MapleSEC: Three Self Help Books That Can Help Awareness Trainers

Cybersecurity awareness instructors can learn a lot from general self-help books, IT World Canada's MapleSEC Online Summit was told this week.

Erin Hutchison, product marketing manager for cybersecurity services at the Canadian Internet Registry Authority (CIRA), which oversees the .ca domain, said it doesn't matter that the books aren't directly about cybersecurity.

What matters, Hutchison argued, is that some of their lessons can help with awareness training.

Awareness training is still important. According to a recently released CIRA survey, a majority of respondents (93 per cent) said their firm conducts cybersecurity awareness training, and 43 per cent said it is mandatory for all employees. However, only 46 per cent said awareness training is done quarterly; 41 per cent said it is done only once a year.

Meanwhile, Hutchison noted, another survey found that 56 per cent of IT leaders believe employees have misbehaved since they started working from home because of COVID-19.

So how is self-help material useful? Hutchison cited these three books:

The classic How to Win Friends and Influence People. Lesson: Employees can be motivated to complete training.

Talk in terms of other people's interests, Hutchison said. Trainers must put themselves in the users' place and understand their needs. That means tailoring lessons to the specific tasks employees actually perform.

Also, managers should not criticize, condemn or complain about users' mistakes. "Praise small improvements, and use encouragement," Hutchison said. If a user falls for a phishing simulation, give them the opportunity to learn from the review: let them see which red flags they missed. That turns a failure into a learning moment.

Hutchison said some employees are happy with the prospect of awareness training, and passed on these tips for starting a training program:

- Share employee progress: If this is a company-wide training program, report at the end of the week how departments are doing (HR has completed X per cent of courses, marketing Y per cent). Perhaps offer incentives such as a gift card to the department that completes the course first.

- Remind employees why the company mandates training: everyone plays a part in reducing risk. "It's absolutely important," Hutchison said.

- Make training fun. Firms can buy or create a gamification platform that offers rewards in the form of points. It can promote friendly competition between users or departments.

Hutchison added this caution: When running spear-phishing tests, avoid sensitive topics, such as sending test emails with attachments promising details of a corporate bonus. Employees who fall for it will see it as an unfair trick. While this type of phishing email is used by attackers, it is better to warn users to watch for such tactics than to have employers try it on them.

The Power of Habit. Lesson: Get in the habit of reporting incidents to IT.

The book says habits work in a three-step loop: a cue, which triggers a routine, which leads to a reward. So, for example, an attacker wants the victim to view an email (cue), respond to an urgent request (routine) and take an action, such as opening an attachment, in the hope of a reward. The goal of training is to break that habit by teaching the employee to notice a different cue (spelling mistakes, errors in the sender's address) and to form a new habit of reporting suspicious emails.

One way to reinforce this new habit is to persuade employees to pause before performing sensitive tasks such as reading email. If something seems strange, they should trust their instincts.

Hutchison also passed on these tips to help users report phishing attempts: If IT can, add a button to the corporate email client that forwards suspicious mail to the IT team, and make sure IT acknowledges the effort by replying. Likewise, make sure there are ways to report other security-related incidents.

The Life-Changing Magic of Tidying Up. Lesson: Clean up your home IT network and computers.

The book argues that tidying your home can lead to dramatic lifestyle changes. With more employees working from home, a clean computer will also improve cybersecurity.

So in addition to encouraging employees to stop sharing passwords with family members, they should also be encouraged to get rid of old and unsupported devices at home, make sure their Wi-Fi is password protected and, as at work, ensure sensitive corporate documents are not left on a desk.