Security Awareness Training
Awareness Training can be a key part to reducing the risk of threats such as social engineering and phishing – but many companies struggle to put together effective security awareness training sessions. It’s an understandable problem though, putting together a talk about passwords and emails, but keeping it interesting, is tough. So we’re put together some notes here about how we pull it off.
If you’d like to know more about our specific offering – then get in touch.
Getting Security Awareness Training Right
Whilst our Security Awareness Training can bespoke, and we often tailor it to the specific needs of the customer, we’d recommend considering at least the following topics:
- Hacker Motivations
- Social Engineering and Phishing
- Physical Security
- Secure Remote Working
- Wireless Security
- Passwords and Multi-factor
We’d of course also recommend offering role-specific training modules, such as ensuring the Data Protection and GDPR are included for roles that are likely to interact with personal data. As well as more in-depth technical details when delivering to IT teams or Software Development Teams.
We’ll give a breakdown and overview of how we cover these topics in just a moment, before we do it’s worth pointing out a few of the failings we’ve seen in other security awareness training offerings so that we can discuss ways to avoid them.
Firstly, we find the “Do as I say” approach to be flawed; that is the approach where security awareness training is simply delivered as a link of rules “don’t click links in emails” or “don’t use short length passwords”, without an explanation as to why that is the case. When we deliver security awareness training we use ethical hackers as our trainers, so that we can go into the why of each rule. We aim to show staff what can happen if the rules aren’t followed so that they better understand the importance of the topic and so that it’s more memorable – for example we discuss in simple terms, how passwords are captured and how phishing campaigns are put together.
Secondly, we find that a lot of security awareness training is simply outdated, or poorly fitted to the organisation. Outdated training might not consider changes to attacker capabilities, or new protection technologies that are available, putting your staff at a disadvantage.
Finally, poorly fitted training might waste time talking about corporate mobile device security – to a company that uses BYOD – or might was time talking about security in the company office – to a fully remote team. Risks and mitigations cannot be broadly applied and should be at least tweaked, if not fully tailored, to the audience.
Speaker Profile: Holly Grace Williams
Holly Grace has delivered cybersecurity and security awareness training to hundreds of delegates throughout her career, with a key focus on delivering cybersecurity training for SMEs.
She has spoken publicly about cybersecurity and security awareness on both Sky News and BBC Breakfast, as well as at many events such as Infosecurity Europe, TEISS, DTx, and Scot-Secure.
She was included as one of SC’s “Women of Influence” in the “30 Top Cybersecurity Leaders” of 2021 and 2019; as well as being awarded Computing’s Security Woman of the Year award in 2018.
Holly Grace has fourteen years of experience in leading information security teams. She holds a Master of Science in Information Security and Privacy, from Cardiff University and is both a CREST Certified Penetration Tester and a Cyber Essentials assessor.
Very often security awareness training just jumps straight in to talking about “Security Rules” without establishing a baseline as to why security is key to all organisations. We’d recommend opening with discussing different threat actors and threat groups as well as the motivations behind what they do. Many staff members have the view “Why would anyone try to hack us?” and often this just comes from the fact that they’re not aware of the huge range of motivations from bored teenagers with a lot of time on their hands to state-affiliated groups. There are so many reasons hackers might target your organisation that it’s critical to make sure your staff understand the different goals these groups might have. Plus, it’s a great way to grab people’s attention from the start.
Social Engineering and Phishing
Scams and social engineering is a huge topic, and we should point out straight away that it’s not just malicious emails – we’ve seen everything from social engineering over social networking to, believe it or not, a phishing fax. So we start with the range of malicious communications that can occur, why social engineers might target your organisation, and what they will be looking to gain.
We also dig a little deeper than a lot of training offerings, by looking into what happens next when someone falls for a social engineering scam – for example, we look at what actually happens when you click a malicious email link. We also cover a range of social engineering scenarios, from the common “Your account is locked, click here to unlock it” to more interesting examples or previously seen spear phishing campaigns.
This also a great time to pull back the curtain a little and include a hacking demo – to show what it looks like from the other side. Attack Demos are often more memorable that a plain slide deck and can help staff members understand just how quickly these attacks can take place.
The physical side of security is often the most overlooked side to security awareness, and it’s one of the areas that should be the most tailored. The risk differs greatly for those who work at a desk in an office, compared to those who work from home, and those who might work on-the-road. We start this section with examples of physical access testing, where we’ve successfully compromised companies through physical techniques – from sneaking into office space to targeting staff members at events. We cover the basics, such as what can happen when you don’t lock an unattended device, to ways we compromise whole organisations given physical access to their office space.
We also talk about how trying to get staff members to challenge people in the office is unlikely to ever be effective, and alternative approaches to close this gap in your physical security.
Secure Remote Working
There are also a lot of things to worry about when it comes to working from home and working on-the-road. So we cover protecting data on untrusted networks, the benefits and drawbacks of virtual private networks (VPNs) and how staff members can protect themselves wherever they are, if it’s the home-office, a hotel room, or a coffee shop. The modern workforce is far more distributed that it has ever been, and this changes things.
Thankfully, the risks of “open” wireless networks are quite well known now; we tend to find that staff members are already aware of the risks of using coffee shop WiFi and how attackers can eavesdrop on network traffic. However, many staff members don’t apply this knowledge to networks that aren’t open, but still should not be trusted – such as WiFi in hotels and shared/co-working spaces. We cover the range of risks that wireless networks bring, plus the differences between “open”, and “secured but untrusted” networks, as well as alternatives such as mobile data connections.
Passwords and Multi-factor
Finally, it’s not the section that people look forward to, but it’s important. Talking about passwords is boring – so we approach this topic a little differently. We open this section by talking about password attacks. We cover the same guidance, such as why longer passwords are more security and just how much impact does password complexity actually have, but from the point of view of an unethical hacker trying to break into your systems. Password cracking attacks these days are incredibly quick, especially given the fact that attackers have access to cloud resources, so we demonstrate it. Staff members will get to the end of this section with an understanding about how passwords can be broken, how to choose more secure passwords, how multi-factor authentication can help, and the benefits and drawbacks of technologies such as password managers. All in an engaging way focused on real-world applications and risks.
Finally, we recommend leaving a little time at the end for an open discussion. One of the major benefits of getting the Akimbo team in to deliver in-person, or remote, security awareness training is that your have an expert in the room to answer questions and to give more detail where it’s needed. If you’re booking multiple sessions in one day, to ensure that all of your staff are trained, we recommend leaving a short gap between the end of one session and the start of the next to let your team talk to our security experts and to get as much as possible from the training.