Two approaches to improving staff IT security awareness:
One - put them all in a hot, stuffy training room and get someone to walk through a 50-slide PPT deck once a quarter.
Or, ask them to watch a 12-episode video series with a ‘Netflix-series’ look and feel, rolled out weekly, which gets everyone so hooked they can’t wait for the next instalment - even though its content is all about supposedly dry topics like social engineering, password best practice and social media no-nos.
We’re going to guess the latter, and it’s certainly the view of senior systems administrator Jonathan Flack, who decided to try a new approach to improving IT security in his organisation, using e-learning materials provided by a Florida-headquartered provider called KnowBe4, which markets itself as a combined security awareness training and simulated phishing platform.
Flack says he tried both ways of improving user security awareness and now definitely knows which one he prefers. A big eye-opener for him was the internal reaction to one such ‘series’ - ‘The Inside Man,’ content deliberately crafted to be an entertaining, movie-like experience for users, to make learning how to make smarter security decisions fun and engaging. Really!
For Flack and his IT colleagues, this is definitely now the way security training really has to go. The organisation we’re talking about here, by the way, is a Cork-based non-profit called The Irish Cattle Breeding Federation (ICBF), which has a twin sister based out of the same offices called Sheep Ireland.
Their missions, for the Irish cattle and sheep sectors respectively, are to provide breeding information services to the Irish dairy and beef industries, and, in the case of the twin ‘brand’ Sheep Ireland, the separate job of increasing the rate of genetic gain in the Irish sheep sector by identifying and promoting the use of rams with more profitable and sustainable genetics. The two have 90 employees across two physical sites. But even though it’s a world leader in cattle genomics staffed by clever people, ICBF/Sheep Ireland had the same problem as, let’s face it, many other organisations human beings work in: too many dodgy emails coming in that promise alluring things.
Despite having anti-virus and anti-malware firmly embedded, user behaviour was still letting too much phishing through, Flack told diginomica/government:
We were seeing around 37% of these types of emails being opened, which just wasn’t acceptable.
He also notes that the general level of security culture was pretty low: the click-through rate on phishing links was that high, he believes, because people would frequently log into their colleagues’ email and open a phishing link out of curiosity, while passwords weren’t being changed regularly and were being shared with colleagues too freely anyway.
Naturally, Flack and his team tried to improve user capability around security, and brought in a training supplier to do so. The problem: it just didn’t engage his users - which meant not only that it was an inefficient use of investment, but that his workload stayed basically the same, as he still had to keep reiterating security awareness basics all the time.
They just didn’t want to do [the training supplied]; they didn’t like it, they didn’t enjoy it, and they didn’t see the need for it.
The good news is that after a market investigation into better options, Flack seems to have genuinely identified a new way of trying to do this.
Our new security training campaign has definitely better equipped staff with the tools needed to acknowledge IT security threats inside and outside the organisation.
There are a number of metrics I can use to show this has been a real success, with the most important one perhaps that the ratio of phishing emails that get inside the walls has dropped from that far too high 37% to more like 2% this quarter.
So I can say it’s definitely changed behaviour. A colleague in Finance told me how she’d been called up by someone claiming to be from the bank, but because of the information she got through that ‘Inside Man’ series, she got rid of them very quickly, and she was really proud of having been able to spot the social engineering attempt herself! It’s great to see so many ‘light-bulb moments’ now, when they see or hear of security threats.
Setup of the internal training portal was really easy, and inside a day I had the entire list of training candidates ready, a full plan for all the content I wanted to start offering on a three-month basis, and a much larger selection of material, too.
What we spend with KnowBe4 is less than with our previous training provider, and we’re getting a hell of a lot more bang for our buck.
Sadly, those new iPad mails don’t get opened any more
Well, that might be a matter of perception from the top… what’s the actual reaction across the company? While probably more IT-savvy than the rest of the team, his colleague Erin Kennedy, senior business analyst, gives a firm thumbs-up to this way of working:
The new content is interesting and engaging, and has made me more security-aware both at work and at home. As employees, we're definitely more aware all round now, I think.
For Clive Donovan, systems administrator at these twin Irish non-profit organisations, summing up the impact of this way of delivering IT security training is very simple:
This has been a very effective way of increasing IT security awareness, as it is so much more engaging for people.
The verdict seems clear:
You can keep banging on at users not to open those Lottery and new free iPad emails if you want to.
But you really might save yourself some time and trouble - and improve your overall information hygiene - if you find better ways to get the message across.