Stu Sjouwerman, CEO, KnowBe4
Testing users on a frequent basis to see who falls for a simulated phish should be part of any effective security awareness training program. Users won’t remember the bulk of their annual training, and after time, old habits come back into play. Training users and frequently phishing them will keep them on their toes with security top of mind. It is fun to do for IT and helps users to determine if the email is expected, relevant and current, with the additional benefit that it also helps employees to stay safe on the internet at home.
The best defense is a good offense
Steve Martino, Vice President, Chief Information Security Officer, Security and Trust Organization, Cisco
Even those who should know better can get caught clicking on a malicious link or document that looks legitimate. We have a program that educates employees to recognize and report phishing emails. To test their phishing IQs, we send them phishing emails; if someone takes the “bait,” they receive in-the-moment training on how to avoid being tricked. We test them again within 30 days to reinforce. Since starting the program, we have reduced our click risk rate by over 60 percent.
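The measurement loop in the quote above (send a simulated phish, give clickers in-the-moment training, retest within 30 days, track the drop in click rate) is easy to script against a campaign export. The following is an added example and not Cisco's or any vendor's tooling; the event rows, campaign names and user ids are constructed for illustration, and the record layout is an assumption rather than any real platform's export format.

```python
"""Score simulated-phishing campaigns and flag overdue 30-day retests.

Added example (not Cisco's or any vendor's code). EVENTS is a constructed
sample export: one row per recipient per campaign, with whether they followed
the lure link ("clicked") and whether they used the report button ("reported").
"""
from collections import defaultdict
from datetime import date, timedelta

RETEST_WINDOW_DAYS = 30  # the quote's "test them again within 30 days"

# Constructed sample data: five users across two quarterly campaigns.
EVENTS = [
    {"campaign": "q1", "sent": date(2024, 1, 8), "user": "alice", "clicked": True,  "reported": False},
    {"campaign": "q1", "sent": date(2024, 1, 8), "user": "bob",   "clicked": False, "reported": True},
    {"campaign": "q1", "sent": date(2024, 1, 8), "user": "carol", "clicked": True,  "reported": False},
    {"campaign": "q1", "sent": date(2024, 1, 8), "user": "dave",  "clicked": False, "reported": False},
    {"campaign": "q1", "sent": date(2024, 1, 8), "user": "erin",  "clicked": True,  "reported": False},
    {"campaign": "q2", "sent": date(2024, 4, 8), "user": "alice", "clicked": False, "reported": True},
    {"campaign": "q2", "sent": date(2024, 4, 8), "user": "bob",   "clicked": False, "reported": True},
    {"campaign": "q2", "sent": date(2024, 4, 8), "user": "carol", "clicked": True,  "reported": False},
    {"campaign": "q2", "sent": date(2024, 4, 8), "user": "dave",  "clicked": False, "reported": False},
    {"campaign": "q2", "sent": date(2024, 4, 8), "user": "erin",  "clicked": False, "reported": False},
]


def campaign_rates(events):
    """Return {campaign: (click_rate, report_rate)} as fractions of recipients."""
    sent, clicked, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    for e in events:
        sent[e["campaign"]] += 1
        clicked[e["campaign"]] += int(e["clicked"])
        reported[e["campaign"]] += int(e["reported"])
    return {c: (clicked[c] / sent[c], reported[c] / sent[c]) for c in sent}


def click_rate_reduction(events, before, after):
    """Relative drop in click rate between two campaigns, in percent."""
    rates = campaign_rates(events)
    b, a = rates[before][0], rates[after][0]
    return (b - a) / b * 100.0 if b else 0.0


def needs_training(events, campaign):
    """Users who took the bait in a campaign and so get in-the-moment training."""
    return sorted({e["user"] for e in events if e["campaign"] == campaign and e["clicked"]})


def retest_overdue(events, campaign, today):
    """Clickers from `campaign` who were not sent another test within
    RETEST_WINDOW_DAYS of the original send and whose window has now passed."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    overdue = set()
    for e in events:
        if e["campaign"] != campaign or not e["clicked"]:
            continue
        deadline = e["sent"] + timedelta(days=RETEST_WINDOW_DAYS)
        # Any later send to the same user on or before the deadline counts as the retest.
        retested = any(e["sent"] < f["sent"] <= deadline for f in by_user[e["user"]])
        if not retested and today > deadline:
            overdue.add(e["user"])
    return sorted(overdue)


if __name__ == "__main__":
    for camp, (click, report) in sorted(campaign_rates(EVENTS).items()):
        print(f"{camp}: click rate {click:.0%}, report rate {report:.0%}")
    print(f"reduction q1 -> q2: {click_rate_reduction(EVENTS, 'q1', 'q2'):.1f}%")
    print("train now:", needs_training(EVENTS, "q1"))
    print("retest overdue on 2024-03-01:", retest_overdue(EVENTS, "q1", date(2024, 3, 1)))
```

Note that the sample data deliberately violates the 30-day rule: the q2 send is three months after q1, so every q1 clicker shows up as overdue by March, which is the gap this check is meant to catch. Tracking the report rate alongside the click rate matters because a rising report rate is the behaviour the training is trying to produce, not just a falling click rate.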
Ditch the Conference Room Training; Treat Employees like Fighter Pilots
Aaron Higbee, Chief Technology Officer and Co-Founder at PhishMe
Employees learn best from real-life interaction, similar to how fighter pilots train using extremely realistic simulation engines, so skip the lecture and mandatory videos and see how an employee responds to a simulated threat. If they fail a simulated attack, chances are they won’t want to make the same mistake next time. According to the Herman Miller Learning Pyramid, learning by doing yields a 75% knowledge retention rate, compared to 5% for those who rely on lectures. Experience is key!
Make it fun
Larry Hurtado, CEO, Digital Defense
As security training can be dry and boring, Digital Defense got creative and developed SecurED in collaboration with award-winning Hollywood comedy writers. The combination of serious and important guidance with fun, engaging characters achieves the “stickiness factor” required to achieve real results.
Matthew Gardiner, cybersecurity strategist at Mimecast
An organization’s security posture is only as strong as its weakest link, and its weakest link is most often its people. People can be tricked into giving attackers their credentials, clicking malicious links, opening malware-laden attachments, or doing something they shouldn’t with the organization’s data or money. An entire company, from the C-suite to the front desk, needs to be educated and closely involved in promoting and protecting the security of the business. Given this, phishing training needs to be conducted both scheduled and ad hoc to keep the safety of the business front-and-center with their people.
I’m an Entrepreneur, Freelance Security Consultant and Bug Hunter with years of experience and a deep interest in the InfoSec industry. I love to speak and write about web and mobile application pen-testing and bug bounty. You can reach me at