As businesses continue to suffer millions in losses from ransomware and other hacks, experts have repeatedly pointed to security awareness training as one of the most effective – and cheapest – tools for an MSP to wield against these types of threats.

The statistics are startling when it comes to the role human error plays in cybersecurity breaches:

    • 95 percent of all breaches come back to some sort of human error
    • 52 percent of businesses admit that employees are their biggest weakness in IT security.

With these numbers having such a human element, awareness training becomes an effective way to push back. But what does “awareness training” really mean, and how do you make more effective? These are challenging questions, and we’ve turned to various experts for their insights.

Low-tech for high tech

“Sometimes there is just so much electronic noise that you have to block it all out and talk to people human to human,” says Sandy Lewis, who runs awareness training in San Diego.

Often just calling people together into a room with some coffee and doughnuts and having an informal chat about cybersecurity, what phishing is, what credential stealing is, and so on can be very effective, Lewis adds. What you don’t want to do, Lewis advises, is make it a boring classroom-style lecture.

“Most people will start tuning out. The average person isn’t an IT guru. Their eyes will start glazing over,” Lewis points out.

You want to make the talk interactive, casual, and offer plenty of opportunity for participants to ask questions. MSPs often have someone on their staff in sales and who can be engaging and entertaining.

    • Incentives: Want to pay millions in ransomware or thousands in bonuses? You’ll pay either way, so you may as well choose the lower-cost route and get happier employees in the process. You wouldn’t think that incentives are part of awareness training, but experts advise they can be a powerful tool if used in tandem with it. John Webb, a trainer in Fort Worth, says he has seen businesses experience great success offering gift cards or extra time off for those who’ve achieved measurable improvements in “cyber hygiene” over the course of a year. People may pay extra attention in the training sessions if they know a gift card or extra money is the reward for taking it seriously. “You’ll have happier employees, fewer incidents, and paying bonuses is far cheaper than paying the ransom,” Webb states.
    • Pen-testing: This is where you get into higher-tech tools and there is definitely a place for these. “I always advise clients to use them in a way that helps teach the employee, not shame them,” Webb points out. “I knew one manufacturing customer that would print the employee’s name and picture and put it on their bulletin board as being someone who opened a spammy email. Another company was docking pay. None of these things, in my estimation, are effective.” Webb advises. “It just shames and breeds fear.” What is effective then? “If someone falls for a simulated phishing email, privately talk to them, explain to them clearly what would have happened if it had been an actual phishing attempt, and let it go,” Webb says. “Most people will get it and not repeat the mistake. If you get a repeat offender, then give them more training. I’d save punitive actions for the most severe cases.”

Implementing your security awareness training

  • Categorize by speciality: Many MSPs lump all employees into one pot, but this may require a change in thinking. “Let’s face it, there are certain employees who are more high-risk, and it may help to do a risk assessment,” Webb states. But even that isn’t as easy as it seems. Who, after all, is high risk? A low-level employee with access to IoT devices like security cameras can pose just as much risk as a company VP. A thorough audit should be conducted of employees, and a risk assessment made. Depending on each individual’s risk and cyber hygiene, credentials could be tailored, diminished, or sectioned off, if need be. “The worst thing you can do is approach each employee with a one-size-fits-all mentality because, in cybersecurity, one-size does not fit all,” Webb adds.
  • Keep IT simple: Most employees don’t care about patches, firewalls, routers, file-less malware, and lateral movement. Instead, come up with a few core themes relevant to your business and hammer away on just those. “People have limited attention spans. You can’t cover it all. Choose two or three topics you want to cover, and that is it,” Lewis advises. If that is personal devices, use of public Wi-Fi, or how to spot dangerous attachments, pick the three topics most relevant to your business.
  • Peer to peer IT: Sometimes people learn more from their peers. An accounting person just might not be able to connect with an IT person on the same human-to-human level as they can with someone who works two cubicles down in accounting. Consider “Deputizing” a “layperson” from each department to be an IT Sherpa for others in their department. This keeps awareness training within the confines of daily life in the department. The person doesn’t have to know everything or be an IT whiz, just be well-versed in the basics. This also makes IT information more accessible and takes some of the burden for day to day IT awareness training off the MSP.

Remember, a comprehensive security awareness training can mean a lot of problems avoided!

Photo: sitthiphong / Shutterstock

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.

Leave a reply

Your email address will not be published. Required fields are marked *