decision makers think that yes, users are fairly well equipped in many cases. 45% said that yes our users are well equipped to deal with phishing, 39% said they're well equipped to deal with spear phishing. And while that looks good at an initial glance, the vast majority are either poorly equipped or just moderately equipped to deal with this. So, most users really just are not that good at detecting phishing and spear phishing unless they have adequate training to sensitize them, to what these things look like.

Now, virtually all of us can spot a very crudely worded phishing attempt with a lot of misspellings and so forth, those are easy to detect. What we're finding over time though, is that phishing attempts are getting more sophisticated. The logos are right, the spelling is right, the context is right and so forth. And so over time these kinds of phishing and particularly spear phishing attempts, are getting much more difficult to detect. And so we would expect all other things being equal if security training doesn't improve, the well equipped bars are going to be dropping over time as cyber criminals get more sophisticated and as they just simply get better at sending out phishing and spear phishing emails that are designed to trick users.

Camille DuPuis: Now, Michael, Lisa, I think it would be interesting at this point, I'm going to open up a poll and ask our attendees, what do they think as far as what percentage of their employees or colleagues, do you think are capable of correctly identifying a phishing or a spear phishing attempt? So we'll get-

Lisa Plaggemier: Before we take a minute for people to register their thoughts on that poll, another thing that I thought was interesting on the previous slide where we talked about security training versus technical infrastructure, I'd be interested in hearing from people if they wanted to chat it to us, or enter it as a question, or just make a statement, about why they think that is? Is it that people don't have a lot of faith in their users ability to recognize phishing attempts? Is it the quality of the training that we're putting out there as an industry? Why is there more faith in the technology than human? Is the technology just better than human, a lot of the technology is implemented by humans and they're a fair number of incidents that are the result of the technology not being properly implemented or configured. So I'd be interested if people have comments that they want to share with us about that as well. I think that would be interesting, to give us more insight.

Camille: Yeah.

Michael: Yeah, I agree. I think it would provide some very useful insight.

Camille: Now, looking at the results, we're a little bit split here. So, some people have said they believe zero to 20% could correctly identify a phishing or spear phishing attempt. More of our audience said they believe 41 to 60% thought that they could identify a phishing attempt. So that about 50-50. It's interesting to see, that aligns with Michael's thought there that people are moderately equipped. That's right in the middle. So, pretty consistent with that.

Lisa: It would be interesting to know how that corresponds to companies that are running mock phishing programs and those that aren't. Because you would hope, the results of running a mock phishing program would be that your users would be better equipped. But I don't know that, that necessarily [inaudible 00:14:50].

Michael: I was just going to say, I think part of it too is that there's a pretty wide range of, for lack of a better term, the quality of training out there. It's not necessarily the training that's bad, but it may be a lack of confidence in some training regiments that organizations have gone through. And so, security related decision makers really aren't pushing it very hard. They might have security training as a check box, but that check box may not really meet the needs of the organization and the individual users.

Camille: Sure. And I think a reason for this phishing attempt is Michael you touched on it earlier, the sophistication of some of these new attempts, it really can be quite tricky and quite believable. Looks like we've got a comment here that says, "I believe it's a lack of policies established within organizations to properly equip users with training. Funding is easier to obtain with a physical item over software or training." I think that's an interesting point.

Michael: That's a very interesting point and I would agree. I think it's if you're a Security Manager or what have you, and you go to your board and say you want money for infrastructure, for Cloud services, or on premises infrastructure, whatever it is, I think you'll have an easier time getting funding for that than you might for security awareness training because I think there's a lot less known about it. And users tend to be more of a wild card if you will then known vendors of security technology.

Camille: I think that's really interesting to think about and I know you'll touch on it later but also about getting that backing from other people, maybe executives to do this kind of thing, I think plays a role in it as well.

Michael: Mm-hmm (affirmative), very much so.

Lisa: Yeah, it's interesting because the comments about funding because in general I think, in my personal experience, the budget needed for training is usually much smaller than the price tag for a lot of the technology solutions. And like I said, so many of those technology solutions rely on humans to install and configure them, it's important the folks doing that work have the right training as well.

