Developing The Human Firewall: Implementing Effective Security Awareness Training

A statistic that most of us will likely have heard in the past year, is that a staggering 90% of security breaches are caused by human error. Whether this is by users clicking on malicious emails or mistakenly disclosing sensitive information to a fraudster. 

To tackle this issue, organizations are increasingly implementing security awareness training solutions that are aimed at educating and training employees to spot malicious emails and attacks, and to think before clicking.

Security awareness training often uses a combination of online training materials, courses, quizzes, and minigames, paired with phishing simulations. These are fake “phishing” emails that security teams can send out to test their users’ knowledge in a safe environment, often using real-life phishing examples that their business has experienced. 

Founded in 2018, Boxphish is a UK-based security awareness training provider. They deliver an automated security awareness training solution for organizations, that includes both training courses and simulated phishing emails.

We spoke to Nick Deacon Elliott, VP of Sales & Operations at Boxphish, to find out more about the current issues in the awareness training market, as well as how organizations can best approach training their users. 

“We’ve seen a big boom in the last six months, with organizations adopting security awareness training that previously didn’t have a training solution in place,” Deacon Elliott tells us. “People are starting to see the importance and value of having an empowered and trained workforce.”

But what are the best ways for organizations to empower and train their users?

Bringing Content To Life

Traditionally, one of the key issues for end-users when it comes to awareness training has been unengaging content and dull methods of delivery.

“Traditional data and InfoSec methods of learning aren’t that well-received among users,” Deacon Elliott explains. This is especially when training is delivered via hours-long, unengaging PowerPoint presentations, as a one-off once a year. “That’s very low value, in terms of the information that gets retained by the end-user.”

Instead, the best way to deliver training is via bite-size, ongoing segments, as opposed to long, one-off sessions. And for maximum engagement, awareness training should be relevant to not only a user’s workplace environment, but personal life too.

“Looking at your personal digital life, key concerns are shopping online safely, avoiding phishing attacks, managing passwords, working from home, setting up Wi-Fi, and more. So rather than focusing solely on workplace environments, at Boxphish, our content looks at a user’s entire digital life.

“We break that content down into modules that play around five minutes each. The first half of the session is an engaging training video, and for the second, a multiple-choice set of questions or interactive game.

“Our content brings the training to life—rather than users watching a few slides and switching off a few minutes in,” Deacon Elliott says.

So, why does Boxphish steer away from longer training sessions and, instead, opt for shorter, bite-sized pieces of content? For Deacon Elliott, it’s about finding the right balance for users, and being as least disruptive to their daily lives as possible. 

“If training is too frequent, it won’t be well received. Everyone’s busy!” he explains. “Instead, it’s about implementing digestible pieces of training. And for us, once a month feels about right.”

Understanding The “Why”

At the heart of any strong, security-aware organizational culture is an understanding of the responsibility each employee has in keeping both themselves and their organization safe from cyberthreats. 

“The responsibility of the system sits with the IT team,” Deacon Elliott says, “but in terms of end-user behavior, it’s very difficult for the IT and security teams to control that. 

“Around 90% of successful cyberattacks are caused by human error—be that someone clicking on something they shouldn’t have or giving their credentials away. So, we believe it’s important for everyone to feel accountable for what they do behind their PC. Then, as a collective, that organization will be in a far better place.”

But how can organizations best encourage this collective responsibility in a way that drives it home to users?

The “why” should be explained to end-users at the point of launching a program, Deacon Elliott explains. Why are organizations implementing phishing simulators, and mandating that they sit through ongoing training videos and courses? And how does it ultimately impact not only the organization, but them as individuals? 

“Everyone knows somebody who’s been impacted by fraud, or a scam, or cybercrime of some kind. We see in the papers—almost daily—huge ransoms being demanded, companies going bust, and the fallout from data breaches being astronomical. And real jobs are at risk as a result. It’s a real threat, a real problem,” Deacon Elliott says.

“I don’t think there’s any kind of reasonable end-user who wouldn’t put in the effort to keep themselves safe online if they understood these risks and the ‘why’.” 

But as well as outlining the risks to users, it’s important to outline the benefits too. 

“You’ve got to remember that the great knowledge you’re picking up from the training is just as effective and important in your personal life as it is in your work life,” Deacon Elliott adds. “There’s a shared benefit.”

Leading With The Carrot

So, how can organizations emphasize this shared responsibility across all staff, while also ensuring users are in an encouraging environment—as opposed to one that punishes and blames them for mistakes?

“You can’t be leading with a punishable kind of culture,” Deacon Elliott advises. Alongside ensuring end-users understand the “why” early on, it’s also important to deliver remediation in the right way. 

“It’s around the positioning. If, for example, an end-user clicks on a phishing simulation and they’re put on a naughty list in the staff room or met with a kind of punishment, that is completely the wrong way to go about it.”

Instead, when a user falls for a simulated attack, the training program should highlight to them what they should’ve spotted in an encouraging and educational way. The training should then provide them with the extra support that they need to avoid making the same mistake in future—through education and encouragement, rather than punishment. 

“It’s not about leading with the stick—it’s around leading with the carrot,” Deacon Elliott says, “and reinforcing the message of how important the training is while encouraging good security practices.”

So, how does Boxphish’s solution work to encourage good user practices?

The Boxphish Solution

“We deliver solutions to develop the human firewall,” Deacon Elliott tells us. “In terms of key challenges that we help our customers address, it’s initially just identifying any vulnerabilities or weak points within their organization and addressing those.”

There are three key stages to the Boxphish solution. First, is identifying these underlying issues. Second, is rolling out continuous bite-sized learnings to users once per month—additional training can be given to those who click on simulations and require the extra support. And third, is pulling this data together into a comprehensive report. 

“We refer to the initial process as a human pen test—we run a series of attack simulations that show us what’s going on at that organization. We can then design an effective program to start plugging those gaps.

“We can then pull all of this data together and deliver what we call our ‘Human Risk Report’, which is a dashboard showing vulnerabilities and areas for improvement across the organization.” 

The solution is also tightly integrated with Office 365, and is not only non-invasive for users, but a pain-free experience for admins.

“Time isn’t often a spare commodity,” Deacon Elliott tells us. “We understand that CISOs, CIOs, and IT managers are all pulled from pillar to post—particularly over the last 18 months with the pandemic. And so, we’ve paid a lot of attention to making our solution as admin-less as possible.

“What we’ve done is invested heavily on the automation side. So, you could spend about an hour setting up our platform, and then that could run without you touching it again for over a year, easily.” 

Advice For Organizations

With an estimated 7 in 10 businesses currently not investing in awareness training or education for users, Deacon Elliott’s advice to these is to be proactive. 

“We hear far too often about organizations believing that they aren’t a target, and that they don’t have valuable or sensitive data. And it’s completely the wrong mindset,” Deacon Elliott tells us. “You don’t need lots of payment details or sensitive information for your data to be valuable. If your data is essential for you to run your company, then it has value.

“So, my advice is, firstly, don’t think that you’re not a target—because everyone is. And, secondly, look at being proactive and getting on the forefront of the issue.

“I think we’ll see more businesses adopting awareness training in the future. And I wouldn’t be surprised if it becomes more engrained into compliance regulations and insurance policies.

“Awareness training should be part of a company’s DNA, particularly if they have remote workers that don’t have the IT team in the same building.

“At Boxphish, we’ve got a great product, great people, and we can add a lot of value very quickly.”

Thanks to Nick Deacon Elliott for participating in this interview. If you’d like to learn more about the Boxphish platform and how it works, visit their website here: https://www.boxphish.com