Why Every Organization Needs an Annual Security Awareness Training Program

April 13, 2016

In today’s Whiteboard Wednesday, Todd Lefkowitz, VP of Global Services at Rapid7, will discuss the importance of annual security awareness training programs.

Every year, the Verizon DBIR shows us the top threat vectors used in breaches, and we continue to see that the most popular attack vectors exploit users through tactics like compromised credentials and phishing. While security teams are focused on locking down networks from attacks, users are easily exploited, allowing attackers to bypass the security controls your organization has implemented.

In this quick video, Todd makes the case for adding a security awareness training program to your current security program.

Watch this week’s Whiteboard Wednesday to learn more.

Video Transcript

Hi there. This is Whiteboard Wednesday with Rapid7. My name is Todd Lefkowitz, and I'm the Vice President of Global Services. So, today we're going to talk about the importance of a continued annual security awareness program for your organization. When we look at compromised credentials, they continue to be one of the leading areas of compromise in the industry. And so it's more important now than ever that companies have a good, solid, strong foundational security awareness program that they can run throughout their corporation. So when we look at some of the key areas that we want to focus on, employee turnover, averaging, I'd say, between 20 and 25%, is very important to consider when you run your security awareness program, because you shouldn't assume that the individuals you have today are going to be the same individuals that you have tomorrow.


So one thing that we've seen be very successful is to have a security awareness program that's actually run as a thematic campaign. Meaning that security awareness will be run successively, month after month or quarter after quarter, potentially with overlapping themes or brand new themes, not only to keep people engaged, but also to make sure that it's either a refresher for those that have been with the company for a while, or, in the case of employee turnover, that we're doing our due diligence training new employees on best practice as it pertains to security awareness. So we spoke to the element of employee turnover and the fact that, on average, we should expect employees to come and go.

We also want to make sure that we're keeping security awareness top of mind, and keeping the importance of the chain of custody with respect to data, and employees' responsibility for that data, fresh. And in doing so, we not only recommend doing something every year, but also making sure that it's kept top of mind or front of mind, and that ties back to the thematic approach that we mentioned a minute ago. Now, we also have an ever-changing security landscape. Personally, I like to consider it sort of a co-evolutionary arms race between the attackers and the folks that are trying to maintain security best practice and keep things secure. And to that end, always make sure to keep your content fresh.

Generally, whether it's homegrown or you're using a vendor, you want to make sure that there's a process for updates and upgrades, to make sure that you are getting the most relevant data as it pertains not only to the attack vectors that exist in the marketplace, but to ongoing trends that are being seen in the industry, and it could be your particular vertical or just the industry in general. That is why it's important that you look for vendors or potential solutions that cover a myriad of different topics and topical focus areas, to ensure that everything is covered, whether it's, again, your particular industry vertical, your particular market, your particular company size, your addressable customer audience, and so on and so forth.

And just as important, you want to make sure that you're testing for the efficacy of your program. So you want to make sure that your program is working. One thing that we have seen work pretty well is simulated phishing attacks post-training. So we want to really test to make sure that employees are actually adopting the knowledge that they learn through this ongoing training. And we've seen that, generally speaking, it takes three training events before a student really picks up the knowledge, after which about 50% have a really solid takeaway based on the security awareness training. And simulated phishing in the context of security awareness training, particularly around user credentials, is a great way to ensure that that knowledge is adopted and that your security program works. That's all we have today for Whiteboard Wednesday. Check us out at rapid7.com. We actually have security awareness programs that could work well for your organization. Thank you.
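The transcript's last point, testing program efficacy with simulated phishing after training, is the one part of this a practitioner can measure. The following is an added example, not Rapid7's code and not part of the original post: it takes a constructed per-event export from a hypothetical phishing-simulation tool (the column names and outcome values are assumptions, not a real vendor format) and computes per-campaign click and report rates, flags users who keep failing across campaigns, and groups click rate by how many prior campaigns a user has seen, which is the number you would look at to check the "three training events" claim against your own population.

```python
"""Measure awareness-training efficacy from simulated-phishing results.

Added example (not Rapid7 code). Assumes a simple CSV export with columns
campaign,user,outcome where outcome is the most severe thing the user did:
delivered < opened < clicked < submitted (entered credentials on the landing
page), or "reported" if the user flagged the message to the security team.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data, three quarterly campaigns against five people.
# Note erin only appears from Q2 onward, standing in for employee turnover.
SAMPLE_LOG = """\
campaign,user,outcome
2016-Q1,alice,clicked
2016-Q1,bob,submitted
2016-Q1,carol,reported
2016-Q1,dave,opened
2016-Q2,alice,reported
2016-Q2,bob,clicked
2016-Q2,carol,reported
2016-Q2,erin,submitted
2016-Q3,alice,delivered
2016-Q3,bob,reported
2016-Q3,carol,reported
2016-Q3,erin,clicked
"""

OUTCOMES = {"delivered", "opened", "clicked", "submitted", "reported"}
FAILED = {"clicked", "submitted"}   # both count as a click-through


@dataclass
class CampaignStats:
    targets: int = 0
    clicked: int = 0      # clicked or submitted
    submitted: int = 0    # credentials entered: the outcome the video warns about
    reported: int = 0

    @property
    def click_rate(self) -> float:
        return self.clicked / self.targets

    @property
    def report_rate(self) -> float:
        return self.reported / self.targets


def parse_log(text: str) -> list[tuple[str, str, str]]:
    """Parse the export, rejecting rows with an outcome we do not understand."""
    lines = text.strip().splitlines()
    if lines[0].split(",") != ["campaign", "user", "outcome"]:
        raise ValueError("unexpected export header")
    rows = []
    for line in lines[1:]:
        campaign, user, outcome = line.split(",")
        if outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome {outcome!r} in {line!r}")
        rows.append((campaign, user, outcome))
    return rows


def campaign_stats(rows) -> dict[str, CampaignStats]:
    """Per-campaign totals; click_rate should fall and report_rate rise over time."""
    stats: dict[str, CampaignStats] = {}
    for campaign, _user, outcome in rows:
        s = stats.setdefault(campaign, CampaignStats())
        s.targets += 1
        s.clicked += outcome in FAILED
        s.submitted += outcome == "submitted"
        s.reported += outcome == "reported"
    return stats


def repeat_clickers(rows, min_failures: int = 2) -> list[str]:
    """Users who clicked in at least min_failures campaigns: retraining candidates."""
    failures: dict[str, int] = defaultdict(int)
    for _campaign, user, outcome in rows:
        if outcome in FAILED:
            failures[user] += 1
    return sorted(u for u, n in failures.items() if n >= min_failures)


def click_rate_by_exposure(rows) -> dict[int, float]:
    """Click rate keyed by how many earlier campaigns the user had already seen.

    Exposure 0 is a user's first campaign (new hires land here regardless of
    calendar quarter). Campaign ids sort chronologically in the sample data.
    """
    seen: dict[str, int] = defaultdict(int)
    buckets: dict[int, list[int]] = defaultdict(lambda: [0, 0])  # [targets, failures]
    for campaign, user, outcome in sorted(rows, key=lambda r: r[0]):
        exposure = seen[user]
        buckets[exposure][0] += 1
        buckets[exposure][1] += outcome in FAILED
        seen[user] += 1
    return {e: fails / targets for e, (targets, fails) in sorted(buckets.items())}


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for name, s in campaign_stats(rows).items():
        print(f"{name}: click {s.click_rate:.0%}  submitted {s.submitted}  report {s.report_rate:.0%}")
    print("repeat clickers:", repeat_clickers(rows))
    print("click rate by prior exposures:", click_rate_by_exposure(rows))
```

On the constructed data the click rate drops from 50% in Q1 to 25% in Q3 and the report rate doubles, but the exposure view is the more honest one: users in their first campaign click 60% of the time, those with one prior campaign 50%, and those with two prior campaigns not at all. Reporting by exposure rather than by calendar quarter keeps a cohort of new hires from masking progress among tenured staff, which is the turnover effect the video raises.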