Setting Up A Cyber and Email Security Awareness and Training Program

I was getting a coffee the other day and, as I usually do, I pulled out my phone to use its paypass feature. The barista seemed concerned about it, asking “aren’t you concerned about your account’s safety using that thing?”. I thought about it for a moment and concluded that I wasn’t, but that this was the case because I understood the protections that are in place to secure my virtual wallet. I know that my fingerprint and password function as 2FA (2-Factor Authentication) if my phone is stolen, that the tap of my payment device doesn’t work for over $100 at a time and, if hacked, I know that the banks have a “backup plan”, daily limits, that there are additional functions in place to predict and prevent uncharacteristic purchases, with many more security features along the line that give me confidence in using my phone’s paypass function. You could say I have banking security awareness.

In a similar vein, I know how to recognize a phishing email, know to use MFA (multi-factor authentication) when financial transactions are required, and I know that I can trust the technology in my company’s secure email gateway (e.g. URL and Attachment Defense, Spam Filters, Advanced Threat Protection, Archiving, Encryption, Dual-Layer Anti-Virus) to protect me from a majority of the threats by which I may be targeted at work. While this knowledge can empower you and your coworkers, not having it can only create a fearful or haphazard environment. Worse yet, beyond a fearful environment, you could be struck by one of the same attacks that seem to make headlines every month, potentially paralyzing your organization.

What is Good Cyber and Email Security Awareness Training?

A good cybersecurity awareness training strategy primarily does 2 things – raise awareness among and provides preventative training to an organization’s users. We will discuss email security training in a follow-up to this post – for now, we want to discuss the fundamentals of raising cyber and email security awareness within your organization.

It’s hard to stay on top of the cybersecurity landscape. By design, hackers and cyber criminals are intent on exploiting human error. Their exploits aim to stay ahead of the curve and play on your data’s biggest vulnerability – its users. With a good cyber and email security plan, you can cut down the risks of being victimized by an attack to nearly 0% (this assumes, for one, that more than 99.95% of malicious emails are blocked before reaching your users). Eliminating human error is the biggest challenge in this process, especially in face of advanced social engineering tactics used by cyber-criminals. This makes cyber and email security awareness and training imperative to mitigate the riskiest behavior within your organization.

The Greek Philosopher Heraclitus was famous for saying “The way up is the way down”. While we don’t necessarily know if that means anything (or if it’s supposed to), it does offer a simple model for how to approach your organization’s cybersecurity holistically – looking at your security and awareness from both the top-down and bottom-up approaches – ensuring that you put forward a team effort to stop incoming threats, however they may reach your organization.

The Top-Down Approach

Within any plan, you need senior buy-in if you expect your agenda to get support. Budgets are needed for security services, backups, pizza for training sessions and more. Updated password policies, remote working policies, and software that may need to installed network wide, all require time, money and effort for successful implementation. Even more importantly, it can be a challenge to modify the behaviours of those in your C-suite, who are the most targeted individuals in your company. They are constantly on the go, receiving 100’s of emails daily, making split second decisions and may not always be open to changing their habits. On top of that they will be the ones approving the transfer of funds – where a business email compromise or targeted phishing attack can really hurt the bottom line.

The best way to get buy-in is by using “both the carrot and the stick”. The carrots include: proactively protecting your organization from threats, the great impact on the bottom line if you’ve already fallen victim to a small attack or reducing other time-wasting security incidents and, of course, the aforementioned free pizza at training sessions. The sticks are pretty straight forward: Just read this FBI report, or this post on business email compromise, or download our whitepaper on cybersecurity trends to understand the real risks that every organization faces today from organized, determined and cunning cyber criminals.

The Bottom-Up Approach

With C-suite buy-in in place, getting your colleagues or the company’s employees on board is an important next step. A few frightening numbers and pizza can only get you so far. If you are going to get broader buy-in from all the participants in your organization, you’ll need to transparent about the whole process. At one point or another, many of us have worked in companies with strict password policies and monthly resets, never understanding why they are put in place. Users need to not only know, but also understand the worst case scenarios.  Engage your teams in the process, explain how every step along the way is essential to the process.

To be blunt, “the stick” here may require you to give pause to your team about some of the negative scenarios they may face, including lost time, productivity, even jobs – and anywhere from thousands to millions of dollars stolen based on single attacks or weak points. After they’ve realized how important it is to adopt habits that prevent these attacks from taking place, give them an empowering message about how, with the right action, cyber criminals are nothing to fear. How do you do this? Consider the steps we offer below

Becoming an Internal IT Thought Leader

IT can be a difficult subject for many non-tech employees, and even those within the space, to grasp. Every time a WannaCry, ROPEMAKER or other trendy attack makes headlines, or a DNS attack hits and takes down chunks of the web, most people look to IT for feedback, for understanding about what there is to fear. While these threats may not often affect your organization directly, they present great opportunities to put together an important thought piece for internal communications. Use statistics whenever possible to explain the scope of attacks and how they affect the organizations involved. Data is always useful in communicating the effectiveness of your own solutions. How many malicious attacks were stopped by your email filter? How do new attacks compare to previous ones? What are some of the craziest and unbelievable attacks of the year that your users may not have heard about? With these stories, always share how the impact of such attacks could have been avoided. It’s important to be unequivocal in explaining these attacks as well – if you scare them without empowering them, you might scare your colleagues from opening their email, rather than empowering them to report threats.

Monthly Security Awareness

Once you’ve established the credibility of your cybersecurity approach, you don’t have to wait until disaster strikes to communicate useful information on it. Get top level buy in to present at  general meetings, or even send out a quarterly refresher on your policies and new threats that you’ve heard about. People are busy, you can’t expect voluntary attendance – mandate attendance by offering something in exchange (free lunch, chotchkies, other ways of making a memorable impact while getting on your colleagues’ good side). Ultimately, these meetings should show examples of victims as well as emerging threats and how to avoid them. A little tip here: Work with your own marketing or communications teams from your own company to build a scheduling plan and internal messaging that really connects with your colleagues. Breakdown silos.

Annual Security Reports

At the end of the year, show how your plan is working. How many virus emails were quarantined? How many phishing emails and malicious links were blocked? How many passwords login attempts were blocked from outside the organization? How many incident reports were successfully addressed? How many days since the “last cybersecurity incident”?

Out of the Box: Hack yourself

Want to really make an impact, getting top down support as well as getting your colleagues to understand how we can all be victims? Test your network’s vulnerability your. Send out your own “phishing email” and see how many people in your organization will open it. Make the results anonymous so no one is hung out to dry, but make it clear how many people within your organization fell for your simple ruse, and how much more vulnerable they may be to an actual expert cybercriminal.

Too often, IT is the secretive “big brother”, working diligently in background with no one really knowing all the positive outcomes of their efforts. Simply put, the fact that business operations are functioning can be credited to good cybersecurity. Use cyber and email security awareness as an opportunity to communicate the effectiveness and importance of your work, and give your colleagues visibility on the day-to-day, nitty gritty of your activities. Communicating the details of your daily routine can build greater value in the services being offered by IT teams.