I have built my whole business around the importance of good security awareness training. Hence, I want to share with you what exactly it is, and the goals around having a good security awareness program.
Watch the full episode below or listen on Apple/Spotify Podcasts. (Check out more episodes on our Gone Phishing page!)
Listen on Apple Podcasts Here
Full Episode 003 Transcript:
00:00:00:12 - 00:00:30:04
Connor Swalm
Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Sloan, CEO, food security, and welcome to Gone Phishing. I'm Connor and welcome to the show.
00:00:30:05 - 00:00:53:09
Connor Swalm
Today we're talking about my favorite topic, something I've actually dedicated like four years of my life to as of now and many more to come. It is security awareness training. It's actually what I've built my entire business on and most of my life as of now. And it's very important. I enjoy it. I think it's pretty cool. And we're going to talk about it today.
00:00:53:20 - 00:01:15:12
Connor Swalm
So first thing, let's let's start with a question. What is security awareness training? And I would like to approach this by giving you my definition that I have personally. And then I want to read through some of the answers that you will find on the Internet so that anyone here who's listening who might disagree with me, I understand what you're saying.
00:01:15:12 - 00:01:57:18
Connor Swalm
I understand the definitions that I find if you Google it real quick, but I just have a slightly personal definition. So I define security where in a screening as a program filled with training and assessments that teaches people to recognize social engineering and other cybersecurity threats they might face during the course of their job or their employment. So simply put, it is a program that should be put in place to arm an employee with all the information and all of the ability that they need to recognize risk so that it doesn't turn into a breach or doesn't turn into something worse, like the theft of money or information or access.
00:01:58:15 - 00:02:19:23
Connor Swalm
So that is my definition. But if you Google this or if you're on big or brief, whatever browser you'd like to use, I don't know, use your own. You'll get something along the lines of it is a strategy used by security professionals to prevent and mitigate user risk. It is a process for educating employees and third party stakeholders in a company.
00:02:20:09 - 00:02:47:09
Connor Swalm
It is a corporate wide initiative to help employees identifying avoid cyber threats. You'll get everything along those lines. Basically, it is education that helps people reduce the risk to an organization that a breach is going to occur because of behaviors they do or do not have. It's as simple as that. So what are the goals of this organization, of this kind of training, of an awareness training program?
00:02:48:02 - 00:03:22:11
Connor Swalm
I will talk about the ten ton gorilla in the space, actually. Right now. And it is most companies use security awareness training programs to check boxes to simple as that. Most companies and I'll repeat that most companies use security awareness training to check compliance boxes. That's it. There's a certain amount of training. There's a certain amount of social engineering simulation that a company has to do to abide by their cyber insurance policy or CMC.
00:03:23:01 - 00:03:49:08
Connor Swalm
It doesn't keep changing or they say 871 or 853 or ISO 27,001, whatever it is. There's a certain amount of training with certain topics that are sometimes designated that you need to do to be compliant. So that's the first that is usually the number one goal of a program is to make sure we're compliant. We're not going to lose our insurance, we're not going to lose our government contractor accreditation or however they'd like to word that.
00:03:49:23 - 00:04:17:18
Connor Swalm
So that's the first. What are what do I think the goals of training should be? Well, we talked about this a lot in the last episode. But simply put, I think there is a certain amount of threat that a certain amount of vulnerability, a certain amount of risk that people are exposed to, that they need training, that they need simulation, that they need help recognizing and understanding in order to properly prevent it.
00:04:18:11 - 00:04:44:08
Connor Swalm
So I always thought about security awareness training back when I was, you know, founding Finn as kind of like a scrimmage. It's it's not a real game. It's often very friendly. Stop it. A lot of times to teach people proper behavior. If you're thinking about a baseball analogy, exactly what I went to. There's the games, there's batting cages and practices, but then there's a scrimmage.
00:04:45:18 - 00:05:06:02
Connor Swalm
So I've always thought about security one as training, as kind of like a scrimmage. It's we are teaching people what it's like to play in the game. And the game is just them working their jobs and the normal life that they should be leading and living while they're doing that. So a scrimmage is an opportunity to identify some of the information gaps.
00:05:06:20 - 00:05:24:23
Connor Swalm
People don't know when they need to cover bases or people don't know and say, I didn't play baseball much, grown up. So if I screw this up, I apologize. But people don't know what they need to know. That's the first thing. The second thing is, how do people actually perform balls hit? Did the person catch it? It's really simple.
00:05:25:09 - 00:05:50:03
Connor Swalm
So that's how I've always viewed awareness training is it's to simulate reality. It's to get to a point where we can identify where a person has gaps and then we can provide them the training, batting cages and practice to help them cover those gaps and to get a little better. And the act of doing that reduces and reduces the risk that a company is exposed to by an incredible amount.
00:05:50:23 - 00:06:24:10
Connor Swalm
So the second overarching goal should be to reduce the risk that a breach occurs because somebody doesn't know or somebody is incapable of behaving in a secure way while they're doing their job. And keep in mind, you should never, ever, ever, ever blame the employee for a mistake that they make like that. There are several companies that I have met with recently that still tie a certain amount of employees comp compensation to their performance in phishing campaigns.
00:06:25:20 - 00:06:49:07
Connor Swalm
And I'll give you one example as to why that's not acceptable. In my mind, it's a lot of phishing simulations end up getting caught in spam filters or screwed up through safe link rewriting in Microsoft or your secure email gateway detonates the link and sandboxes any attachments, and as a result, that person clicks, quoting again clicks on that email, even though it wasn't them and it never got to their inbox.
