Running a security awareness program

Tony Gee 24 Jul 2016

So you’ve finally managed to convince management of the need to perform security awareness training. What next?

I’ve been performing security awareness training for around 10 years, and doing it full time here at PTP for the last 3 and a half years. From the thousands of sessions I have run, I’ve found the most important aspect is to make it relevant.

Now, everyone says that, but what does it really mean? What is relevant to you is different to what is relevant to someone in finance or HR, or to your boss, etc.

Most awareness programs focus on highlighting what is demanded by policy. That is seen as relevant by your boss, as it helps to tick boxes come audit time, but is it actually effective at changing behaviours?

Some programs highlight real world examples, showing attacks that have happened to the organisation. Interestingly, whilst this is wise, it can mean that staff who wouldn’t typically be targets of those types of attacks might not see it as relevant to them and switch off. An example might be CEO fraud. Whilst hugely popular with attackers, it really only targets a few staff members, typically in Finance. Is training for that going to help ALL staff?

In my experience you really need a combination of both policy-driven AND real-world training, but with the magic ingredient: making it personal. Making it personal is crucial if you want to engage staff (and you really do want to engage staff!) as this is the key to relevancy. Staff don’t see security at work as their problem; it’s yours. However, if you tell them about security at home, that is undeniably their problem. So, if I tell them how hackers can hack their social media profile or abuse their oversharing of personal data, they are going to pay attention!

The other important element is to make it fun. You want your audience to enjoy themselves and not switch off. Try to look for examples that have an amusing element, and don’t be afraid to satirise yourself.

How to go about it?

In my experience the most successful awareness campaigns include some face-to-face events (c. 60 minutes, no more than 30 people a session), but then also offer some online material, posters, flyers, CBT-style training, lunch area events and regular communications. The more professional you can make this the better. Gimmicks like security mascots will just lead to derision; avoid them entirely.

Consider talking to your marketing teams, or seek external resource, to generate and build interest in the events in the way TV shows and movies generate interest. Food is often a good motivator to get people to your sessions: lunchtime sessions with free, good food will often see the session full. If you have audit commitments, make the events mandatory; however, the ideal is to generate so much interest that people will want to come anyway.

The word ‘yes’

Branded gifts might be useful for encouraging attendees to come, but don’t underestimate simple things like the benefit of a drop-in centre where staff can come and seek advice on problems with home PCs, social media, etc. You could have an amnesty where staff can hand in unapproved USB devices in exchange for approved ones, or they can tell you about cloud services or other shadow IT they have signed up to so you can approve them formally.

In these situations it’s important to focus on the word ‘Yes’.

No one will come to you if you behave like a dictator and start blanket banning things. Staff generally behave security-badly when they have a need that you’ve not provided a solution for. You need to be able to say “yes, we can do that, however, x tool will suit our risk model better” or “can you do x before you use that service” (e.g. encrypt before uploading to Dropbox).

It is important not to see security awareness events as one-offs. They need to be regular. You don’t need to do it constantly, just make it frequent and regular and keep the message flowing. I recommend sessions are at least monthly. Work out how staff actually digest information (not just how internal communications think they do), be that with email, instant message, intranet, etc., then use that to communicate regularly.

You need to get management support and engagement. They need to lead and embrace security awareness and, of course, give the staff time to attend these events. There is a cost of course, but the benefit is that with enhanced training the business is less likely to end up on the front pages of the news for a data breach.

Some key things to cover in face to face training and handouts include:

Current/recent attacks

  • Don’t be afraid to show attacks you have blocked or even successful attacks. This will carry considerable weight and help staff understand what attacks look like. It’s not a name and shame opportunity, just about highlighting the types of attacks you are seeing, so make sure you obscure all PII from examples.

Mobile phone settings

  • Be sensible: there is no point suggesting a 20-character complex password on phones without biometric authentication, but try to suggest 8 numbers, up from 6, by adding the 19 or 20 to the year of the inevitable anniversary date. Where biometrics are available, embrace them – your users will be – and think of them as a convenience that makes stronger passwords practical.
  • Differentiate between flavours of operating systems and suggest appropriate settings for each main flavour of OS.
  • Think about Wi-Fi and Bluetooth promiscuity and possibly show how that can be abused.
  • Remember you might have an MDM for work phones, but few will have that on personal phones, so suggest practical settings, like turning off features accessible from the lock screen, using adblockers and antivirus, keeping it up to date, checking the permissions of apps before installing, etc.
  • You can usually tie in the controls that are in place for your environment here.

Social media

  • Settings are often a minefield: by the time you write the advice, the setting may be out of date, and with new services springing up all the time it can be hard to define advice per service. Provide general advice:
    • Think about inadvertent oversharing (e.g. location/D.O.B.), especially on public profiles; try to show examples of poor controls
    • Think about content you deliberately share (e.g. photos)
    • Lock profiles down to contacts only
    • Limit profile visibility to search engines
    • Set good passwords (more on that later)
    • Be sensible with who you connect/become friends with
    • Use blocking tools
  • Consider showing staff how to block and mute people and how to report offenders to the relevant site’s administrators.
  • It’s important to spell out what your requirements are for work social media profiles or what some of the key controls from your social media policy are.

Home PC/Mac controls

  • The basics are usually well understood (e.g. AV, firewalls, etc.), but are still worth reiterating.
  • Most Mac users still think Macs don’t need AV; suggest free or commercial offerings.
  • Suggest setting up different user profiles for shared computers.
  • Suggest implementing parental controls.
  • getsafeonline.org are a fantastic resource here.

Passwords

  • No one likes them, but they are necessary
  • NCSC publish some excellent guidance
  • Consider showing how to set good passphrases
  • Explain why complexity is important
  • Recommend password managers (I would strongly suggest you encourage these internally for ALL staff)
  • Explain what your policy is
    • Be careful not to contradict yourself with your recommendation vs. what you actually do, or at least be prepared for challenge.
  • Two-step verification is useful to talk about, and is recommended, but be careful not to alienate people: most users don’t know what it is, nor care what it is. Think of it as a journey. Start with good passwords from a password manager that are different everywhere, then consider 2FA. That said, 2FA can help with sites where weaker passwords are required, so it can be beneficial. The key focus, though, should always be on making security easy, otherwise no one will do it.

Other policies

  • Clear desk. Try to show how failings in this can be abused, using real world examples.
  • Physical security. Explain the need for it and highlight where failings have been exploited; personal stories will really help here.
  • Data security. This can get dull really quickly, so consider focusing on the key elements of what is needed and the benefits to end users.
  • Removable media. A chance to explain what staff can do and how to securely use removable devices.

Live demos

These can carry a lot of weight and are often simple to do. I have already written about setting up attachment-based phishing attacks.

  • You can do simple URL phishing with SEToolkit in Kali Linux to create clones of real sites, perhaps cloning Facebook or your own secure sites.
  • A Wi-Fi Pineapple can be used to show what can happen with fake Wi-Fi access points or how passwords can be stolen with captive portals.
  • You can do simple password guessing in Kali Linux.
  • Use Have I Been Pwned to check if users have been hacked.

These aren’t exhaustive lists, and each awareness program will be unique to the needs of the organisation and the people being trained, but whatever you do, focus on the key element of making it personal. Good luck and let me know how you get on!

Tweet me @_tonygee_.