Michael: Another thing we wanted to find out from the survey is the level of confidence that security decision makers have with regard to their users. And while the previous slides show that security decision makers think their users are fairly well equipped, this really gets more into the detail. What we found is that when security decision makers were asked to rate their users, the users they're in charge of on a scale of one to 100, where one is not at all confident and 100 is very confident, their confidence level was really not very high. It came out at 64 in the context of employees being well trained to deal with phishing, the same for senior executives not clicking on spear phishing links and employees not clicking on phishing links were even worse and employees being inherently capable to be able phishing without training even worse than that.

So what we're looking at here is if you look at this and think back to your school days, at best, these are D's. These are really not very good scores. So bottom line is IT and security really don't have a lot of confidence in their users ability to act as a security firewall like they really should be considered. And without training, confidence in users ability to deal with phishing and deal with especially spear phishing, it has to be more sophisticated is actually even lower. Bottom line is there is just not a lot of confidence in end users to be able to deal appropriately with phishing and spear phishing like they really need to be.

Camille: I think it's interesting in the beginning how people, where you had talked about you think the number was too low of people who reported that this had not happened in their organizations, yet they don't have confidence in their users to not fall for a phishing attempt. So it is interesting like you said, maybe some organizations are not reporting all of these attempts as they should be.

Michael: Mm-hmm (affirmative). And I think part of it too is that it may be that IT doesn't even know in every case. There's a lot of personal infrastructure used in most organizations, a lot of home computers, personal laptops, tablets and so forth and there may be infections that occur on those platforms that IT knows nothing about. Now it may eventually work it's way into the corporate network but if you look at the typical home user for example, they probably don't maintain their anti-virus defenses, that base level of security, at nearly the level that you find IT would maintain corporate resources at.

So one of the things we looked at too in the survey was the different approaches to security that organizations are using. And what we found in the context of security awareness training, the approaches really are quite varied. Now, some organizations will use the break room approach where they'll gather employees in the lunch room or break room periodically, and talk to them about security. Maybe remind them to be on guard against phishing attempts and so forth. A lot of organizations use the monthly security video approach, where they send out a video or you show a quick video on what to guard against. Some organizations use the phishing test approach. Some are using the human firewall approach where you're treating users as really this defensive line against security threats. And we found about one in 20 organizations does absolutely nothing at all. They don't have any kind of security awareness training either when the employee joins the company or maybe once a year and so forth.

So, what we discussed earlier in the context of security awareness training not being nearly as affective as technology based solutions, this explains part of that. That the approaches to security tend to be lacking in many cases, a lot of organizations are doing very little in the context of security. And even where they are doing something, it's just not enough to really equip users to deal with phishing and spear phishing and other types of threats very well.

Camille: So let's launch another poll here. Let's talk about the satisfaction in your organization. How satisfied with the quality of cyber security training materials you have available to you are you? Are you satisfied with those? Do you think they [crosstalk 00:21:47]

Lisa: So by quality here we mean things like the advice they give is it accurate, it's complete, right? Sufficient amount of information. And then I think the other big metric to think about here is whether or not it's engaging. When I think about whether or not I'd be very satisfied with the quality of training materials, I'd think about content that people want to take. Right? Not just that they're required to take but is it engaging to the point that people are actually seeking it out. I think we have a long way to go as an industry in this area, but I think the more everybody general consciousness around security is raised the more demand there is for it. But we've got to provide good quality, engaging stuff for people to interact with.

Camille: Sure. It looks like 50% of our viewers are saying that they're neutral. So that maybe it's kind of working, maybe it's not. And if you have a thought about why you're neutral about that, go ahead and chat it to us or ask it as a question. We'd like to hear reasoning of why you selected some of these and if you're very unsatisfied, why's that? And why are using this material that's unsatisfying. Is it because of budget? Is it because it was made in house and that's all there is? Be interesting to hear why you're doing this and of course you'll remain anonymous for what you tell us.

Michael: Yeah, I think another point is too, it's easier to evaluate the quality of a software or service solution for security than it is training. You can buy a box, you can check out the specs, check off all the boxes in terms of the requirements and deploy it. And now it's running as advertised. I think it's harder to do that to some extent with security awareness training particularly with the way people are doing it today because they use so many different approaches and it's really harder to quantify and evaluate the results of that. Now, if you have a really good training program, that's not the case, but for a lot of the training out there, that tends to be fairly informal and not really all that organized, it's harder to evaluate the effectiveness of that.

