Security Awareness and Training Best Practices

© 2008 - 2015 Wombat Security Technologies, Inc. All rights reserved.

Page 1: Best Practices for Security Awareness and Training

Page 2: What Will You Learn?

• The evolution of security awareness and training
• Components of effective training
• Our Continuous Training Methodology
  – Steps: Assess, Educate, Reinforce, Measure
  – Best practices for engaging end users and structuring your program
• Our Learning Science Principles
• Next steps

Page 3: The Evolution of Security Education

• Traditional security programs have relied heavily on annual presentations and videos
• Many efforts have been reactive rather than proactive (e.g., warning emails from IT departments)
• With these methods proving ineffective, CISOs are exploring other awareness and education initiatives

Page 4: The Evolution of Security Education

Page 5: What Is Effective Training?

The first goal of any security awareness and training program should be improved knowledge and behavior, not just awareness.

• Security awareness alone is not sufficient to improve end-user security posture
• Users must understand and know how to respond to potential security risks

Page 6: What Is Effective Training?

Presentations, slide-based training, simple quizzes, and videos inform — but don’t educate — end users. As such, they don’t help users understand risks or change their behaviors.

Page 7: What Is Effective Training?

When users can understand the context of their behaviors, practice through simulated situations, and receive immediate feedback, they can make better decisions and reduce risks.

Page 8: What Is Effective Training?

Real-life examples and immediate feedback enhance learning and retention, allowing users to understand and correct their behavior.

Page 9: What Is Effective Training?

Truly effective training can improve your program’s results.

Page 10: Continuous Training Methodology

A foundation for success: a 360-degree approach to security awareness and training.

Page 11: Continuous Training Methodology

Get a baseline of your end users’ knowledge.

Assessments: CyberStrength® Knowledge Assessments
Gauge end users’ knowledge of security topics, including your security policy.
• Create a broad assessment on multiple subjects or do a highly focused assessment in a particular topic area
• Use pre-written questions or ask your own

Page 12: Continuous Training Methodology

Get a baseline of your end users’ vulnerabilities and motivate users to complete training.

Assessments: Simulated Attacks
Understand your most vulnerable threat vectors:
• Mock email phishing attacks with ThreatSim®
• SMS text message attacks with SmishGuru®
• USB drive attacks with USBGuru®

Page 13: Continuous Training Methodology

Any employee who falls for a simulated attack is automatically presented with a Teachable Moment. This is not considered training, though many of our competitors believe it is.

Send Simulated Attack → Teachable Moment Delivered

Page 14: Continuous Training Methodology

Educate your users and change behavior with true, interactive training modules in a variety of topics.

Wombat Security uses Learning Science Principles in every training module to engage users and increase learning and retention.

Page 15: Continuous Training Methodology

Use our PhishAlarm® Email Add-In so end users can report suspected phishing attacks.
• End users are provided positive behavior reinforcement with customizable messages via a pop-up window
• Save time prioritizing reported emails with our new PhishAlarm Analyzer tool

Page 16: Continuous Training Methodology

Use Security Awareness Materials to help your end users retain knowledge.
• Choose from a selection of posters, articles, images, and gifts
• The materials remind your employees about the security principles they learned during in-depth training

Page 17: Continuous Training Methodology

Measure improvement using 20+ reports.
• Review detailed information from assessments and training efforts. See data about:
  – Who completed which assignments
  – Who fell for specific simulated attacks
  – Which concepts employees understand well
  – Topic areas of weakness
  – Improvements over time
• Reports can be exported and shared with interested parties

Page 18: For Best Results, Repeat the Cycle

Suggested CyberStrength Reassessment Schedule:
• Quarterly or biannual assessments allow you to continue to measure improvement from the baseline.
• When you aren’t performing a broad content assessment, we suggest focusing on seasonal issues, as in the following schedule:
  – Safety on the Internet: August – October
  – Anti-phishing: November – January
  – Compliance: February – March
  – Mobility and travel: April – July

Page 19: Best Practices

For Best Results, Repeat the Cycle
Suggested Simulated Phishing Attack Reassessment Schedule:
• We recommend conducting ongoing simulated attacks at least four to six times per year. Many of our customers send out monthly simulated attacks.
• If you plan to employ a continuous cycle of simulated attacks and use Auto-Enrollment (to assign end users training if they click a mock phish), we suggest assigning only one training module per Auto-Enrollment and varying the training module type.

Page 20: Best Practices

Suggestions for Targeted Training Assignments:
• New hire assessment and training to gain a baseline of knowledge, and basic training as they enter the organization
• Mandatory Mobile Device Security and Mobile App Security (future) training for new BYOD registrations
• Mandatory training following any device infections (learn more about our upcoming Education Triggers)
• Security Essentials is a great starting point or refresher for employees

Page 21: Best Practices

Keep Your Efforts Engaging and Fun
• Rewards for trainees with the highest scores or who complete their training most quickly
• Create a competition between departments/groups for first dates of completion, training module scores, or assessment scores
• Elect a security champion within each group/department who provides on-the-spot recognition for employees exhibiting the right security behaviors

Page 22: Next Steps

Visit us at WombatSecurity.com to learn more about:
• Security awareness and training
• Our Continuous Training Methodology
• Customer Case Studies and Proofs of Concept results
• And more