
MapleSEC: Try these tips to improve your security awareness program


Panelists discussing awareness training included, clockwise from top left, Brennen Schmidt, Jon Lewis, Spencer Callaghan and Jim Love.

Cybersecurity awareness training. Three words that often make the eyes of employees — and infosec pros — glaze over.

Several sessions at the MapleSec virtual cybersecurity conference on Tuesday gave valuable advice to organizations on how to make awareness training work. Here’s a roundup of what speakers said.

Many training sessions are “pretty boring,” said Jon Lewis, a product marketing specialist at the Canadian Internet Registry Authority (CIRA), which in addition to patrolling the .ca domain sells an awareness training service.


“We’ve been beaten to the ground with mandatory training” for a variety of things in organizations, he said. “I personally believe awareness of cybersecurity problems is high, but people are still doing bad things, and I think it boils down to training not being super-engaging.”

It doesn’t have to be glitzy, he added, but training does have to be engaging — and perhaps with a little wit.

An example: As part of a regular phishing test for its employees, CIRA created an email about a parking spot lottery seemingly from the management of the downtown Toronto building where it is headquartered. The email had the management company’s logo and a colourful map of the possible parking spots — in short, it looked very convincing. Employees were asked to click on a link and enter personal information to be part of the lottery for the parking spots.

Apparently, enough of the staff were fooled that the phish became a “classic,” said Lewis.

However, he cautioned, make sure such tests are appropriate. One company ran a phishing test offering employees a chance to earn a bonus by clicking on a link and entering their usernames and passwords. Unfortunately, the “contest” for bonus money ran just after a large number of layoffs. The test “burned a bunch of bridges” with management, Lewis said. Do a test like that “and your [awareness] program is dead.”

Several speakers mentioned the importance of regular awareness training — at least once a quarter.

“Don’t make people feel stupid,” advised IT World Canada CIO Jim Love. Let them know mistakes happen to everyone. In fact, if you’re a trainer share examples of some stupid things you’ve done, he said.

Awareness training should be part of the organization’s fabric, Love added. For example, include some advice for a few minutes during a team’s weekly meeting. It’s also important, he said, to have executive participation in training. This can range from a short video from an executive to walking around the office chatting with staff and talking about the importance of being security-aware.

He also urged infosec pros to build coalitions of support for security training with other groups in the organization.

This was echoed by Brennen Schmidt, cybersecurity author and member of the board of the Mackenzie Institute. The COVID crisis is an opportunity for IT to talk with other departments about delayed cybersecurity projects, such as a mobile working strategy.

David Shipley, CEO of Fredericton, N.B.-based Beauceron Security, said there are five parts to creating a good cybersecurity awareness plan:

Shipley said awareness training programs often fail because they are seen as driven by the IT department, they focus too much on phishing-test click rates, and success is defined by useless metrics such as the number of meetings held with staff.

It’s important staff not be punished for failing tests, he added. Staff should understand that training is about learning from mistakes.
