A BLOG ABOUT CYBER SECURITY

Wombat Security is a leader in security awareness and training. Our blog covers the latest cyber security news, insights, and best practices. We arm infosec professionals with the knowledge and tools they need to improve end-user behaviors and reduce organizational risk.

Security Awareness Training: ‘Petrified Users’ Shouldn’t Be Your Goal

Posted by Gretel Egan on 12/5/17

Given what we do, it should come as no surprise that we like to keep our finger on the pulse of the security awareness training market. (You aren’t recognized as a Leader by Gartner for four years running by operating with blinders on, after all.)

We are particularly interested to know how end users are responding to training efforts in different organizations and different industries. Since we believe that users are key to cybersecurity postures — those who maketh the mistakes can also take them away, right? — it stands to reason that we also believe that organizations should consider how their end users might feel about (and react to) cybersecurity education efforts.

One comment we regularly see floating around infosec forums like Spiceworks is that an organization’s program has “petrified” its end users, making them afraid to interact with any emails they receive. Most of the infosec folks who make these types of comments seem pleased by this outcome and think they have succeeded — but we respectfully disagree. In fact, we feel frightened users are unproductive users. And here are three reasons why:

  1. Email is crucial to the flow of business – If your employees don’t know how to appropriately handle email, and their knee-jerk reaction is to think that every message is a phishing email that is too dangerous to deal with, your program is not only failing your users, it’s failing your business. Petrified users disrupt the flow of activity, and that is not a win on any level.
  2. You create more work for your IT response teams – Yes, you absolutely want to teach your users to report suspicious messages and reach out to your helpdesk or IT personnel with questions and concerns. But not for every message. If you condition your users to avoid interacting with any message that contains a link or attachment or request for information, you will inundate your response team on an hourly basis and needlessly delay responses to business-critical requests (see point 1).
  3. Your users are capable of so much more – Make no mistake: If you believe your users cannot learn, you automatically limit the expectations you have for your program. The reality is that workers in all industries, at all levels, and in all roles frequently learn new things and effectively apply them on a daily basis. The same is possible for cybersecurity best practices. Instead of taking a counterproductive, “IT vs. end users” mindset, try to put yourself in your users’ shoes and embrace the opportunity to change behavior and reduce risk.

It’s time to raise the expectations you have for your security awareness training program — and the intellect and capabilities of your end users. Yes, a healthy sense of paranoia does everyone good when it comes to cybersecurity. But you need to stop short of creating a pervasive paranoia that terrifies your users, petrifies your business, and overloads your IT staff. Instead, focus on empowering your employees with the knowledge they need to make informed decisions. There are true, measurable benefits to including your users in your prevention and protection efforts rather than treating them like problem children who should be seen and not heard.
