Reducing the Risk – Security Awareness Training
Security Awareness Training (SAT) can be an easy win for IG Programs. Implementation of a SAT program almost immediately reduces corporate risk. Knowledge retention testing and metrics confirm that employees have been trained, and the likelihood of an employee being tricked into providing network access to bad actors is reduced.
So even though humans remain the weak link in cybersecurity defenses, the implementation of SAT programs significantly enhances corporate cybersecurity posture and provides executives with documented evidence that they have taken proactive steps to reduce risk.
SAT under the umbrella of an IG program involves the entire employee base in a common activity that encourages behavior that enhances corporate security. This group participation, combined with effective and ongoing messaging, leads to curious employees eager to find out what’s next. IG World embarked on a project to talk with leading SAT vendors and find out what they think is important.
These vendors were identified as leaders in the SAT market:
- Global Learning Systems, www.globallearningsystems.com
- Inspired eLearning, www.inspiredelearning.com
- KnowBe4, www.knowbe4.com
- Media Pro, www.mediapro.com
- Ninjio, www.ninjio.com
- Phish Labs, www.phishlabs.com
- SANS Institute, www.sans.org
- Security Innovation, www.securityinnovation.com
- Wombat Security, www.wombatsecurity.com
IG World spoke with Gretel Egan, Product Evangelist for Wombat Security, to find out how Wombat approaches the difficult process of changing human behavior. Gretel said, “It is a mind shift; companies need to prioritize SAT on the same level as other job skills.” The Wombat Security SAT platform helps employees learn in small, incremental steps. Wombat believes that microlearning leads to better knowledge retention. Proofpoint, which acquired Wombat in 2018, has published research showing that cybercriminals primarily target people, not systems. This research supports the premise that humans are the weak point in cybersecurity defenses.
The leading SAT companies all have platforms that integrate with corporate Learning Management Systems (LMS). One of the differentiators is the ability to integrate with IT Help Systems so that system administrators are notified when simulated phishing campaigns are initiated. This feature is an ease-of-use consideration which is especially useful in large organizations.
Inspired eLearning’s VP of Marketing Kirk Wright told IG World that the ROI justification for purchasing a SAT solution is simple. “I ask prospects ‘to think about how much money they spend on IT budgets for firewalls and other IT equipment,’ then I tell them ‘that with one click, a single employee can negate that entire budget.’ This is why SAT is important.”
Recently, Inspired eLearning released new vishing capabilities for its PhishProof platform. Vishing is the use of social media to compromise unsuspecting employees. It is important for SAT vendors to continuously update their training materials, and Inspired eLearning is the first to offer vishing training as a fully integrated part of its platform.
KNOWLEDGE RETENTION THROUGH ENTERTAINMENT
Knowledge retention is fundamental to the success of a SAT implementation. Ninjio has a unique approach to their training which engenders significant audience engagement through the use of American anime cartoon-like videos. Each month, Ninjio produces new animated videos, generally two to three minutes long. These videos are designed to convey cybersecurity lessons in an entertaining and engaging manner that employees will remember. Ninjio uses Hollywood writers to develop scripts based on real-world events. The actual company names are anonymized, but the scenarios are real, making the lessons more likely to stick. Ninjio founder and CEO Zack Schuler feels a tremendous amount of responsibility to provide quality content. Schuler told IG World, “I want to make sure I am reaching people with the most accurate information possible.” He went on to say, “Today we are saving data, in the future we (SAT) will be saving lives.” (The future may be closer than you think. You can read about medical device cybersecurity on page 14 of Issue 2.)
All of the leading SAT vendors have products which reduce corporate risk by educating employees to recognize potential threats and thus reduce the possibility of their being tricked into providing corporate information. In the next issue, IG World will examine the benefits of providing SAT to employees’ families.