One of the things we wanted to look at too is the frequency of training. And what we found is that a very large percentage of organizations really aren't doing very much in the context of training. We found for example that about a third of organizations are training their users only about once a year. 5%, only once when they join the organization and 4% never. So, we're looking at upwards of 50% of organizations that are just the bare minimum amount of training if they're doing training at all. And if you're reminding somebody once a year to watch out for phishing attempts or to watch out for spear phishing, not to click on a link or an attachment, you probably can't expect that users going to really be focused on that activity. So, it's important to have training that's frequent enough. Obviously not too frequent but you want to have sufficient frequency so that people are keeping this as top of mind issue. We found for example that 30% of organizations train their users just two to three times per year, 16% do it four to six times per year, and only 10% have training that's more than six times per year.

And it's a kind of thing where you have to keep security awareness training as a top of mind issues for most users because they're dealing with phishing attempts on a daily basis. Senior executives are dealing with spear phishing at least on a weekly basis in many cases. We found situations where user, senior executive for example, the CFO of the company, might be getting 20 or 30 or 50 spear phishing attempts per year. So this is a fairly frequent occurrence and it has to be kept top of mind so that users are vigilant to protect against these kinds of things.

Lisa: I think another area where I think I'd be interested to hear from people on, on why this is? That they don't train frequently. Why is that the case? My suspicion and maybe people can tell me if this is accurate or not, is that it's a matter of resources. We're seeing more and more automation come into this space where security alerts from various monitoring tools can generate a training assignment and I think that is going to help a lot, the more we can automate in this area, the better. Because I don't think doing this manually is practical for a large organization, right? It's going to try to do training assignments for individual groups of people based on behaviors, then that can be quite time consuming. But I'd be interested to hear from folks on if they don't train more frequently, why is that? Do they not think it's necessary? Do they not have the resources? Not have the automation available? What is it that keeps them from training more frequently.

I think at this point, after this many, the place where the industry is from a maturity standpoint, I think it's pretty well accepted that doing shorter bursts of training more frequently and in that teachable moment, when somebody has exhibited a behavior that was, they clicked on a phish, clicked on a fake phish, whatever it was, that that's generally more successful and actually really does result in the person changing their behavior and learning something from that incident. So, curious to know why other people aren't finding the time or the resources, or the tools to train more frequently and take advantage of those teachable moments.

Michael: Mm-hmm (affirmative)

Camille: Lisa and Michael I have a thought for you. What do you think would be too much training in an organization? Do you think that there could be a point when it would be too much security training? Where it would start to go opposite and anger the employees or-

Lisa: Sure.

Camille: Or cause them disinterest? What do you think that frequency would look like?

Lisa: I really like to see prisms that are based on pull and not push. And I realize that a lot of companies, almost everybody it seems like these days has some compliance requirement that they have to deal with, right? And that you need to push programs out and get 100% participation for those specific programs for compliance reasons, right? But I'm an advocate of having maybe 10% of your program being run for compliance reasons and 90% of it being run to try and change the culture and generally engage people. When if you do that, you can't make those mandatory, right? It has to be a pull, people have to be interested in it, have to be engaging, whatever it is you're doing, whether it's training or an event or you've brought on a speaker or you're using something gamified, whatever it is, as soon as you make it mandatory, it's not as much fun anymore. So, I believe that you should take the bits and pieces of the program needs to be mandatory, and make them mandatory but everything else should be voluntary. And then people can pick and choose how they want to engage with different types of security content.

And if you offer a broad variety of content, videos and training modules and articles and maybe an infographic post on a corporate intranet site or poster on a wall or something like that, and event. You give people a lot of different potential touch points, then they can self select and they can go down their own path. Their own learning journey on security and determine what the right amount is for them. How interested are they? And are you succeeding in really changing people's behavior? Because at the end of the day, that's what it's all about. But I think you can definitely have too much training and then I think what you're going to generate is people tuning out instead of really engaging, which is what you want.

