Teach a Man to Phish

Cybersecurity

​Illustration by Viktor Kown​​​

Teach a Man to Phish
Trends in Data Breach Cost Components

Think you can spot a phishing e-mail when it pops into your inbox? The odds are not in your favor: a recent quiz from Intel Security found that 97 percent of more than 19,000 people surveyed worldwide were unable to correctly identify destructive phishing e-mails.

The quiz asked participants to identify 10 e-mails as legitimate or as phishing attempts. While no age group did particularly well, individuals who did the best were in the 34- to 44-year-old age range, identifying an average of 68 percent correctly. 

Gary Davis, chief consumer security evangelist at Intel Security, suggests that this age group is “being more conscientious and taking more time” while reading e-mails, as opposed to younger respondents who may be “clicking like crazy” on e-mail links. The United States as a whole also struggled, coming in 27th in its ability to detect phishing—just behind Canada, which finished 26th. France, Sweden, Hungary, The Netherlands, and Spain performed the best, Davis says, explaining that European countries tend to be more security conscious than those in North America. 

This failure to identify malicious e-mails not only poses problems for individual users, but for corporate security as well. Human error is most often to blame for corporate breaches, and phishing and spear-phishing are the predominant attack methods, according to The BakerHostetler Data Security Incident Response Report 2015.

“The large number of the incidents we saw in 2014 that included employee negligence as part of the primary underlying cause is proof that companies cannot eradicate security risk solely through the use of better technology,” the report said. 

So what can companies do to even the odds? Creating a staff security awareness training program might be a good place to start. Here are tips from two experts for getting a training program off the ground: Dan Lohrmann, chief security officer of Security Mentor, a security awareness training company; and Chris Romeo, chief security advocate of Cisco Systems and creator of its Security Ninja program.​

1. Start Small

The first step is to figure out exactly what you want to address through training, says Romeo, who designed Cisco’s internal voluntary security awareness program.

“We realized that at Cisco, we didn’t have a comprehensive end-to-end-security training program,” he explains. “We had individual pieces of security training, but they didn’t all fit together in a cohesive way. Our security IQ for our organization wasn’t what we wanted it to be.”

Romeo and an initial team of three others then used that thought process to narrow their focus, creating an application security awareness program using an engineering outlook. They designed a program to teach participants the basics of building a secure process, to explain historical process failures and how to avoid them in the future, and to change participants’ behavior to make Cisco’s products—and its networks—more secure. 

Once the team had its focus, it planned a pilot version of its security awareness program—modeled on Adobe’s Security Ninja Program, which divides training into skill levels based on the colored belt system used in martial arts. 

The team decided to start with creating and launching the first level, the White Belt, before building the rest of the program. This allowed the team to see what was working and what needed tweaking. The approach also allowed security to gain executive support for a more robust program, a strategy Romeo highly recommends.​

2. Make it Engaging and Fun

After outlining a pilot plan, you need to create content that employees want to complete. In other words, a long PowerPoint slide module is probably not the way to go. Instead, follow the approach Romeo and his team did and ask yourself, “If we had the perfect training class, what would be fun?”

The answer was content that used humor in videos, quizzes, and real-world experiences to teach participants about security. The videos, produced in-house, were especially popular with the more than 20,000 people who have participated in the program so far because they bring together security professionals to discuss a topic in a completely unscripted manner. The videos let “real security people have real security conversations,” which participants appreciate, Romeo says.

Additionally, the team wove security metaphors—short, humorous spoofs on movies like The Matrix and Office Space—into training modules, along with clips of individuals in ninja costumes in the Cisco workplace. “It was just a way to connect our brand and our market, and add a little fun,” Romeo notes. 

And making training fun and engaging is crucial, Lohrmann says. Beyond video, he suggests using gamification to create content that people remember once they’ve completed the training. For instance, in a module that addresses lost items in airports, you could create a game that asks people to find the top 10 places people lose their cell phones while in an airport. “Make it something you remember; it can’t be just ‘don’t lose your phone,’” Lohrmann urges.​

3. Keep It Short and Small

After figuring out your content and format, edit it so modules are no longer than 20 minutes, Romeo recommends. “Edit, reduce the content, and get it to the right level,” he explains, adding that if you need help cutting it down, seek help from a production or marketing team.

By keeping the delivery short, participants will be more likely to watch or complete the entire module, and it can be updated regularly. 

“Try to offer monthly training that’s brief at 10 minutes, spreading it out throughout the year,” Lohrmann says. “Training should be updated regularly, at least annually, if information changes or if there’s some new technology or trend.”​

4. Ask for help

If you find yourself really struggling to create content, consider asking for help within your company. For instance, Cisco has Cisco TV, which has access to studios and professionals who know how to use cameras and edit footage. Partnering with these individuals to create videos was crucial to developing the final content for its security awareness program, Romeo says. 

When it comes to writing test questions—something the Cisco team found extremely challenging—Romeo suggests hiring instructional design professionals to help. “Anyone can write test questions, not everyone can write good test questions,” he says.

5. Get Executive Support

Once you have your training ready to launch, it’s key to get executive support to encourage employee participation, especially if the program isn’t mandatory. 

When Lohrmann was working as the chief security officer for the state of Michigan, he helped design a staff security awareness training program. At a cabinet meeting, Michigan Governor Rick Snyder asked everyone in the room who’d taken the training to raise their hand—but no hands went up. Snyder, Lohrmann recalls, then said, “I’ve taken it; I liked it; I learned a lot,” and then told everyone he expected them to take the training and to have their direct reports complete it as well.

One month later at another cabinet meeting, Snyder asked who’d completed the training program and every hand in the room went up. Having Snyder’s support was crucial to getting executive buy-in for the security awareness training and ensured that it was made a priority across state government.

The same is true in the corporate world, and Romeo recommends tapping into executives’ natural competitiveness in the workplace to encourage participation. One way Cisco does this is by using a dashboard to keep track of who in each department has achieved a White Belt—or more advanced belts—in the program. When executives see that another department may be pulling ahead of their own, they are more likely to encourage staff to participate in the training and stay ahead of the rest of the company, he explains.

Additionally, by securing executive support for the training, you can increase your chances of getting additional funding to continue the training in the future and secure funding for other training projects.​

6. Recognize Participants

Finally, once the program has been launched, find a way to recognize participants who complete the training. This can range from sending certificates of completion—extremely popular with participants in Cisco’s Asia offices, Romeo says—to awarding prizes.

One effective measure Cisco found for rewarding individuals was to give participants lanyards that were associated with the belt level they had achieved—ranging from white to black. Employees are required to wear ID badges on lanyards while at work, and the security awareness training lanyards became an easy—and effective—way for people to show what level they’d achieved in the program. 

“This program went viral within the company,” Romeo says. “We think it was the recognition process that drove that.”