00:06:50:08 - 00:07:18:22
Connor Swalm
And then they feel like they are at risk of not getting their full compensation. And that just creates so much insecurity, like from an individual level. It creates so much distrust with the cybersecurity folks at your company, creates so much pain that I have witnessed with my own eyes. After watching hundreds and hundreds of programs over the past four years, that is just not worth it.
00:07:19:10 - 00:07:44:09
Connor Swalm
So the goal should be to arm these employees with the capability of recognizing it. But when we when they mess up, we're all human and it will be you the next week. If it's not you now, we shouldn't punish them. So it should be to support the employees. That's the third goal. Support employees. So how are human vulnerability management and security awareness training connected?
00:07:44:22 - 00:08:16:09
Connor Swalm
So when I was launching Phin Security Awareness training is what exists today. It's what's existed for the last 25 years. It's 25 years. And security, where it is training, has all the goals that I just got done mentioning. But human vulnerability management goes one step further and that one step further is accurately mimicking real world attacks like not just creating programs, setting them up, and then letting them run and measuring their results.
00:08:16:09 - 00:08:43:00
Connor Swalm
It's actually creating a program that adjusts itself with what we're seeing in the wild. And then the second piece is adjust itself based upon the responses we get from the employees and that those responses from employees. There are two specific responses that at least we're aware of that we're measuring that we deem is really effective. The first is, did the content we put in front of those users actually, did they actually engage with it?
00:08:43:18 - 00:09:04:15
Connor Swalm
I went when I when I started seeing and I talked to as many employees who had to take the training and had to engage in the programs that we were creating as possible. And a lot of them had a historical experience with awareness training that was very similar. Oh yeah, I get those videos every month. I mutum I moved into my second monitor.
00:09:04:15 - 00:09:19:04
Connor Swalm
I go play with my dog, my kids, my cat and say hi to my spouse, whatever it is. And then I come back and I answer the questions and guess what? It's the same stuff that I did for the past six years of my life. So I get it. All right. That person didn't get any additional help out of that content.
00:09:20:00 - 00:09:58:16
Connor Swalm
And you as the provider is the company you paid for that. So there's a mismatch. There's a misalignment here. So we like to measure how people actually interact with it. And then the second piece of response that we're measuring is on the actual social engineering side. So when we attempt to socially engineer people, whether that's through emails or business email compromise or simulated spear phishing or SMS phishing or voicemail phishing, whatever is in the program that is built in and launched for our partners and our clients, we actually look at what's what kind of behavior the user is exhibiting when they get phish.
00:09:58:17 - 00:10:21:20
Connor Swalm
So was it because it was a text message? Was it because the directed action was to just click links? Was it because it simulated business email compromise? And this person over here in that organization, we knew that they worked together, whatever the vulnerability was or the set of vulnerabilities, was it because the content was brand had brand impersonation or was it because we simulated domain impersonation?
00:10:22:02 - 00:10:44:03
Connor Swalm
We actually got a type of spot, a domain that attempts deficient with it. We dove into what do we believe at fin is the reason this individual actually got phish and actually create like created a social engineering event of sorts. So that is how their connect is. I don't view it as tearing down the old and bringing in the new.
00:10:44:11 - 00:11:14:11
Connor Swalm
I just view it as one more step in the right direction. Evolving the industry so that we can get to a point where humans aren't. I would love to get to a point where humans, according to Verizon's Data Breach Investigation report, are not the reason that most breaches occur, which is what not only Verizon, as I guess trying to say in their report, but also I've heard from several other reports and several other security practitioners, which on the one hand I get.
00:11:14:21 - 00:11:35:01
Connor Swalm
On the other hand, I don't agree with 100%. So what is the difference between good and bad security when a string a lot of people that are listening to this podcast, a lot of you probably measure the success of your program by the default phishing rate. We had 6% of people last year or last quarter or last month.
00:11:35:01 - 00:11:55:19
Connor Swalm
Click. I actually have an entire blog on this as to how people misinterpret the data that they're receiving in their security awareness programs and why it doesn't create the reality that they would like to believe it does. So I can't dove into all that right now, but basically the difference between the good and the bad of programs is actually effectively measuring progress.
00:11:56:07 - 00:12:13:02
Connor Swalm
And I'll give you a hint, it is way more than just phishing rates. It has a lot to do with how people feel supported, almost like an empty score of sorts. So did your security awareness program get an MBA score last quarter? What was that? Or are we going up or are we going down? It's measuring the results properly.
00:12:14:01 - 00:12:37:16
Connor Swalm
So again, to stress, the difference between good and bad programs is you need to make sure you're getting the right data. Why are people falling for social engineering? Why are people not engaging with the training? And sometimes it boils down to if you deliver an hour of content to an individual once a year or once a quarter. Listen, I studied math in college.
00:12:38:18 - 00:13:01:08
Connor Swalm
Nobody wanted to listen to me explain about all of the cool math stuff that I was really excited about personally. And I see the exact same thing and I've seen it time and time again. I've seen the exact same thing happen in security awareness. Training is employees. At the end of the day, they want to show up to their job, do great work, and be safe while they do it.
00:13:02:03 - 00:13:33:10
Connor Swalm
Anything above that point, anything were beating them over the head with in terms of training and complicated analogies or complicated subject matter, they they just don't interface with it because they don't want to. So there's a lot more to unpack around awareness training and human vulnerability management. So next time on Gone phishing, we're going to dove into why security awareness really matters and why you should care about.
00:13:34:19 - 00:13:56:10
Connor Swalm
Thanks so much for tuning in to on phishing. If you want to find out more about high quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits. Then check us out. Phin security at phinsec dot io. It's in sector that io or click all of the wonderful links in our show notes.
00:13:56:20 - 00:14:01:01
Connor Swalm
Thanks for visiting with me today and we'll see you next time.
