user education for security

Three Steps to Better User Education for Security

December 20, 2017 | By

Does this sound familiar? You’ve conducted user trainings for your employees, going over the basics of security and what to look for when it comes to phishing, ransomware, and other online threats. You’ve reviewed password security with them, explained how to secure their devices, and even given them examples of real-world attacks.

Then one day a phishing attack comes in via an email to your employees. Several of them open the email, which takes them to a realistic looking Office 365 site where they are asked to enter userid and password. Several of them click. BAM! The attackers are now in their email boxes and can pilfer anything there along with send emails as the victim to either your employees or your customers. Both mean bad news to you, but what went wrong?

User Education Works… When it’s Done Right

The above is a story that was told over on Spiceworks, but I’d be willing to bet it sounds pretty familiar to you if you work in IT. You’re conducting user training, so why isn’t it working?

The problem isn’t user education itself. I’m a big believer in user education. It really works.

But to have the biggest impact, you have to be realistic about user behaviors and tendencies. You have to be realistic about the fact that we’re all human, and for those of us who don’t do IT or security for a living, it’s easy to forget basic security hygiene.

One of the biggest things you can to do improve your user trainings and really get the information to sink in is to engage your users. Get them talking to you about the phishes they see. After something goes wrong, talk to them about what the attacker was trying to do them, then do something with that data. (Like block the malicious domains you see with Strongarm!)

Beyond this, here are three other tips to make your user education and training more effective.

  1. Start with Briefings to Your Executives

They need to understand the risks of an attack and apply it to their business units. HR is going to get hammered with W-2 fraud. AP is going to get lots of CEO Fraud emails. Sales and R&D will see phishing attacks to steal passwords. Bring these to their attention in a way they can understand — how it can impact their people. Once you get buy in from the top, they can become your advocates inside each business unit.

  1. Reinforce with Stories

Some of our customers like to get out of their office and tell stories in people’s offices or before meetings. One of our customers regularly sends stories of phishing attacks. His favorite way is via their company newsletter. It’s small and concise and meant to be a conversation starter.

  1. Keep an Open Door

Get people talking to you about phishes. This means you need to break down the fear and shame of being a victim. Openly talk about phishing attacks. Offer to take a look at emails for people before they click. Get them sending suspicious messages over to you. I guarantee it will get the conversation started and keep your organization safer.

User Education Matters

User education is one of the most effective things you can do to protect your organization against a wide range of security threats. It just needs to be done in an effective and efficient manner, and it has to be repeated over time so it doesn’t go stale.

Strongarm helps you achieve these goals in a number of ways, from offloading the analysis of user reported phishes to helping you highlight which parts of your company are getting attacked to protecting your users when they click. Try Strongarm free to see how we can help!