Stay Informed with the Gone Phishing Podcast | Phin

How to Improve Security Awareness Training

Written by phin | Mar 7, 2024 8:30:23 PM

Transcription:

Connor Swalm

Welcome to Gone Phishing, a show diving into cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swam, CEO of Phin Security and welcome to Gone Phishing. Hey, everyone. 

Welcome back to another episode of Gone Phishing. I'm your host, Connor, CEO at Phin Security and today we're going to be chatting about how to improve your security awareness, training for your clients at an MSP, and more importantly, reduce the risk. Reduce the risk of a breach. That's the reason we use tools, that's the reason you all provide security service, is to reduce the risk that your client is going to have a successful breach. 

So one of the biggest problems I usually see is struggling to get buy in from the clients when it comes to awareness training, deploying it, buying it, you could use any variation of those. But getting a client to buy into an extent where they're willing to pay for you to provide a security awareness training program to build it, deploy the tool, manage it, whole nine yards, there's usually a couple of things MSPs struggle with. First and foremost is communicating value. 

So when it comes to stories that I've heard from partners of ours and partners that are not partnered with us here at Finn is the biggest complaint that people tell us about is, oh, I don't need this. I'm not the risk. And so maybe you were in a conversation just like this where you're talking with your client, you're like, hey, Mr. Or Mrs. Stakeholder, you need security awareness training. You need to be more secure. You need to do phishing, you need to get all these videos, you need to have training on these topics. And their immediate response as the leader of an organization is to say, I don't need this. I'm not the problem. And in the back of your mind you're thinking of a few things. 

First is you're the person at the top of the organization, so you are quite possibly the most targeted individual. And then secondarily, if they haven't set up their access correctly or if they haven't been using you to do that, they're also the person with the most access to sensitive information, access to other people's accounts or even the money of their own company. So as a result, not only are they the most targeted, but they are quite possibly the richest target at that company for any malicious actor to end up targeting. And so what you get is there's the stakeholder that believes they're not going to be targeted, that they have nothing of value to steal. And the reality is they are the most targetable and they are the most valuable person to target an organization. 

So it's like kind of very disparate in reality and their perspective. 

And usually when this conversation occurs, I don't hear people explaining, or rather they're not telling me the stories of how they then explain this to the stakeholder. A couple of things that we've done is we've made it very clear you're not going to get long and obtuse training unless you demonstrate a need for it. So unless you're actively giving away your credentials, or unless you are actively getting fished, or unless you are actively behaving. 

In some other way, that generates additional risk for the business. You're not going to get additional training to prevent it because you've not demonstrated a need for that. And we haven't found one. 

The second is I still hear a lot of people of using acronyms, even I'm guilty of it at some points. 

Because saying the words security awareness training, that's a lot of syllables. So sometimes using that, not something I want to do. However, I'll draw from an experience I had in college, is when I was talking to anyone about any math that I enjoyed or any subject that I was learning, I needed to talk about it in terms and at a level that they understood. It was my job to bring my knowledge and my expertise, which is all of you with great experience in it and great experience in security and providing all of these services, sometimes for multiple decades in a row. You need to find a way to communicate to a person who's not as technical, who has another business of their own, who's doing other things. But you need to communicate to them in such a way that they understand exactly the value that your business provides. 

So all of this culminates in if the stakeholder is not going to get excited, if the stakeholder is not going to get involved, and you can't communicate them to them in such a way that they understand the value of an effective awareness training program. What do you think is going to happen to the people that report to that stakeholder and that client? What do you think is going to happen to the newer employees? What do you think is going to happen to just the people who show up to their job? They want to be safe and they want to do good work. 

If the stakeholders not bought in any way, shape or form, and I've seen this time and time again what will end up happening is that the end users, the folks at the company that really need to buy in and understand the threats that surround them. 

On a consistent basis, they don't care. They're not going to end up caring about it because it's not impressed upon them. Why are we doing this? Most of cybersecurity to most people is this black box of complete misunderstanding. They have no idea what any of the acronyms mean. 

They have no idea how it works. 

And frankly, they also don't want to. They don't care. And it's our job as practitioners to explain it to them in such a way that they do have a little bit of understanding of how things work. Why is multifactor authentication important? And if you start using acronyms to explain that, as opposed to saying something along the lines of, well, if your password gets stolen, that other thing that you need to get into your account isn't stolen just yet, so they can't get in with just that piece of information. 

If you're not explaining it in ways like that, and basically terms that are going to get them to care and understand about things, it's just going to fly right over their head and they're not going to buy in. 

So what are some things you should be focusing on to reduce the risk of a breach? When it comes to awareness training? First and foremost, a lot of buying decisions for awareness training that our partners tell us about are driven by one of two things right now. So there's two things that drive it. It's cyber insurance will require it directly, or there is a compliance framework that you or your client hold above and beyond all others and you decide to be compliant with that. 

If you don't have a security framework. That you genuinely, I guess, genuinely care about or want tout, as a good approximation to follow, you could look up CIS controls and 800 Nistane higher. 171 is a good place to start. Right? 

That's a good starting line. And then, especially if you're getting into the CIS controls of, like, if you're getting into implementation group two and implementation group three, you can actually create some additional security above and beyond a baseline. So compliance, cyber insurance, that drives most purchasing for awareness training. 

