Security Awareness Training Involvement – Introducing Scirge Personal Dashboard

Although the security industry has long proclaimed that user awareness is the cheapest and most effective tool for preventing incidents, business logic often seems to oppose this notion. Security technology manufacturers prefer to sell increasingly complex “platformed” systems, leveraging vendor lock-ins or Concorde effects, and cloud-based threat intelligence subscriptions. While the effectiveness of these solutions is not in question, their solid, measurable results are hard to ascertain.

Some of the blame must also fall on regulators, who often provide only very shallow descriptions of what the process and contents of training should look like. The recently updated NIST CSF 2.0, however, provides some decent implementation examples that hint at how proper training could be done. Here are a few examples:

Train personnel to recognize social engineering attempts and other common attacks, report attacks and suspicious activity, comply with acceptable use policies, and perform basic cyber hygiene tasks (e.g., patching software, choosing passwords, protecting credentials)

Provide role-based cybersecurity awareness and training to all those in specialized roles, including contractors, partners, suppliers, and other third parties

Periodically assess or test users on their understanding of basic cybersecurity practices

What are some important takeaways? Most employees should be trained in the very basics of cyber hygiene. Phishing and weak or mishandled passwords are still top contributors in most breaches, and every single employee is capable of attaining basic skills such as creating a strong password or assessing a suspicious email, SMS, or MFA prompt.

The role-based approach is another key aspect. High-level executives and people with more leverage and access within an organization should take more personal responsibility, as they will always be prime targets for spear-phishing, BEC, and other forms of attack. No training can be successful if the same message and depth are applied across an organization without considering individual skills, risks, and the actual tasks people touch during their regular work.

Assessment and evaluation of these skills are also very much advised, as nothing can be improved without measurement. We do disagree with testing, though, as it will likely become a painful time-killer, and with the help of AI, or Google, tests can be cheated quite easily anyway.

An approach that we recommend is to evaluate individual security practices based on what people actually do: which passwords they choose, whether they approve MFA prompts, whether they respond to phishing attempts, and so on. Some of these indicators are hard to manage, but with the right tooling, we should be able to assess and train our employees seamlessly within their regular workday.

Participation Over Education

The correct approach, in our view, rests on two pillars: firstly, involving employees in the entire lifecycle of the security issues that affect them, and secondly, precise measurement of their performance.

For instance, instead of general practices and complexity rules for password usage, if we remind everyone about the security of the specific accounts and passwords they create (or ask whether they have enabled MFA on an external portal), there is a greater chance they will take action. This can also be measured relatively easily by the number of weak passwords identified.

Similarly, instead of teaching data management principles, if we ask employees about the personal data they handle in specific applications they frequently use, we can gather more valuable information about actual business processes. This may also prompt more thoughtful data management decisions next time, measurable by the alerts from DLP systems.

Personalized and role-based training presupposes that we have some information about what our employees generally do, what risks their activities might entail, and how to draw their attention to these risks. The moment we provide (or request) feedback based on this information, training transforms into two-way communication. Instead of assigning homework, we can ask them to engage in activities that incrementally improve the organization’s risk posture. Different solutions and technologies may be suitable for this, but correct cloud usage and password hygiene are certainly two foundational pillars worth building upon everywhere.

Scirge Personal Dashboard

Scirge’s personalized training platform can host a mini-portal with unique content focused on these two topics. For many companies, such a step can initiate the engagement of colleagues in security processes, helping security operators through active participation. We build inventories of individual risks and behaviors and customize messaging and required activities based on what uniquely affects each individual: who they are, what they do, and what risks they face or create.

This dashboard can be used to host further content around security policies and open the door for communication between cybersecurity departments and employees. Once everyone has a private checklist and toolbox for improving cyber hygiene, the overall security posture of the organization can start to heal one small step at a time. Tags for password hygiene and application risks are concrete, measurable indicators of risk that can be calculated for individuals or for the whole organization. With a tailor-made checklist for personal improvements, we can finally involve our colleagues and have them become part-time cybersecurity professionals as well. After all, no security department has ever been overstaffed, so why not have everyone chip in across the board?

About Scirge

Scirge provides a unique approach to unveiling and gaining control over unmanaged third-party web accounts. Scirge tracks the websites on which employees use corporate email addresses to register and log in. Having a central dashboard of discovered accounts helps to reduce the risk of credential-related threats such as password reuse or account takeover (ATO). Scirge gives a level of control over SaaS usage to overcome Shadow IT. It also helps to ensure that your company complies with GDPR, CCPA, and other audit requirements.