Michael: Mm-hmm (affirmative), yeah, no, I definitely agree with that. I think you can reach a point where it's too much, it's too in your face. I think it has to align with the way people work and their skill level, if you will, at being able to detect things. And that's why that sort of right sizing of training, I think is critical.

Camille: I think part of that might go back to, a couple slides back when we were talking about approaches to security and talking about the variety and if that material is engaging, I think that it'll be less likely that you have too much training, because if people are interested in it, they'll want to keep learning. But if it's something boring and too hard of work to do the training and materials, I think that, that could easily get to be too much where they start to, like you said, tune it out.

Michael: Mm-hmm (affirmative). Yeah, I would definitely agree. And it's the kind of thing where it has to be relevant. We all know, at least in the abstract, that phishing is a problem. People who have been faced with this or may have clicked on a phishing link and something bad happened, are probably going to be more sensitive to it and more willing to participate in training. And the goal I guess is really to get everybody on that same page. Get them to engage before something bad happens.

So one of the things that we wanted to find out too, is just how enthusiastic are people about security training. And again, we're dealing with a pool of survey respondents who have a variety of different training backgrounds, some get frequent training, some get infrequent training, some get quality, some get fairly poor quality and so forth. What we found is that senior IT management tends to be pretty enthusiastic about security training. They really understand it's benefits, they understand how it can work along side the technology infrastructure to really better protect the organization, protect the data assets and so forth.

When we get into senior business management, they're a lot less enthusiastic. Now, we do find that a little over a third of senior business managers are pretty enthusiastic about the overall idea of security training and they're willing to participate. When we get down to the employee level though, that's where things really fall off. We found that only about one out of eight employees are really what we consider to be enthusiastic about security training. About half are somewhat supportive and the rest are either neutral or actually slightly against training. And that relates probably to the bad experiences they may have had with inadequate training or training that wasn't frequent enough or wasn't engaging enough. So really the goal here is to move as many of these bars to the left as we can. Get senior business managers on board, get employees on board with security training and really even get more IT on board with it. Because we do find in our research that some IT decision makers, some security decision makers, really aren't yet convinced about the value of security training. Even though you can demonstrate that security training can go along way to protecting an organization, protecting its data assets and so forth. We still find a lot of decision makers just aren't yet on board.

Camille: I'm going to launch a poll now, something I'm interested in is to see if your organization does role based training. So interested in thoughts on if role based training would make people more enthusiastic. So, does your organization do role based training or does everyone get the same security training? And I think it'd be interesting to talk about if it its role based, does that make them more enthusiastic to continue it because they feel like it's useful in their career and in their position. Looking like 83% of participants, had a switch now to 71% of our participants have said that their organization does not do role based training. And 29% said they do. So, I'd be curious to see if role based training makes people more interested in it. If anyone has any thoughts on that?

Lisa: Yeah again I think this probably also a reflection of resources because it definitely, again that's another place where we've seen more automation entering the space with some of the tools that allow you to make assignments based on peoples roles a little bit easier than others. So I think this is potentially another place where it's a matter of resources, right? If you don't have the automation available, the technology doesn't support it then this also becomes something that can be rather manual. Doing the assignments as well as coming up with the actual training content.

Michael: Mm-hmm (affirmative). And I think role based training is really very important because if you look at particularly in the context of spear phishing, somebody in a marketing department is rarely going to be targeted to do a wire transfer or get a request for W2 information for an employee. So if they got it, there's nothing they would do with it anyway. The CFO on the other hand, or somebody in the finance department, is going to be targeted for this type of information or going to be asked supposedly by the CEO to initiate a wire transfer. So I think that type of role based training really is essential because people have different levels of target-ability if you will based on what they do in a company.

Camille: We are going to get to the questions in just a moment, so feel free attendees please submit any questions you have. But now we're going to move on to the actual tips. So, Michael's developed these using his research. So we'll let him go through those, but again please submit us questions at any time here that we can go through.

Michael: So first of all, and again these are going to vary based on the level of training you have in your organization, in your corporate culture and so forth. But these are tips that we developed that you should at least seriously consider.

