Proactive vs. Reactive
A lot of clients come to us in crisis: “Help! Too many of our employees are falling for phishing scams!” or “Help! We got breached last year!” or “Help! We didn’t pass compliance and need to train our users!” They reach out to us with panic in their voices and desperation in their eyes, because they see dollar signs and lost trust from their own customers. To them, they’re in a sinking lifeboat full of holes and need us to plug those holes as fast as we can.
We also have a lot of clients come to us in a less panicked state who have seen their peers get breached and don’t want to end up in the news stories. They are still on a tight schedule, sometimes trying to get in under a deadline to impress an exec or beat a compliance deadline, but they haven’t been hit yet and want to keep it that way.
Both ways – reactive and proactive – result in awareness programs. But which way is better?
Obviously, in an ideal world we would prevent any bad things from befalling us or our companies, much in the same way that we try to eat healthy to prevent high cholesterol or weight gain. But when that bad thing does happen – going over our goal weight or being told we have high blood pressure – it is not the end of the world, and it can be rectified. We change our eating habits, and after some time we see the numbers go down.
It’s the same with awareness training. We should try to prevent situations from arising by teaching our users how to create strong passwords, how to recognize social engineering scams, how to prevent personal identity theft and why data classification is so important. But if something does happen, we should also react with training – not as a punishment, mind you – to reiterate lessons we’re already teaching and to correct insecure and careless behavior.
Below we have listed a few tips and tricks to help with both reactive and proactive training methods:
- Use minor mistakes as learning opportunities. If someone forgets their badge, can’t remember their password, or neglects to lock their desktop screen before getting up, these are not huge infractions, but they are a good opportunity for you to remind them of policy.
- Phish your employees and require additional training for anyone who fails. This is an immediate, reactive, defensive form of training: the person who falls for the simulated phishing email receives an immediate learning opportunity and sees exactly what they did wrong.
- Require training for the whole group, not just the offenders. If something bad happened at your company and everyone knows about it (an insider gone bad, a data breach, an outside attack, etc.), let the employees know that is the reason for the training. That one bad apple does spoil it for the whole bunch. No one will want to be the bad apple.
- Teach them how to protect themselves and their families. People care a whole lot more about themselves than they ever will about the company they work for, so give them some useful information about securing their own lives and protecting their own privacy. At the end of the lesson, just be sure to give them a nudge and say, “Hey, by the way, all this stuff we’re teaching you? Do it here at work too.”
- New hire training is a must. “Start ‘em while they’re young” is something we’ve all heard about teaching kids from a young age about whatever subject matter is at hand. The same is true for new employees. Don’t wait until they’ve been there six months. Catch them while they’re new and absorbing information about company policy. Hit them with awareness training from the get-go to ingrain it into their daily work behavior.
- Once a year won’t cut it. For all of the employees who have been there more than a few months, don’t just rely on a yearly compliance review. Remind them regularly of policy, of best practices, and of why security awareness should be at the forefront of their minds in everything they do. Remind them monthly, quarterly, and yearly.
- Cover all your bases, not just the one with a runner on it. If you do have a recurring problem – let’s say people falling for phishing attacks – then you should definitely train them to avoid those. But don’t neglect the dozens of other important security topics. Cover the basics, across the board, in all the domains: cyber, physical and human. Think about it like when you learned to drive: even if you didn’t live near a highway, you should still learn to drive on one, and even if your driver’s test doesn’t require parallel parking, you should still know how to do it. It’s the same with security.
By Ashley Schwartau