Security awareness is a process for educating, training, informing and socializing information systems security in the workplace and at home. How can a group of professionals talk about security awareness for two days straight? Is there really that much content to cover? Well, yes and yes, there is a growing group of professionals who need guidance in this relatively new area of cybersecurity. This group came together at the fifth annual SANS Security Awareness Summit in Charleston, South Carolina. Overall, the field of security awareness is in its infancy. In speaking with the other professionals who had attended the summit in previous years, it appears the attendance grows dramatically from year to year. In fact, in 2017 tickets were sold out.
It seems the cyber-threat to organizations keeps growing, the industry has spent years hardening computer operating systems (OS) but need to do more to ‘harden the human OS.’ Since technical hacking is getting harder, malicious attackers are starting to target the more vulnerable ‘human element.’ This comes in the form of social engineering, phishing attempts, or giving away free USB drives in the hopes one will get plugged in. Therefore, educating and training the workforce is critical.
So what works? Fun security awareness videos? You bet! A range of videos were on display, from low budget up to a much higher range. These videos delivered a dose of security messaging in a fun and memorable way. We found that the most effective videos were ones that recognized the human side. Instead of drilling facts, figures and fear into the workforce, they focused on getting a positive message across in an entertaining and engaging way. A big take away here is the power of video, instead of slides full of text and statistical details.
One talk highlighted an example of a larger campaign that played on some hacker stereotypes to create an edgy campaign. Even though use of stereotypes or humor can be risky, for this organization the bet paid off. They created a gameshow format, with security questions and hired actors to be the host and one of the participants to make it fun. The end result was that employees wanted to play, and probably learned about security while playing!
Keeping the message simple for the general workforce was another big take away. For example, trying to teach the general public every reason why they must not click on a suspicious link or open unsolicited attachments is not effective. Instead, keep the messaging simple, for example this poster could be placed in digital signage or hung up on a wall:
The message is brief, memorable, maybe humorous, and creates greater awareness then before. Exhaustive slides and explanations can lead to lack of awareness because the workforce doesn’t want to take the time out of their work day.
Throughout this summit they periodically held live surveys. One such survey asked, “How often does your organization conduct a phishing campaign”. A phishing campaign is when an organization will send fake phishing attempts to its employees to gauge how at risk their organization is to phishing attempts. Below are the results:
- 40% phishing monthly
- 34% phishing quarterly
- 5% every six months
- 7% annually
- 14% never
On this same note, some of the professionals in attendance commented that there was a huge decrease in users failing the test after they implemented a “Report Phishing” button to the company’s email application. What this says is that users tend to click the button because it’s easier to confirm if it’s a suspicious email by clicking the button than reporting a suspicious email. Reporting a suspicious email can require forwarding an email to a certain group within the organization. The key takeaway here is to make security easy and reduce the friction for employees to adhere to security best practices.
Another key takeaway is how important it is to consider and research what’s at risk for an organization. Phishing attempts may not be an issue for one organization but sending unencrypted emails with sensitive data might be. Resources need to be spent on reducing the risks that are unique to an organization. Don’t follow the crowd. Even better, work to get metrics from the security incident response team to identify what the trends are. For example, if you have data from before and after an awareness campaign, those metrics can be used to determine if the campaign was effective or not.
The Summit also had an extended workshop in how to Build, Maintain, and Measure a Security Awareness Program, which was a great chance to do some knowledge sharing with people facing similar (and different!) challenges. We were impressed by the different creative expressions of awareness materials there were – we saw comic books, rocks, security blankets and other swag, to elaborate game setups. Adobe’s own Security Awareness Training and Champions program held our own! We also came back with a ton of ideas.
As far as security summits go, this event was more engaging, entertaining, humorous, and human than most others. If this is a space you work in we recommend attending future security awareness summits or conferences, whether they are hosted by SANS or not. Much learning can be obtained!
Security Governance Lead
Sr. Program Manager – Security