10 Best Practices For Effective Security Awareness Training

Wed, Oct 04, 2017 @ 17:10


These proven best practices for Security Awareness Training are designed to add a layer of security on top of existing firewalls. The goal is to establish an effective human firewall of informed, educated and phish-savvy employees. According to Lance Spitzer, Training Director at the SANS Institute, “One of the most effective ways you can minimize the phishing threat is through awareness and training. You create a network of human sensors that are more effective at detecting phishing than almost any technology.”

Find out what the true best practices are for security awareness training – those that establish a human firewall to effectively block hackers and criminals.

Best Practice #1: Comprehensive Programs Work

Most security awareness programs are superficial at best. They may include some sensible actions, but they don’t dovetail into a coordinated and comprehensive program. What is missing is an appreciation of the adversary being faced and the degree of commitment an organization must have to stave off attacks. It is vital that the C-suite comes to terms with the extent of the threat and the sheer weight of resources the enemy is bringing to bear against employees. Only by doing so is it possible for C-level executives to comprehend the measures that must be taken to secure the enterprise and the vital necessity of erecting a human firewall of informed and ever-vigilant users. The crux of this best practice is having an awareness of the scale of the problem and the resources necessary to defend against it. A qualified technology support provider will be able to guide you through this research process.


Best Practice #2: Develop a Coordinated Campaign that Combines Training and Phishing Simulation

Training on its own, typically once a year, isn’t enough. Simulated phishing of personnel on its own doesn’t work. But together, they can be combined to greatly increase effectiveness. An important best practice is to intelligently integrate these components into an overall campaign. This is best accomplished by finding a platform that integrates simulated phishing and security awareness training. One approach shared by a growing number of organizations is to outsource this task to their technology support provider. We here at Sagiss conduct end-user security awareness training for a number of our clients, allowing them to focus on running their businesses while we focus on keeping them secure. 


Best Practice #3: Baseline Phishing Susceptibility

Security awareness training can be undermined due to difficulty in measuring its impact. How exactly are you supposed to prove that it obtains results? All it takes is one fresh outbreak and someone in authority can point to the event as evidence that such training dollars would be better spent elsewhere.

This is where the baseline comes into play. It is vital to establish a baseline on phishing click-through rates so you know the percentage of users who open malicious emails prior to awareness training campaign commencement. This is easily accomplished. Send out a simulated phishing email to a random sample of personnel to find out the number that are tricked into opening an attachment, click on a link or enter sensitive information. This is your baseline phish-prone percentage. This metric can be later used to determine how effective the campaign is. Further, it provides specific numbers that can prove useful during the purchase order approval process.

Be wary of any prospective training vendor who is unable (or unwilling) to show demonstrable improvements with data.  


Best Practice #4: Gain Executive and IT Buy-In

To be effective, top executives and IT managers must be on board. Thus extensive briefings before and during a training program are a must. Briefings are needed in advance to secure finance approval, but they should never end there. Prior to beginning a phishing simulation project, communicate with executives and iron out all political or sensitivity issues in advance.

This should include HR, Legal and union representatives where applicable. Otherwise, such campaigns may be unjustly accused of targeting specific employees, undermining morale or discriminating against certain groups. Only by keeping all interested parties involved, listening to their concerns and addressing their needs can the campaign hope to succeed. In some organizations, there may be pressure to inform employees that a simulated phishing campaign is about to be launched. In those cases, where staff are forewarned, the effectiveness of the campaign is significantly reduced.

Another aspect of this best practice is to inform executives about baseline phishing numbers so they are more aware of the extent of the problem and the uphill task facing the organization. Return to this baseline again and again as a means of monitoring results. 


Best Practice #5: Conduct Random-Random Phishing Attacks

Earlier, we mentioned prairie dogging where an employee notices a simulated phishing email and warns the others in the office about it. This phenomenon can even bring about an apparent drop in phishing susceptibility in tests that doesn’t translate into the real world. Employees get used to the simulated actions of the campaign, learn to watch out for them every Monday morning and thereafter continue as normal. What you end up with is a simulated phishing initiative that has little or no impact on employee gullibility.

This is particularly important when you consider the findings from a study by Proofpoint. It found that no company had a zero click rate from phishing attacks. While repeat clickers account for the majority of clicks on malicious links, 40% of clicks typically come from one-off clickers. In other words, even the best and the brightest can be caught unawares and will click on something malicious from time to time. Prairie dogging might allow these rare but occasional phishing victims to develop complacency.

The way to guard against this is to use what are termed random-random simulated phishing attacks. This Security Awareness Training practice entails the selection of random groups, random schedules, and random phishing templates to gain a more accurate estimate of an organization’s likelihood to fall victim to phishing. Instead of sending out the same phishing emails every Monday morning to accounting, every Tuesday at lunch to sales and every Friday evening to manufacturing, switch the tactics and schedules around by varying the groups and schedules randomly. This eliminates prairie dogging and provides the organization with a real metric they can use to determine effectiveness.
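As an added example (not code from the article or from Sagiss), the Python below turns the measurable parts of Best Practices #3 and #5 into working code: a random-random scheduler that gives every employee an independent send day, send time and lure template, a check for the department clumping that pattern is meant to avoid, and the baseline phish-prone percentage with its repeat versus one-off clicker split. The roster, template names, dates and click results are constructed sample data.

```python
import random
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (hypothetical names, not from the article).
ROSTER = [("e01", "accounting"), ("e02", "accounting"), ("e03", "sales"), ("e04", "sales"),
          ("e05", "manufacturing"), ("e06", "manufacturing"), ("e07", "it"), ("e08", "hr")]
TEMPLATES = ["invoice", "password-reset", "shipping-notice", "hr-policy"]
START = datetime(2017, 10, 9, 8, 0)  # first day of the simulation window, 08:00


def random_random_schedule(roster, templates, window_days, seed):
    """Random-random: each employee gets an independently random send day, send time
    and template, so no department sees the same lure in the same slot."""
    rng = random.Random(seed)  # seeded so the plan can be reproduced for audit
    plan = []
    for emp_id, dept in roster:
        send_at = START + timedelta(days=rng.randrange(window_days),
                                    minutes=rng.randrange(0, 9 * 60, 15))  # 08:00-17:00
        plan.append({"employee": emp_id, "department": dept,
                     "send_at": send_at, "template": rng.choice(templates)})
    return plan


def clumped_departments(plan):
    """Multi-member departments whose members all got the same template on the same
    day: the predictable 'every Monday to accounting' pattern random-random avoids."""
    members, slots = defaultdict(int), defaultdict(set)
    for row in plan:
        members[row["department"]] += 1
        slots[row["department"]].add((row["send_at"].date(), row["template"]))
    return sorted(d for d in slots if members[d] > 1 and len(slots[d]) == 1)


# Constructed outcome of three simulated waves per employee: 'x' clicked, '.' did not.
CLICK_PATTERN = {"e01": "xxx", "e02": "...", "e03": "x..", "e04": "...",
                 "e05": "xx.", "e06": "...", "e07": ".x.", "e08": "..."}
RESULTS = [(emp, w, ch == "x") for emp, pat in CLICK_PATTERN.items() for w, ch in enumerate(pat)]


def phish_prone_metrics(results):
    """results: (employee_id, wave, clicked) per delivered email. Returns the baseline
    phish-prone percentage and how clicks split between repeat and one-off clickers."""
    clicks = defaultdict(int)
    for emp_id, _wave, clicked in results:
        clicks[emp_id] += int(clicked)
    total = sum(clicks.values())
    one_off = sum(1 for c in clicks.values() if c == 1)  # one-off clickers = one click each
    return {"phish_prone_pct": round(100 * total / len(results), 1),
            "repeat_clickers": sum(1 for c in clicks.values() if c >= 2),
            "one_off_click_share_pct": round(100 * one_off / total, 1) if total else 0.0}
```

Re-run the scheduler with a fresh seed whenever clumped_departments() returns anything, and keep the seed with the plan so the schedule can be audited later.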


Best Practice #6: Personalize Emails

Personalized emails are more believable. In some cases, this can be as simple as adding the employee’s first name. But in large organizations, personalization must be taken further. For example, obtain from payroll the names of the banks used by employees for direct deposit and use that bank name in a phishing campaign. Another tactic is to split phishing email into groups such as by departments, or to tie phishing emails into topical or popular events.

As we mentioned earlier, partnering with the right training provider can make all the difference at this stage. They can leverage lessons learned from previous engagements, which in turn means more targeted and consistent training for employees.


Best Practice #7: Don't Expect Miracles

The results from Security Awareness Training are excellent. But they fall short of the miraculous. By that, we mean phishing victimization rates generally fall from the 10-25% range to about 2%. It appears that getting below that point is extremely difficult. But continuation of the campaign can keep results at or below that level, which will have a significant impact on the organization. With malware infections caused by phishing minimized, IT finds itself able to contain remaining outbreaks more effectively, as there are far fewer of them.

Due to the dramatic drop in infections, other security measures have a greater chance of success. IT finds itself moving from constant troubleshooting mode to being able to move forward with projects that provide greater strategic value to the organization.


Best Practice #8: Avoid Witch Hunts

A common concern about simulated phishing is that the results could be used in witch hunts. Therefore, don’t ever use results in this way or bring them up in annual reviews. It is best to keep results general and use them to correct and train the organization as a whole as opposed to singling out specific individuals.

The exception to this comes once the coordinated campaign of training and phishing simulation has brought about marked results. After a prolonged series of simulations and training steps, and once the numbers have bottomed out, companies are likely to find the same small group of repeat offenders. Proofpoint noted that less than 10% of users are responsible for almost all clicks on any given wave of malicious attacks. While Security Awareness Training can push that number down far lower, there will remain a handful of individuals who continue to click despite being given every opportunity to reform.

By this point, they will have attended several training classes and received a thorough education on how phishing can fool them. Yet they go on being fooled no matter what remedial steps are taken. Now is the time to involve HR to take up findings with repeat offenders who show no improvement despite several attempts at retraining. To take any possible negative connotation away from "flunking" simulated phishing tests, it sometimes works to incentivize departments to encourage their staff to complete training or retraining in an effort to achieve a 0% click rate. Those doing so, or scoring below a particular level, can be awarded gift cards or other inducements.


Best Practice #9: Continue to Test Employees Regularly

Even when testing confirms that phishing susceptibility has fallen to nominal levels, continue to test employees frequently to determine if anti-phishing training remains effective. The bad guys are always changing the rules, adjusting their tactics and upgrading their technologies. Therefore, training reinforcement must remain a part of the organizational security arsenal in order to keep pace with constantly evolving threats. This rule applies regardless of the size or type of organization in question. When you consider that even high-level government intelligence entities are susceptible to spear-phishing attacks, it makes sense that your stated security measures ought to be tested on a regular basis to ensure they are working effectively. 


Best Practice #10: Provide Thorough Security Training

Old school security training favored a lecture or video approach. The problem with this type of training is that it can rapidly become outdated – the security landscape of one year ago is very different from that of today. It also focuses too much on theory and isn’t balanced by practical application. Security Awareness Training is interactive, balances theory and application, is continually updated, and is based upon thorough insight into how cyber criminals operate. Ideally, it will incorporate the services of an expert hacker who knows all the ways of entering an organization and all the tricks of the phishing trade. It should make sure employees understand the mechanisms of spam, phishing, spear-phishing, malware, ransomware and social engineering, and are able to apply this knowledge in their day-to-day jobs.



Organizations must seek out and adopt the latest methods available in order to keep one step ahead of ever more resourceful organized cybercrime. However, many of the budget dollars spent on such programs will be wasted unless this technology is supported by Security Awareness Training programs reinforced by frequent simulated, randomized phishing attacks. The consequences of failing to do so go well beyond bad headlines. The estimated financial loss from 700 million compromised financial records in 2015 was $400 million, according to Verizon.

Data breaches can result in rising legal costs, non-compliance penalties, loss of brand reputation, customer churn, and even a major hit on the bottom line. Are you interested to see what effect Security Awareness Training would have on your organization? Let us know, and we'll set up a time to discuss these programs with you. 

Further Reading:

Phishing Awareness Guide & FAQ

Why Cybercriminals Love Tax Season

Businesses Face Mounting Demand to Strengthen Cybersecurity

10 Cybersecurity Mistakes To Never Make Again

5 Questions To Ask When Looking for Small Business IT Support
