At RSA Conference Europe recently I did a joint session entitled ‘Training Employees to Recognize and Avoid Advanced Threat’.
No matter what security technologies are implemented, every organization’s greatest vulnerability is its people. Social engineering is a predominant aspect of advanced threats and finding ways to increase the effectiveness of user training has become imperative. Traditional training methods, including courses and videos, don’t involve the user in active defense. Training mechanisms need to make the threat real for the user, engage them in actively defending the organization, and drive home the message that users could be personally responsible for a major information breach. Innovative training mechanisms, including simulated phishing and gaming, are widely being trialed and deployed by organizations to help users understand how advanced threats work.
One of the issues raised was one that most global organisations are probably familiar with but need to get better at, and that is culture! In some countries employees may be motivated enough to complete the mandatory training and may voluntarily want to excel and become a certified ‘human firewall’ or obtain a gold badge in the relevant training. However, it was clear from the audience that in some cultures obtaining an extra certification or a gold badge would definitely not be a motivation to complete the security user training.
So, the debate goes on – How do you get a global organisation to have a consistent level of security training?