Can Security Awareness Training Change Behavior and Reduce Risk?

CIOs and CISOs realize that human error is perhaps the biggest weakness in any information security program -- but proper training may condition employees not to click or open anything that looks remotely suspicious.

by / October/November 2016
Lea Deesing, chief innovation officer, Riverside, Calif. David Kidd

In 2014, a Durham, N.H., police officer opened what she thought was a digital fax attached to an email about an investigation she was working on. Earlier this year, an employee at the Lansing Board of Water and Light in Michigan opened what seemed to be a legitimate email attachment. In both cases, the government employees were victims of a type of phishing attack known as ransomware, which encrypted the victims’ computer files and sent them a digital ransom note, demanding money to decrypt them. Both agencies were able to resolve the issue without paying any ransom, but not before dealing with a costly cleanup.

State and local governments continue to be victims of data breaches and cyberattacks, with unauthorized access to files and data as the most persistent problem, according to IBM’s 2016 Cyber Security

Intelligence Index. And the attacks are becoming more frequent. In 2015, government joined the ranks of four other industries — health care, manufacturing, financial services and transportation — as the most frequently attacked sector in the world, according to the report. 

Despite investments in intrusion detection software, firewalls and a host of other cybersecurity tools, attacks, breaches and extortions continue to plague states and localities. A chief reason why security fails is the human factor, say experts. “Over 95 percent of all incidents investigated recognize ‘human error’ as a contributing factor,” according to a 2014 analysis of cyberattacks from IBM’s worldwide security services operations. “The most commonly recorded forms of human error include system misconfiguration, poor patch management, use of default user names and passwords or easy-to-guess passwords, lost laptops or mobile devices, and disclosure of regulated information via use of an incorrect email address.”

Thanks to personal information available on the Internet and via social media, hackers and data thieves have become extremely sophisticated at sending what look like emails from colleagues or businesses with the goal of gaining victims’ trust and having them open an attachment or click on a link that installs malicious software on a government agency’s server. The technique is called social engineering, and over the past three years, most major cyberattacks on U.S. corporations have included it, according to The Washington Post.

CIOs and CISOs in both the public and private sectors realize that human error is perhaps the biggest weakness in any information security program. Not surprisingly, a fast-growing business has sprung up to deal with changing human behavior. Called security awareness training, the aim is to condition employees not to click or open anything that looks remotely suspicious.

Michael Roling, CISO of Missouri, reported that every tax season, the state’s email system sees a spike in W-2 phishing campaigns. “They go through the roof,” he said. Data thieves, hoping to gain a crucial bit of personal information that can be used to file fraudulent tax returns, try to trick employees into sharing information. “Sometimes the only thing that is suspicious might be a misspelled name,” said Roling.

Michael Roling, chief information security officer, Missouri. Photo by David Kidd.

Since 2009, Missouri has used awareness programs to train employees what to look for in a suspicious email, how to work with two-factor authentication or how to create strong passwords. The initial programs weren’t that effective, according to Roling, but recently the state switched to its latest training program, an online service from Security Mentor. Roling described it as more educational than past efforts, as well as interactive and consumable.

Security Mentor is one of a burgeoning number of firms that specialize in awareness training. It’s a business worth $1 billion a year and growing 13 percent annually, according to Gartner, the technology research firm. Other firms in the market include the SANS Institute, MediaPro, Wombat Security, Digital Defense and BeOne Development, to name just a few.

Missouri’s program is delivered online monthly and is taken by 40,000 end users in 14 state agencies. Each lesson lasts 10 to 15 minutes and covers a specific security issue. In addition to explaining about phishing, authentication and passwords, the program also teaches employees about physical security, data loss prevention, what’s acceptable to send over the state network and even how to keep data secure while traveling. “The program also includes games and puzzles to keep it interactive,” Roling said.

The awareness program costs the state $4.68 per user, per year, but it’s well worth the investment, according to Roling. “The effectiveness of employee awareness training is so high that it would be one of the last things to go if we had to cut,” he said. “Not only does it raise awareness, it keeps the security culture alive that we struggled to get going five years ago. Even cabinet-level officers have to take the training.”

Unlike security training, which focuses on teaching employees and testing their knowledge on a set of rules, awareness training focuses on changing human behavior and making security part of the workplace culture. “It’s all about changing behavior as it is about actual security training,” said Lea Deesing, chief innovation officer of Riverside, Calif. “Awareness is key because it’s the users who can put the integrity of our network at risk.”