So what I'm trying to get at is what is not driving the purchasing decision, but should is a culture of security that aims to reduce risk. And so a culture of security would look like people not ignoring the training that's getting put in front of them. Understanding basic security principles, even though it doesn't have anything to do with their direct job description. What I've seen companies do now that I think is actually really cool is they will put into the job description that part of this employee's job is to conduct themselves safely and securely from a cybersecurity perspective and they'll actually put.

It's your job to understand basic cybersecurity principles so that you can implement them on a consistent basis and keep the company safe. And I think that's really cool if we're bringing security to the forefront of an average individual's mind, of a person who just wants to show up to their job and do great work and quite possibly is not even technical, and their job doesn't require that they're technical in any way, shape or form. If we're bringing their mindset into this and setting that expectation from the very beginning that they have to conduct themselves in certain ways because it reduces risk. Because it'll allow the business to move forward in the event that there is a breach, there's not going to be an incredible interruption in business activities. 

So basically what I'm trying to get at is the greatest thing you could do to actually reduce the risk of a breach is to create this culture of security. I'll say one of the greatest. I won't say the greatest. 

Right. 

There's always many things you could do, and every client and every environment is vastly different. But creating a culture that all the way from top down, stakeholders have bought into, then their direct reports, I. E. The managers have bought into, and then the employees have bought into, is very important. 

One thing that we do at Phin is we create a welcoming program before the training, before the phishing, before the security awareness pops off in any way, shape or form, it's, hey, you've been enrolled. Give them a little thumbs up. 

Says, this is exactly why you are enrolled in this training. You're enrolled in it because it's super important. You're enrolled in it because your leaders at your organization have bought into it. 

And really understand that it's a great way to reduce risk and keep the business afloat in several different ways. And here is exactly your piece in that. You're going to be expected to do training on roughly these topics because these are incredibly relevant to keeping you secure. 

And as a result, keeping the business secure as well. 

And then if you fail assessments, if you don't do well in the quizzes. Here's what's going to happen. If you do well in the quizzes. If you demonstrate that you're going above and beyond and you really recognize and understand cybersecurity above and beyond what we expect. Here's exactly what will happen to you. 

So it's just bringing the program to the user and saying, hey, here is what's expected of you, here is a description, and here's frankly just what we need from you for these reasons, and being that honest with people, has a great impact on their ability to buy in. 

So if I had to give a list of three things that you could do to get started in that, I would say first and foremost, sell the value and the relationships. 

Don't sell the tool. So don't say, hey, we're implementing x awareness training tool. 

Like, don't even say you're implementing Phin, if you're listening to this and you're a partner versus just, hey, we're implementing security awareness. It's going to introduce some topics, it's going to introduce some training, it's going to introduce some simulated phishing, simulated social engineering to your employees. We're going to try to understand are they capable of recognizing threats that are going on around them consistently? Are they well trained to handle them when they do occur? 

And if the answer is no, well. 

We're going to work on that. We're going to give them additional training, we're going to fish them in additional different ways, and we're going to teach them what it actually looks like. You sell the value, don't sell the tool that you're using. 

Second is be a security expert or hire a security expert or partner with one. You don't need to be an expert in everything. So if you don't understand something yourself in security, how possibly when you're communicating to your client, can you expect them to understand what's going on as well? It is no shame to end up partnering with a security expert or consulting with one. VCIOs are incredibly popular, which feels like it's gotten a lot more popular in recent years. That's largely due to the increased importance of cybersecurity and recognizing that there's a gap, that there's a lot of things you don't know. 

And third is experiment with bundling services and tools. What I mean by that, you can always build a custom fit solution to your clients. You can always let them pick and choose things. But however you are this trusted resource, you need to be this expert. You need to be able to recommend here is exactly why I think you should do X, Y and A and B and C and nothing more, nothing less. Because it'll create this level of security in your company. And so if you have a bundle. 

Whether it's split into three tiers, you have the basic, you have the advanced, and then you have the business advanced. Or something like that. Three levels that create different levels of security, different levels of oversight that will have different services included in it that you'd like to offer. Start experimenting with that and see what your clients expect. Maybe go ask some of your trusted clients what they would have done or how they would perceive things if you would have presented them with a plan that was custom fit to them. 

So those are the three things that I would recommend you do to start. 

Implementing awareness training today is sell the value, be an expert or partner with one at the very least. And the third is bundle it into your tools. Don't offer it as an ala carte awareness training if Verizon's data breach and investigation report is accurate and it is interpreted correctly, 88% of breaches involve a human doing something they shouldn't, having their credentials abused, or some variation of a human making a mistake. So it's an incredibly important thing that needs to be addressed. 

If you have any questions, feel free to reach out wherever you can find us on LinkedIn or on our website. Website will be in the show notes it's P-H-I-N-S-E-C dot IO. Always happy to chat, always happy to educate. And you can find a bunch of videos on topics around security awareness on YouTube as well. Once again, I am Connor, CEO at Finn, host of the Gone Phishing podcast, and I will see you next time. 

Thanks so much for tuning in to Gone Phishing. 

If you want to find out more about high quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits then check us out. Phin Security at Phinsec.io. That's P-H-I-N-S-E-C IO or click all of the wonderful links in our show notes. Thanks for fishing with me today and we'll see you next time.