Security awareness training (SAT) platforms aim to transform employees into cyber warriors by teaching them security and privacy best practices, as well as how to identify and respond to cyber threats.
An effective security awareness training program can have a huge impact on the way that your employees respond to threats such as phishing and account takeover attempts, as well as help foster a positive culture of security throughout your organization.
But unfortunately, many companies are delivering ineffective training—be that due to uninspiring content, undue pressure to perform well in simulated threat campaigns, or the simple fact that it’s only delivered once a year, which makes it difficult for users to engage with and retain the information.
To find out how organizations can implement engaging, relevant security awareness training that reduces cyber risk and promotes a culture of security, we spoke to Travis Good, Co-Founder and CEO at Haekka. After completing a Master’s in Information Systems, Good joined the cybersecurity world as a consultant, carrying out white hat penetration tests, security reviews and privacy reviews. In 2013, Good co-founded Datica, a security and privacy platform built around AWS to help healthcare companies meet HIPAA requirements for cloud resources.
During that time, Good struggled to find a robust, engaging tool to train remote and hybrid employees around security and privacy best practices. Thus, he decided to create that tool himself. In 2020, with the support of Co-Founder Ryan Rich, Good founded Haekka as a solution to delivering engaging, relevant content that helps hybrid employees make better security and privacy decisions in the work they’re doing every day.
Who is your typical customer base, and what are the main challenges you’re helping them solve today?
Almost all of our customers today are hybrid or fully remote companies. About 80% of them are based in the US, and most of the rest are based in Europe. And they range in size, all the way from about 20 employees up to about 10 or 11,000 employees.
The reason they come to us—and the challenge that they want us to help them solve—is to make it simpler to create, administer and track security awareness training from a management or administrative perspective. And from the user side, they want to be able to integrate that training into the flow of work, which means integrating it into the tools that employees are using every day. That’s our unique sweet spot, from a value perspective.
So that’s the problem that we solve for them. Ideally, we want to improve the way that security training is done so that it’s more engaging, and we ultimately want to improve the security hygiene and security IQ of their employees.
One of the key differentiators of Haekka is that the training is delivered via Slack (as well as your web portal). What made you design the platform in this way, and what benefits does it offer your customers compared to a more traditional LMS?
We wanted to build a platform that was integrated with the way people work and where people work. And today, if you’re a company that uses Slack, a lot of your time is in Slack. If you’re on the Microsoft side and use Teams, then a lot of your time is spent in Teams—and we currently have a Teams app in development.
So, we really wanted to integrate the training into the work that people do every day. We wanted it to look like the notifications that they’re getting in Slack from other applications, or the conversations and messages that they’re sending and receiving in Slack. We wanted it to be what we call “Slack native” so that it would feel like what they do every day, rather than being something for which they were required to create a new login or go to a different application to open something up.
We do offer training on the web, but we find that 99% of our users complete training within the Slack app. So, it really is Slack that’s driving it.
And one of the things that’s unique about what we do is our integration with other apps like Google Workspace and Human Resource Information System apps, and we have a lot more SaaS apps that we’re building integrations for. These integrations enable us to assign training or deliver a tip or security advice—in real time, within Slack—based on the actions and events that people are taking in those apps that may have some type of security or risk implication.
The feedback that we get from doing that, and from having Slack as a sort of anchoring point from a content delivery perspective, is really, incredibly positive. Our customers are excited about it, so we’re excited about continuing to double down on that.
As well as enabling admins to schedule training, Haekka plans to introduce event-driven training in its next iteration. How does event-driven training work, and what makes it so effective?
Our roadmap is really focused on end user SaaS applications, and less on security applications, security platforms or event management tools, which some other security training platforms integrate with.
The reason for this is we find that, for our customers, the vast majority of work is done within these SaaS applications. And when we talk about human risk and employees being the last line of defense, a lot of that is driven by what they do in those applications. So, take Google Workspace as a simple example: When somebody shares a file in Google Workspace, we get an API event—a trigger—from Google. And that then triggers us to send a “tip”—a piece of security advice—to the user. This is all fully customizable, but the default is to send them a tip around file sharing and permissions, and guide them on best practices related to that specific workflow of sharing a file specifically from Google Workspace.
It doesn’t take long for the user to read and engage with the tip, but we’re doing this on an ongoing basis and we’re training them in the things that they’re actually doing.