Riverside used to perform awareness training as a classroom exercise, but this year the city began using an online program from the SANS Institute called Securing the Human. The training is now mandatory; if employees don’t take and complete the one- to two-hour course within the designated time frame, they are locked out of the city’s network. The training is modular and can be tailored to the type of data the employee works with, such as legal documents or Health Insurance Portability and Accountability Act forms, for example. Deesing described the training as interactive, and should an employee fail the short test at the end of the course, he or she must take it over again.

Exposed: The Stupid Things Workers Do

13%
let their colleagues use a device that can access their employer’s network; 9 percent allow their partners to access such a device.

20%
of employees share their work email password; 12 percent share passwords to other work applications. Nearly half of all employees are unaware of any company policy around password sharing.

One in five
employees do not have any security software on their mobile work devices, beyond what ships with the operating system.

Source: InformationWeek; research conducted by Arlington Research in 2016 on behalf of OneLogin

Another program is Managed Online Awareness Training from Awareity, which is used by Loudoun County, Va. Wendy Wickens, the county’s IT director, said all employees must take the training once a year; the session lasts 30 to 90 minutes and is also interactive, with videos, test questions and a review of the county’s security policies. The program costs $39,000.

Along with awareness training, the county has ratcheted up security by turning off employee access to personal email on the county’s network. “That has drastically reduced the instances of ransomware, which has become rampant,” said Wickens. However, the county offers public Wi-Fi (separate from the county network) to employees who have a personal device and want to access personal email when they’re not working. “Since we instituted that policy, we haven’t seen any instance of ransomware [on the county network], which is significant,” she said.

Not all state or local governments are investing in cloud-based awareness training programs from third parties. In Prince George’s County, Md., the 6,500 government employees receive their awareness education through a custom learning management solution that has been crafted by the county, according to CIO Vennard Wright. The training takes place annually and is both online and offline for certain workers who don’t have access to a computer.

Wright also has seen a big drop in employee-triggered malware attacks since the county made the awareness training mandatory, and bars employees from the county network who haven’t taken the training or failed to pass the course. “The first year we made it mandatory, there was a lot of pushback, but now the training is accepted,” he said.

Vennard+Wright%2C+CIO%2C+prince+George%E2%80%99s+County%2C+Md.+
Vennard Wright, CIO, prince George’s County, Md. Photo by David Kidd.

Not all security awareness programs are foolproof when it comes to changing behavior in the workplace. The programs can fail to perform as expected for a variety of reasons. Ira Winkler, president and co-founder of Secure Mentem, a consulting firm that focuses on security awareness, said problems can start with the basic objective. “There’s a difference between awareness and training, and most people are providing training, not awareness,” he said. “Training is putting a fixed body of knowledge on employees and testing them. Awareness is about changing behavior. But most people don’t know that. Showing employees a video is not going to work as far as changing behavior.”

Online awareness programs need to be part of a broader, more holistic approach toward security, according to Winkler. Making awareness ubiquitous requires a broad array of tactics, including pervasive messaging to workers through posters, newsletters, message boards, events and contests. “It’s up to CISOs to create a security culture, an environment where people do the right thing,” he said.

Awareness experts criticize the approach where security awareness training takes place once a year, with a short quiz at the end. “That’s compliance and checking a box, not true awareness,” said Winkler.

In Missouri, making security awareness part of the employee culture includes the use of gamification techniques to maintain interest. Roling said his department will also periodically test employees by sending out fake phishing attacks, usually tied to a theme around a current event. Employees who fail to identify the fake phishing email and click on the link will find themselves at a website that explains what has happened and what they should have been looking for.

Roling keeps track of which agency makes the lowest number of mistakes and which makes the highest. The rankings are posted, and agencies that struggle are encouraged to improve and increase their awareness ranking. It’s part of a broader set of metrics Roling keeps on how employees fare with awareness training, and it’s considered an effective way to measure what’s working and what isn’t.

By mixing gamification, a little competition and metrics with the overall awareness program, Roling said that state employees see the monthly exercises as less of a burden and understand that it is a regular component of work. “Awareness training is one of the most important components of our security posture,” he said. “All the security tools out there will never be as sharp as the human mind.”

It’s a point that more government CISOs agree with and has made them realize just how critical security awareness has become. In Riverside, security awareness has broadened into a larger education program for city workers, according to Deesing. “We are educating our people about how to handle different types of data and whether or not they should even be storing different types of data. We are also scanning our data to ensure there aren’t any human errors that could put the city at risk.”

Tod Newcombe Senior Editor

With more than 20 years of experience covering state and local government, Tod previously was the editor of Public CIO, e.Republic’s award-winning publication for information technology executives in the public sector. He is now a senior editor for Government Technology and a columnist at Governing magazine.