
What does effective security awareness training look like?


Hackers can find an entry point into your company's digital environment through your employees. A popular technique for getting in is phishing, where an employee is tricked into sharing personal data or installing malware. IT professionals may know the attack well, but what about management or HR staff, for example? They can improve their digital skills through security awareness training.

Phishing is a straightforward way for hackers to spread ransomware or other malware within a company. With Phishing-as-a-Service (PaaS), any hacker can buy a ready-made phishing kit and run a campaign with little effort.

Many phishing campaigns target employee email accounts, because companies have more money than individuals and are therefore a more attractive target. Through phishing, hackers can obtain login credentials for essential business applications, steal trade secrets, or install malware. Often, cybercriminals then demand a ransom to leave the corporate network or to keep stolen trade secrets from being made public.

Often the only hurdle for hackers is the detection tooling that automatically filters out emails containing suspicious links. But in that area, too, hackers are proving increasingly clever. Lately, phishing campaigns that abuse legitimate links have become enormously popular: the email routes the malicious destination through a link on a legitimate domain, so the message bypasses most security solutions and still reaches the recipient.
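One check a mail-filter or SOC analyst can run against this link-wrapping technique, added here as an example (it is not code from the article or from KnowBe4): it assumes the legitimate link is an open-redirect-style parameter whose value is the real destination, and that the message's links have already been extracted. All hostnames and links below are constructed sample data.

```python
"""Flag e-mail links that route through a legitimate domain to a hidden destination.

Assumption (example only): the wrapper is a query parameter whose value is a
URL, possibly URL-encoded more than once, pointing at a different host.
"""
import re
from urllib.parse import parse_qsl, unquote, urlparse

# Constructed sample: links as they might be extracted from an inbound message.
SAMPLE_LINKS = [
    "https://www.example.com/login",
    "https://trusted-cdn.example.com/redirect?url=https%3A%2F%2Fevil.example.net%2Fharvest",
    "https://portal.example.com/go?next=//evil.example.net/login",
    "https://portal.example.com/go?u=https%253A%252F%252Fevil.example.net%252F",
    "https://portal.example.com/go?next=https://portal.example.com/dashboard",
    "https://portal.example.com/search?q=hello+world",
]

# A value that is an absolute or protocol-relative URL ("https://..." or "//...").
URL_LIKE = re.compile(r"^(?:https?:)?//", re.IGNORECASE)


def fully_decoded(value, max_rounds=3):
    """Undo repeated percent-encoding (attackers double-encode to dodge filters)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def embedded_destinations(url):
    """Return (parameter, host) pairs for query values that resolve to another host.

    Same-host values such as ?next=/dashboard or ?next=https://<same host>/x are
    legitimate post-login redirects and are not reported.
    """
    outer = urlparse(url)
    findings = []
    # parse_qsl already decodes one layer; fully_decoded strips any further layers.
    for key, raw in parse_qsl(outer.query, keep_blank_values=True):
        value = fully_decoded(raw)
        if not URL_LIKE.match(value):
            continue
        # Give protocol-relative links a scheme so urlparse yields a hostname.
        inner = urlparse(value if value.lower().startswith("http") else "https:" + value)
        if inner.hostname and inner.hostname != outer.hostname:
            findings.append((key, inner.hostname))
    return findings


def flag_links(links):
    """Map each suspicious link to the hidden destination hosts it carries."""
    return {link: hosts for link in links if (hosts := embedded_destinations(link))}


if __name__ == "__main__":
    for link, hosts in flag_links(SAMPLE_LINKS).items():
        print(f"SUSPICIOUS {link} -> {[h for _, h in hosts]}")
```

The check only looks at query parameters; a wrapper that hides the destination in the path or in a fragment needs a separate rule, and a flagged link still has to be confirmed, because legitimate services also carry third-party URLs in parameters.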

Relying on detection tools as the sole means of protection is therefore a bad idea, which is why it is wise to invest in cybersecurity awareness training as well. Workers in general appear to have become less resilient to phishing emails: without training, roughly a third of Europeans fall for phishing. Training lowers that percentage but can never bring it to zero.


‘Skipping class is not acceptable in security land’

In security awareness training, employees learn, among other things, what phishing is and which elements indicate that an email is malicious. KnowBe4 does this in an engaging way, so that employees are not just presented with ‘hard’ theory from which they learn nothing at the end of the day. This also reduces the chance of employees not showing up for training. “Skipping class is impossible in security land. Clicking on just one link can be fatal,” we hear from Jelle Wieringa, Security Advocate at KnowBe4.

The platform's learning material is therefore available in various forms, so users can pick the material that suits how they learn best: some prefer to read, while others learn better from a video. “We even respond to different media and have our own TV series, for example. Due to its great success, we have now reached the fifth season,” Wieringa says. But not every employee will convince the whole family to set Netflix aside for the series, which is why the training material is also available on laptops and smartphones.


KnowBe4 also turned the training into the TV series The Inside Man. Source: KnowBe4

In addition to the learning format, the individual level of each employee is taken into account. “Someone who just starts in a company will always start at the beginning. The employees are first presented with a basic three-quarter-hour training, and once that has been completed, the training is individualized. This depends, for example, on this person’s position, as we make sure that the training of a developer, for example, also addresses security aspects that are important within this profession. Those individual needs are further determined based on AI,” Wieringa said.

Simulated phishing attacks

Unlike a school course, security awareness training is never finished. Hackers keep inventing new methods to get phishing attacks into the mailbox. In June, for example, the training was supplemented with information about phishing attacks via QR codes. Now that these codes are commonly used for ordering at a pub, for example, and employees are familiar with them, hackers are also spreading them in emails.

So graduation is not possible, but tests do come into play. Wieringa explains exactly how that works: “Exams, or simulated phishing attacks as we call them, are also tailored to the individual user. We create the emails randomly from different templates and distribute them at different times, all to prevent the first employee who receives one from informing the rest of the organization about the test.” So KnowBe4 not only tackles truants but also makes cheating impossible.

When sending out the phishing simulations, AI technology is once again put to use. “We have data that gives us insight into when a user answers their emails, for example. AI and machine learning use that data to optimize the attack for the learning outcome.”

Users also get to see how they score on these simulations. “We think the most important part of our platform is the part where users can see for themselves what they are learning and how they are doing.”

The admin side

Now that we’ve covered the user side of the platform, we come to the capabilities for administrators. They can completely adapt the portal to the needs of the company they work for. “The admin section can also be used to create the training. The administrator determines the appropriate content for each training and chooses the videos and games to which employees will have access,” adds Wieringa.

Five minutes per month

KnowBe4’s platform is comprehensive and optimized to get the best results from security awareness training, and it does not demand much of employees’ time either. “We recommend that an employee trains for another five to 10 minutes per month. The most important thing is not the duration of the training, but rather that the training is done consistently.”

Cyber awareness training therefore appears to be a small effort that improves your company’s digital security. For that to work, though, employees must actually learn from the training and be motivated to put theory into practice, and KnowBe4 seems to have sufficient resources for that.