What have you found to be the absolute most effective way to deliver security awareness training? What actually seems to work best?

1.5k views · 3 Comments
Senior Information Security Manager in Software, 3 years ago

While October was cybersecurity awareness month, the truth is that every month is cybersecurity awareness month.

And for awareness to be effective, it must be tailored to the specific organization.

There are a lot of off-the-shelf SaaS awareness platforms.

But if you don't find the right one that speaks to your specific risks and talks to your specific employees, they will just play it in the background to get the CPEs, and not get any of the messages. And if that happens, it is completely management's fault.
 

https://cybersec.banyansecurity.io/s/october-is-cybersecurity-awareness-month-part-4-recognize-and-report-phishing-5625

Director in Manufacturing, 3 years ago

On a 1-1 basis, if I happen to walk by an unlocked screen with nobody around, I open a new Mail Message, increase the FONT to the maximum, and write something. If I know who the owner is (usually), I will write an appropriately embarrassing note, e.g. "I QUIT, I am leaving to join the 'Real Circus'."

On a mass scale, we always tried to use real situations that we had experienced within the company like imposters directing lower employees to route money, or similar spear phishing attempts.

1 Reply

(no title), 3 years ago

Well written and I fully concur.

A gentle messing with an unlocked screen is fun and efficient, and if the company culture is good, others will follow the example :)

For the company-wide messaging we try to tell stories based on the real-world incidents and breaches. A good example was the recent Dropbox breach via CircleCI phish (GitGuardian wrote a great explanation https://blog.gitguardian.com/dropbox-breach-hack-github-circleci/); I told the story and used it to play a "what if" and encourage people to start adopting passkeys or dedicated MFA apps in favour of the TOTP. We achieved much more profound impact than if we "just" sent a note along the lines "please consider FIDO2, it's more secure than TOTP" – colleagues started to talk to each other about the topic, and that's almost as good as it can get :) (and yes our IT is following up and making sure people acted on the guidance...)
