How to Train Employees in Information Security Related Issues Efficiently - SearchInform

18.09.2023

Sergio Luis Bertoni, Leading Analyst at SearchInform

Approximately 66% of information security incidents turn out to be unintentional violations by employees, and in 14% of all cases employees become the “entry point” for external intruders. Specialized software helps to cope with this issue; however, it is impossible to protect an organization efficiently if its employees are not competent in information security matters. Quite often the task of organizing educational courses is delegated to staff members who do not understand how to deal with it. So, what can be done to make training really useful?

SearchInform experts train a few thousand people annually. Trainees include employees of state bodies and large corporations operating in numerous business spheres, who work with clients’ and citizens’ personal data. Their awareness and vigilance thwart intruders’ intentions. In this article, I will share my observations, based on practical experience in developing educational courses.

What to teach users

Social engineering methods have been the focus of attention for the last few years, and information security officers have accordingly concentrated heavily on this issue. However, attack methods are not limited to phishing and other social engineering techniques. What else is there? For instance, cracking of weak passwords, reuse of corporate passwords to protect private accounts, and failure to implement two-factor authentication. What’s more, people tend to forget about their own responsibility for accidental or deliberate data exposure.

Below is the list of aspects which I recommend addressing during training sessions:

  • Which social engineering techniques fraudsters use – the list ranges from manipulation via email to the use of deepfakes
  • Information security rules when working remotely and on business trips – SSL, VPN, etc.; organizing communication, holding meetings and exchanging data when working remotely
  • Rules for password policy and two-factor authentication – it is important to explain to trainees which kinds of passwords are reliable; where a password may be kept and whether it is feasible to remember passwords; why it is much easier to guess a user’s password than it seems
  • Digital hygiene – how to behave on social networks, how to use public services and other resources
  • Rules for working with corporate information – explain what a trade secret is and who owns corporate data; describe responsibility for data exposure, etc.

How to organize the education process

There are plenty of options for training employees in information security related issues, including but not limited to lectures, games and practical training. Thanks to new services and platforms, training may be conducted both offline and remotely. There are up-to-date platforms which enable users to develop their own courses absolutely free of charge, and some ready-made templates are also available.

Learning through games: make your own information security game and prepare a list of questions referring to it; make an information security quest; use games by vendors.

Combat training: GoPhish.

Online education: Moodle and analogues, Google Forms.

Nevertheless, in real life the most widespread practice is a perfunctory briefing. In a sphere as abstract as information security, that is absolutely useless.

People tend to underestimate the significance of data protection and do not realize that an incident will affect them as well. That is why, no matter which education format you choose, it has to be complemented with gamification and practical training elements.

Based on my experience, I can say that the following activities usually impress people most of all:

  • Demonstration of how a password can be cracked in just a few minutes
  • Obtaining data on employees present in the auditorium in real time; the existence of OSINT methods turns out to be a revelation for many users
  • Conducting a phone call from a fake telephone number (Caller ID spoofing demonstration)
  • Quickly copying a person’s voice or face (deepfake demonstration).

How to make the education process more efficient

Even if the training course is well developed and all the crucial aspects of digital literacy are covered, some shortcomings can make the education go for naught. Below is the list of the most dangerous mistakes.

1. The training process is based on rote learning instead of understanding how attacks work

One common mistake is that users are not trained to understand the principles of how a cyber attack is performed. Instead, they are trained to detect specific attributes of a cyber attack. For instance: if there is a green lock in the address bar, everything is surely OK. Another misbelief is that if the sender’s address is correct, everything is fine. According to the FBI’s Internet Crime Report 2021, BEC/EAC attacks resulted in $2,395,953,296 in losses. Thus, BEC turns out to be one of the most efficient techniques for conducting an attack. It is important to note that BEC attacks are based on users’ trust. That is why it is so important to make sure that employees really understand how an attack is performed.

Fraudsters refine their attacks faster than information security officers update educational courses. That is why it is so important to understand the mechanisms of attacks and the motives behind them; then users will pay attention not only to specific attributes of fraud, which may not be so obvious. Employees must understand that it is technically possible not only to make the sender's address look like the real one, but also to replace it completely.

That is why it is important, for instance in the case of phishing websites, to train people to recognize fraud based on a set of attributes:

  • Incorrect spelling of the website address
  • Suspicious content
  • Imitation of functionality
  • Payments may be made online only
  • Lack of a physical address.
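The two points above, that a sender address can be imitated or replaced outright and that fraud should be recognized from a set of attributes rather than a single one, can be shown with a small header check that an awareness trainer can run in front of an audience. This is an added example, not SearchInform code; the mail headers and the trusted domain list are constructed for it.

```python
import email
from email.utils import parseaddr

# Constructed sample headers (not real mail): the display name and a
# near-identical domain imitate the trusted company, and replies are
# steered to a third domain. A "correct-looking" From alone would pass.
SPOOFED = """From: "Anna Ivanova (CEO)" <anna.ivanova@examp1e-corp.com>
Reply-To: finance-desk@mail-examplecorp.net
Return-Path: <bounce@mail-examplecorp.net>
Subject: Urgent wire transfer
"""
LEGIT = """From: "Anna Ivanova" <anna.ivanova@example-corp.com>
Return-Path: <anna.ivanova@example-corp.com>
Subject: Quarterly report
"""

TRUSTED = {"example-corp.com"}  # assumed list of the organization's own domains


def edit_distance(a, b):
    """Levenshtein distance; used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Domain part of the address in a header, '' when the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def analyse(raw, trusted=TRUSTED):
    """Return a list of findings; an empty list means no attribute fired."""
    msg = email.message_from_string(raw)
    sender = domain_of(msg["From"])
    findings = []
    if sender not in trusted:
        near = [d for d in trusted if 0 < edit_distance(sender, d) <= 2]
        if near:
            findings.append(f"sender domain {sender} is a lookalike of {near[0]}")
        else:
            findings.append(f"sender domain {sender} is not a company domain")
    # A From that matches but Reply-To / Return-Path that do not is the
    # classic sign of a replaced sender: replies go somewhere else entirely.
    for hdr in ("Reply-To", "Return-Path"):
        other = domain_of(msg[hdr])
        if other and other != sender:
            findings.append(f"{hdr} domain {other} differs from From domain {sender}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, analyse(raw))
```

The spoofed sample fires three separate attributes, while the legitimate one fires none; the lesson for trainees is that no single attribute (a correct-looking name, a lock icon, a familiar address) is proof on its own.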

2. Training sessions take place too often or too rarely

The optimal scenario may be to organize large-scale information security training (for instance, training sessions) at least once a year.

Ordinary training (for instance, simulated phishing attacks, lectures on social engineering techniques covering the newest methods and topics) should be conducted more often – approximately once a quarter.

However, it is important to understand that more frequent training has a negative effect. Let me explain with the example of passwords. If you ask users to change and remember passwords too often, they will quite often invent a new method to ease this task. For instance, the patterns depicted above may be used.

The situation is similar in other cases. For instance, employees understand that the information security officer will simulate a phishing attack again. It is very difficult to write an original script for the training sessions if they take place often. As a result, people tend to respond to threats mechanically and vigilance decreases.

3. No one is interested in the training results

What should one do with those employees who do not want to follow the rules? This question is not within the competence of an information security officer, but I personally recommend the following: before proceeding to plan the education process, reach an agreement with the executives on methods of motivating “diligent students”, as well as on sanctions for those who sabotage the training process and do not put the acquired knowledge into practice. After all, what is the point of studying well if nothing is at stake for poor study?

4. Information security specialists do not adapt their strategy to the specific audience

Information security specialists are not professional tutors. However, it is not really crucial to be a professional and experienced teacher to train people in information security related issues. The education process for adults differs significantly from that for children. Below is the list of the most important training principles:

  • Employees must take part in planning their education and in assessing its efficiency
  • The training should be based on real-life practical experience
  • Adults want to learn those issues which help them deal with their job duties or personal aims
  • Education for adults should be focused on problem solving, not on gaining theoretical knowledge for its own sake.

It is easier to consider all these aspects if the instructor has a deep understanding of the audience. Aspects such as experience and beliefs are among the most crucial. Understanding them enables the expert to mention illustrative cases or lifehacks that the trainees easily understand.

There is not much sense in organizing paper-based tests to find out which types of employees are present in an organization and what to expect from them. Our solution, ProfileCenter, does this automatically.

If it is impossible to find out who the group members are, some universal tools will help.

  • Rhetoric, or oratory skills in other words. This is a set of applied skills required to convey the idea to the audience at the level of both emotions and logic
  • Another useful skill is applying methods of attraction; in other words, building your image so that all employees clearly understand: if the information security specialist names some issue as really important, then it certainly is.

Conclusion

Educating all employees is not a panacea, however. Literacy in information security related issues does not guarantee that an employee will never open a malicious attachment accidentally. Understanding of responsibility is not a 100% guarantee against a deliberate leak. Nevertheless, compliance with digital hygiene rules reduces the number of incidents. If you start from scratch, it is a good idea to examine ready-made courses. However, it is important to develop them further, filling programs with practical cases and lifehacks which the audience can easily understand. But the most important thing is to build trust with the audience. Otherwise, there is little chance that the training will be successful.