First, security has got to be a board level consideration. And we're finding that more boards of directors over time are really understanding the importance of security. We find more boards of directors for example, will have the CSO as part of the board. They'll provide training for the board themselves, so that they understand the information they're being told about security threats and the important of guarding against various types of things and providing training and so forth. So, really start at the board and make this a top down decision in just about every company out there.

You need to understand your corporate culture. There are some corporate cultures where senior management are very opposed to being trained. The CFO, the CEO, others at high level in the organization don't necessarily feel they need training, they do. And so you need to really focus on getting these managers on board to understand the value of training and why it's important for them and the rest of the organization. You need to have senior managers open to the idea of being challenged. So for example, the CFO receives a request from the CEO to initiate a wire transfer off to a Chinese supplier for example. You need to have a corporate culture where the CEO is willing to accept maybe a call on his or her mobile phone while they are on vacation saying hey, did you really send this request. The CEO that doesn't want to be bothered with these kinds of things is the head of an organization that is more likely to be attacked. So you need to really focus on corporate culture as a key part of the training regimen.

You need to make sure the training covers everything that it should. There's not only treats from phishing and spear phishing but threats from users over sharing on social media, using corporate email for personal purposes, surfing websites they shouldn't and so forth. So make sure that the training covers all of the potential threats that could impact an organization.

You need to make sure phishing tests are random. If everybody knows that there's a phishing test coming, they're going to be more tuned to that test. Now, that's not necessarily a bad thing, because you do get users talking about it and increasing the overall level of awareness about phishing and spear phishing and so forth. But there's a real value in making tests random so that users aren't just watching for the tests themselves but becoming more attuned to the treat of phishing in general.

Training should be frequent. Obviously not too frequents but it needs to be frequent enough to make sure that users are really understanding the value of the training they're getting and really keeping security as a top of mind issue. And what we see in the figure on the right, is that organizations that train their users more frequently, the senior managers have more confidence in their end users because they're not clicking on these links as much. We found for example, that for security awareness training is a maximum of once per year, the confidence levels are relatively low. If security awareness training is two or more times per year, the confidence level jumps quite a bit. So training really does pay off. Certainly there can be a point of diminishing returns but we rarely see that in our research. That the more users are trained, the more frequent it is, the more confidence that their senior management has that they won't click on phishing links.

You need to right size training as we discussed earlier. Make sure that role based training is the norm in your organization. Train the CFO differently than you might clerical staff. Because they face different levels of target-ability and they face different kinds of threats in their work.

You really need to focus on behavioral change. Make sure that users are getting to the point where they're more sensitive to things like phishing attempts and spear phishing attempts and they're more easily [inaudible 00:40:51]. You really need to change the behavior of your end users which is really the ultimate goal of security awareness training anyway.

You need to make the training fun. It's got to be engaging. Users have to want to be trained. They have to want to engage with the material. So you make it fun to the extent that it can be. This can be a dry subject obviously, it doesn't necessarily have to be.

You need to create back channels in your organization. And what we mean by back channels are different modes of communicating with each other to look for example, spear phishing attempts. The example I used earlier is where the CFO gets the request for sending a wire transfer off to a supplier. Make sure that there's a back channel so that the CFO can contact the CEO on his or her mobile phone in a way that maybe the bad guys can't find out about. So it's not necessarily you receive an email that says hey, make the wire transfer, you send an email right back. Because if that's an account takeover situation, where the CEO's account has actually been taken over by the bad guys, they'll respond saying yeah, this is me the CEO, go ahead and make the wire transfer. So you have to have an alternate route to be able to communicate with each other in case there are things that are in question like that.

And finally, don't punish users mistakes. Now, we're not talking about the user who makes the same mistake over and over and over, but we're talking about if somebody does fall for a phishing attempt or if they do fail a test as part of the security awareness training regimen. Don't necessarily punish them. Train them so that effect that behavioral change you're really looking for.

Camille: Thank you Michael so much for those. I think those are some great tips that anyone can apply that is either running a security program or anyway involved because not a lot of these are too hard to do. I mean of course they require man power, they require work on their end, but I think some of these things are things that people to just really think about and it might be a simple fix that could really make a significant improvement in their program.

Michael: That's really the fundamental issue here. Is that security awareness training will not solve all of your problems but it will go along way in making your organization more secure.

