At our third annual Wombat Wisdom Conference last week in Pittsburgh, PA, attendees had the opportunity to hear from keynote speaker Lesley Marjoribanks, Security Awareness Manager at the Royal Bank of Scotland. She shared some valuable lessons learned in the planning and rollout of the security awareness training initiatives delivered to RBS end users. In the event that you were unable to join us, here are some of the pieces of advice she had to offer:
Don’t Rush In
Marjoribanks advised that administrators run pilots on their security awareness and training components before jumping into a full-fledged program. Scheduling a few smaller-scale phishing tests with select departments, for example, can help you familiarize yourself with your simulated attack tool and iron out any issues prior to testing all of the users in your organization.
Meet With Stakeholders
It’s important to bring various stakeholders into the conversation before beginning a program, Marjoribanks noted. Let them know what’s coming and when, she said, and be sure to check in with internal departments that might be impacted by cybersecurity assessments and training. For example, if you are sending out a simulated attack that mimics an internal IT message, you should alert the helpdesk that they could see a rise in calls during the test period. And human resources and legal departments should be consulted about any messages that could create issues from a labor law or regulatory standpoint.
Think Beyond the Immediate
Marjoribanks urged program administrators to consider both the scope of their programs and the current threat landscape when planning their efforts. She noted the following:
- When approaching a global employee base, localize content whenever possible so that regional references (like currencies) resonate with regional audiences.
- Utilize seasonal content — such as deposit notices during peak vacation times and online offers during the holiday shopping season — to help teach end users about common phishing scams that are perpetrated on a seasonal basis.
- Think like attackers. Even if plain “vanilla” lures are what most often hit your organization, varying the pretext and adding some flavor to your simulations will keep users on their toes and raise awareness of more sophisticated attacks.
- Proactively identify potential paths for “false clicks,” meaning clicks registered by someone or something other than the targeted user (for example, emails forwarded to third-party security vendors, or administrative assistants who open messages in executive inboxes). These inflate click counts and should be separated out before you report results.
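Added example (not from the original post or from RBS): a small triage script for the “false click” problem above. It assumes that each recipient received a unique tracking link and that the simulation tool logs, for every click, the link owner, the click time and a client identifier. Both heuristics are assumptions: a click landing within seconds of send is treated as an automated link scan (gateway or forwarded-to-vendor detonation), and one client opening links that belong to several recipients is treated as the assistant-reading-executive-mail case. The log entries are constructed, not real campaign data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Click:
    recipient: str        # owner of the unique tracking link that was clicked
    clicked_at: datetime
    source: str           # client identifier for the click (assumption: IP plus browser UA)


# Constructed sample data for a hypothetical campaign; not real campaign logs.
SEND_TIME = datetime(2016, 5, 2, 9, 0, 0)
RECIPIENTS = ["alice", "bob", "carol", "dave", "erin", "frank"]  # six users got the message
SAMPLE_CLICKS = [
    # Three different users' links hit from one source within seconds of sending:
    # the pattern left by a mail gateway or a security vendor detonating forwarded mail.
    Click("alice", SEND_TIME + timedelta(seconds=3), "203.0.113.10/scanner-ua"),
    Click("bob",   SEND_TIME + timedelta(seconds=4), "203.0.113.10/scanner-ua"),
    Click("carol", SEND_TIME + timedelta(seconds=4), "203.0.113.10/scanner-ua"),
    # A single user clicking their own link much later: counted as a genuine click.
    Click("dave",  SEND_TIME + timedelta(minutes=41), "198.51.100.7/browser-ua"),
    # One client opening links that belong to two different recipients: the
    # assistant-reading-executive-inboxes case. Both clicks are flagged for review.
    Click("erin",  SEND_TIME + timedelta(minutes=65), "198.51.100.22/browser-ua"),
    Click("frank", SEND_TIME + timedelta(minutes=66), "198.51.100.22/browser-ua"),
]


def flag_false_clicks(clicks, send_time, min_delay=timedelta(seconds=30)):
    """Split clicks into (genuine, suspect); suspect maps each flagged Click to its reasons."""
    # Which recipients' links has each client identifier touched?
    owners_per_source = defaultdict(set)
    for c in clicks:
        owners_per_source[c.source].add(c.recipient)

    genuine, suspect = [], {}
    for c in clicks:
        reasons = []
        if c.clicked_at - send_time < min_delay:
            reasons.append("clicked within %ds of send" % int(min_delay.total_seconds()))
        if len(owners_per_source[c.source]) > 1:
            reasons.append("same client clicked links of %d recipients"
                           % len(owners_per_source[c.source]))
        if reasons:
            suspect[c] = reasons
        else:
            genuine.append(c)
    return genuine, suspect


def click_rate(recipients, clicks):
    """Fraction of recipients with at least one click (each user counted once)."""
    clickers = {c.recipient for c in clicks}
    return len(clickers & set(recipients)) / len(recipients)


def summarize(recipients, clicks, send_time):
    """Raw click rate, click rate after removing suspect clicks, and how many were flagged."""
    genuine, suspect = flag_false_clicks(clicks, send_time)
    return {
        "raw_rate": click_rate(recipients, clicks),
        "adjusted_rate": click_rate(recipients, genuine),
        "suspect": len(suspect),
    }


if __name__ == "__main__":
    genuine, suspect = flag_false_clicks(SAMPLE_CLICKS, SEND_TIME)
    for c, reasons in suspect.items():
        print("REVIEW %-6s %s  %s" % (c.recipient, c.clicked_at.time(), "; ".join(reasons)))
    print(summarize(RECIPIENTS, SAMPLE_CLICKS, SEND_TIME))
```

On the sample data the raw click rate is 100% but only one click survives triage, which is exactly the distortion the advice above warns about. One caveat on the second heuristic: behind a corporate NAT every user shares an egress IP, so a client identifier built from IP and user agent will lump real users together; if your simulation tool sets a per-browser cookie on the landing page, use that as the client identifier instead.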
Offer a Repository for Easy Guidance
It’s a great idea, Marjoribanks said, to create an easy, consistent reference where employees can find information about your program. Though it’s important to communicate directly and regularly with users, a central repository, such as an intranet page with answers to frequently asked questions, can take some of the pressure off program administrators, IT helpdesks, and other internal resources.
Provide Advice for Email Best Practices
Once users learn to spot the traps, they will start flagging legitimate messages that happen to look like phishing. To cut down on those reports, proactively provide internal departments, suppliers, business partners, and other trusted third parties with guidelines for email best practices. Marjoribanks indicated that RBS employees were flagging external messages with regularity, and rightfully so, she said, given the way those emails were constructed.
Plan for an Ongoing Program
Marjoribanks is a proponent of our Continuous Training Methodology and offered the following key pieces of advice around this topic:
- Follow up on your phishing tests — planning and sending simulated attacks doesn’t do much for you if you don’t take the next steps.
- Keep going on training, even after click rates go down. Improvement is not the end. Users can always benefit from additional cybersecurity education and practice.
- Keep gathering and organizing your data.
- Strive to keep cybersecurity best practices top-of-mind for your employees all the time.