We have ways to mute or snooze to ensure that people don’t get 20 of the same notifications in a week or a month, but the idea is that we can deliver relevant, hyper-contextual training in real time based on what employees are doing.
And the benefit of this is that people are engaging more with that content and retaining more of it, because it’s relevant to the actions that they’re taking in that moment.
Is your event-driven training delivered in the same scenario-based format as your general security awareness training content?
It’s interesting that you mentioned that! We don’t typically send our default messages and tips around events in apps like Google Workspace, Figma, GitHub, etc., in a scenario format in the same way that our more “traditional” security awareness training or privacy training would be delivered.
But really, it is scenario-driven in the sense that we’re delivering training that relates to a real scenario that the user is currently living through. So, the scenario is that somebody’s sharing a file, and we’re providing them with training around sharing that file. It’s not written to create a made-up scenario, because it is actually based on the scenario of somebody doing something in one of these applications.
The messages sent in our event-driven training tips are fully customizable by admins. But the defaults that we share are things that you would see in a Google Workspace user guide. Going back to the example of file sharing, we’d let them know that sharing files publicly is something to be wary of, depending on the type of data in that file and whether that’s something that anybody with the link should have access to. We’d suggest that the user shares the minimum access necessary, and give them some guidelines on how to set appropriate permissions.
In the case of this specific example, there isn’t necessarily a right or wrong answer; there are files that people may need to share publicly—like an image or a public blog post, for example—and there’s no risk of sharing those publicly. But we want them to be able to make an informed decision about that. So, we provide them with guidance and best practices. And a lot of the best practices for those applications come from the actual app provider, be that Google Workspace, GitHub, or anyone else.
Event-driven training benefits end users by providing training in a more relevant context. What benefits does it have for admins, and the organization overall?
One of the really big benefits that admins get from Haekka—not just from the event-driven training that we’ve been talking about, but even from assigning more traditional security awareness training—is that we provide them the ability to put that training on autopilot.
So, let’s take a typical company that wants or needs to do some form of security awareness training as a requirement for a SOC audit. But they also want to be able to deliver continual, engaging and relevant content. In that case—and this is the most common way that a lot of our companies onboard—they’ll sync their Slack workspaces with Haekka, so all their employees will automatically be enrolled into a security awareness course—either one that we provide or one that the customer customizes. As they then add new employees into Slack, those employees are automatically enrolled with Haekka and given their admin-assigned amount of time to complete their training courses.
Whatever that length of time is, we handle the reminders, collect the evidence, generate certificates—we do all of that for them. So really, they’re able to set it and forget it, without having any new accounts for them or for their users to manage.
Admins can track the progress of each user either in Slack or in our web-based admin dashboard, and they can onboard these additional SaaS applications, choosing whatever actions they want to track. Once they’ve integrated these apps, they can choose to have those actions trigger default responses from Haekka, or they can customize the responses themselves. They can get administrator notifications.
Haekka really runs in the background. It’s fully automated, and we take care of all the different aspects related to security awareness training, but specifically training related to any events of insecurity or risk-based events within all these applications. So, regardless of how the company grows, within five minutes, they can ensure that their training runs throughout the year and renews according to the renewal period they set with us.
We recently did a survey that found that 100% of admins and around 96% of users felt that using Haekka in Slack saves them time on security awareness training. That’s because it makes it super simple for admins to take care of their training requirements, within a programme that they’re already using, with IDs and accounts they already have.
What would your final piece of advice be to organizations struggling to implement effective, engaging security awareness training?
Whether you use Haekka or you choose to use somebody else, my advice would be to get started as soon as possible, and to engage with your users. This is something that we encourage all our customers to do: to get feedback on every piece of content and then continually improve and iterate on that on an ongoing basis.
You also need to choose a product that delivers this training on an ongoing basis, and certainly much more frequently than annually.
Annual training used to be the standard and is generally the “check the box” requirement for a lot of audits. But when companies only deliver training annually, it really speaks volumes about their security culture. You can talk about security being important, but when people just take some training at their onboarding and then on their employment anniversary each year, it suggests that security awareness training is something that isn’t important to the company. I think that’s a big thing that people sometimes miss within the security industry.
So, going beyond that is something that’s really important, not just to reduce the risk to your business, but to really promote security as an important part of your culture.
Thank you to Travis Good for taking part in this interview. You can find out more about the Haekka platform via their website.
Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.