Camille: Right. So let's move on to a little bit more info about Michael and Osterman Research. So, I know Michael you have a lot of other research that might be interesting to people and I know you'd love to hear from them on any thoughts that they have.

Michael: Absolutely. If anybody has any questions, I'd be happy to answer those. We have a lot of unpublished resources we'd be happy to share, that kind of thing.

Camille: Sure. So there's Michael's contact information. And you will receive this in the recording email later as well. You'll be able to look at the recording and jot some of this information down. But looks like we've saved a few minutes here to get to some questions. So we've got Lisa and Michael still on the line with us to answer some of these and we'll still accept questions as we go along here. But let's start with a question here that says, what's a good rule of thumb for phishing reporting rate? So, that's maybe talking about people that are identifying a phishing attempt and is it better that they report them or just ignore it?

Lisa: I mean I think you obviously want people to report. I've always heard the adage that reporting is a measure of engagement, right? I heard somebody say to me, probably three or four years ago when I got into the field that you want you're reporting rate to be higher than your click rate on your mock phishing program. I think that's a good goal at the very beginning that you would want more people reporting something than actually clicking on it. But I think over time if you've been running a program for a little while, even as little as a year, if the program is going well, you start to see report rates that are far, far higher than your click rate. Maybe a click rate around 10 or 15% and a report rate much, much higher. Closer to 50% or even beyond. You really want to see that people are engaged and that people know that they need to report then I believe your reporting rate should be relatively high. But coming out of the gate at the very start of a program, I don't think I've talked to anybody whose gotten rates that high. Maybe 20 or 25% at the beginning but I would look for it to increase over time.

Michael: Mm-hmm (affirmative). Yeah and I would agree. And really one of the goals of training is to heighten that level of selective perception. It's like when you buy a new car, all of a sudden you see a lot of that make and model out driving much more than you did before. And I think one of the goals of good training is to really sensitize people and make them very aware of phishing. Much more than they were initially.

Camille: Another interesting question here. So, on the last slide they're referring to, on the tip slide, it says not punish people. But should they have consequences if they keep getting phished and if they are being provided the right resources and training but they're just not responding to that. Do you think that they should have consequences and if so, what kind of consequence do you think would be appropriate?

Lisa: I think obviously there has to be consequences, right? It would be really irresponsible if you had folks that were repeat clickers or exhibited behaviors over and over again that were dangerous to the organization. Obviously you have to take some action there. But I think it's all about how you do it and what the perception is, so I'm a believer in having an escalation process. With the first time somebody does something that's an undesired behavior, puts the organization at risk, I think that's a communication that happens between one person on the security team and that individual. But there's not a name and shame, right? There's no public humiliation. It's just a quick email that's as upbeat as possible, offers help, acknowledges that we know you're busy and we have a lot going on and sometimes its easy to click on things without thinking. And sort of acknowledges all of the challenges that they might have that might have caused them to do that, but then explains why that was a dangerous behavior and gives them some training. So, do that in a concise a way as possible. An upbeat way as possible.

But then I think eventually when somebody continues to exhibit behaviors that are dangerous, then I think it becomes a conversation. Maybe it's an email where you've copied their immediate supervisor or the next incident is one where you've copied their immediate supervisor and their HR business partner. And you gradually work your way up the organization. It's important to sit down with your leadership and HR and decided what those escalation processes should look like. That should be a group decision, there should be policy agreement on that. And then after that its just following that process once you determine what the process and the policy should be.

Michael: Yeah, and I would agree with that. Certainly there used to be an escalation process and there needs to be some level of punishment at some point for people who keep making the same mistakes. Continuing to click on phishing emails for example, the links and attachments and so forth, is really no different then somebody who continues to hold the door open, the security door for somebody without a badge in the company. That's the kind of behavior that you can excuse maybe one time, but it can't keep going on wit no change.

Camille: Another question that came in, how important are policies in establishing your training programs? So I'm thinking maybe he's referring to, in the question, policies of actually completing that training and is that monitored that people are completing that training and should there be a consequence.

Lisa: Well, I don't know. I think what he could be asking, and Jonathan feel free to type us some more notes if we're getting it wrong. But I think if you're asking are policies a necessary prerequisite for starting a training program, I'd say no. They're very helpful, but if you're in a smaller organization or an organization that just hasn't had the time to put pen to paper and hasn't developed thorough policies that have been agreed on and written in stone, then I don't think that should stop you from establishing a training program. I think the most important thing to establishing a training program is understanding what your risks are. What are the biggest risks to your organization? And those are the things that you have to train for. If you think the biggest risk, if your most valuable assets as a company are PII data, right? You've got a lot of consumer records or what have you, and that's what needs protecting. Then figuring out what training is necessary to make sure that you're shoring up any risk to that asset. I think that's more important actually then having policies.

If you have policies, that's fantastic. You likely than would have policies that dictate, at the bare minimum how often you need to train. Maybe your compliance is in there, your requirements are included in there. A lot of vendors in the states will allow you to train on your policies. Most companies have an annual policy acknowledgement and there are tools you can use to get that done. You can create training on your own policies. Jonathan just sent us a note, that he started a training program but without any established policies. I think you can forge ahead Jonathan, I really do. I think ideally you'd have policies in place but not having any or not having enough is not a reason not to train your employees and to work hard to protect your company so, kudos to you.

Michael: And I think there's a value in policies and I think it varies based on the organization and the regulatory environment you face. For example, if you are dealing with lets say, residents of the European Union, then your company absolutely has to have policies in place about how you manage the data of those residents. So for example, if you're going to be sharing information with third parties and it includes personal information on residents of the EU, then you have to have a policy in place that says okay, we know that this third party is GDPR compliant. You're going to be encrypting data when send it and so forth. And so I think you have to have the policy in place so that you can evaluate employees based on their behavior about protecting that data. If you don't have any policies in place, it's going to be harder to evaluate them on GDPR compliance for example. So I think, again, it's a case by case basis for some organizations but you have to have policies in place that will allow you to measure employee behavior against that benchmark.

Lisa: I'm going to give a little devils advocate perspective here as I think about this and I look at Jonathans comment. Think of it this way, do you think there are cyber criminals who care whether or not you have a policy? Right? So think of it that way. I know that sounds a little off the wall but honestly there's still a lot you can train your employees to do to protect your organization without policies. And I would just say don't let perfection be the enemy of good. Ideally you'd have policies in place but there's still so much people can learn in ways that you can protect the company or the organization even without them. So I wouldn't let it be a barrier. I would forge ahead and do what you can.

Michael: Yeah, and I would completely agree with that. Even in the absence of policies there are things that you can do because people should know they shouldn't click on phishing links or -

Lisa: Right.

Michael: Attachments, and spear phishing and so forth. It's when you get more, I think into the minutia of specific compliance obligations where policies are very helpful.

Lisa: Right.

Camille: Great questions and thank you to all of our audience for participating and a special thanks to Lisa and Michael. Really interesting presentation today and we hope that everyone enjoyed and also learned from this session. And just some great statistics, some great research and some useful tips that we can take back to our own organizations and really think about. So such a big thanks to you for participating Lisa and Michael and all of our audience as well.

Security awareness and training is not one size fits all. It's going to take different learning paths, messages and tactics to get everyone on your team to care about security. Security IQ, our security awareness training solution comes loaded with more than 500 training modules, 2000 phishing templates and learner assessments to help you build a successful security awareness program and a cyber alert workforce. Like the best laid communication plans, it helps you deliver the right training to the right people at the right time. The most effective security awareness programs are layered, leveraging computer based trainings, simulations and offline reinforcement tools like posters, tip sheets and recognition programs. This is not unlike how technology companies roll out the latest hardware updates. You'll see their ads on your favorite websites, in your social feeds, in your email, and even in the magazines you read. Security IQ offers three layers to help you make awareness training stick and actually motivate behavioral change. These are event activated learning, learner activated training, and admin activated training.

If you'd like to give Security IQ a try, go to infosecinstitute.com/iq to get started with a free account today.

Chris: Thank you all for listening and watching. If you enjoyed today's podcast, please visit infosecpkstage.wpengine.com/cyberspeak for a full list of other episodes.

Thanks once again to our guests, Michael Osterman and Lisa Plaggemier. And thank you all again for watching and listening. We'll speak to you next week.