When a user’s personal data leaks, it is also a threat to corporate security. It is important for IT admins to keep up to date and adopt new technology to protect users. Meanwhile, it is also crucial for users to learn how to better protect themselves in order to reduce overall security risk further.
Similar to other user training methodologies, there is a framework for user security training.
As illustrated on the left, Analyze user’s needs => Design => Develop => Deliver => Evaluate, are the ideal steps and sequence to effectively train your users.
How to transform the framework into a real world practice ? How to deliver the training might vary by companies, the essence of the training would remain the same, which includes
- Run Simulated phishing experiment to test and understand user’s security needs
- Conduct training to address the methods to identify phishing websites and spoofed email senders and present with detailed action plans
- Ensure all users to conduct Myaccount.google.com checkup
It is important to understand user’s security needs before designing security training content. We also strongly recommend to run a simulated phishing experiment. These are the questions we must force ourselves to ask: How do users behave when they receive a phishing email in which they are asked to click a link or read an “IMPORTANT” attachment. What percentage of those users get suspicious and report their concern to the IT administrator, if at all? What percentage of users go ahead and gleefully click the link or download the attachment. Often the results are shocking, but this is a necessary first step in developing a comprehensive program.
Cyber-security training content is created based on this simulated test result. After analyzing user behavior, it is also important to identify methods for users to identify phishing websites and spoofed email senders, and to give a concrete and detailed action plan for each situation.
To give an example, when a user receives an email with the sender’s profile displayed as illustrated question mark “?”, will a user proceed as usual, or will the user contact IT Admin for further actions? What to do? Is there any reporting or escalation mechanism in place, from both an organizational and technical aspect? HINT: If a question mark appears in the profile information of a mail sender (on web or Android), this means you are receiving a message that can’t be authenticated with either Sender Policy Framework (SPF) or DKIM, you’ll see a question mark in place of the sender’s profile photo, corporate logo, or avatar. Please see here for more. This is a good hint for Google Apps users to look out for!
The users don’t have to understand all the technical details, but they need to understand what action to take when they encounter specific situations and who to ask for help.
Moreover, to what degree users can protect their data is also an important aspect to consider for training. For example, IT admins should consider: (1) Do users reuse the same passwords that they use for Facebook,Twitter and other Google account or any other accounts? (2) Do the users apply 2-Step authentication to their own account such as facebook or Linkedin to prevent their data from being stolen? (3) Do users view company emails via their personal mobile without installing any mobile policy? Indeed, best practices apply to corporate security policies!
As technology evolves, hacking technology evolves with it. After designing, developing and delivering user training, you might want to evaluate and review on regular bases (eg. half year review) and update the training contents regularly with adoption of Google’s latest technology.
Finally, users are always easier to target for a security breach. Suppose there is a suspicious log-in to a certain user account, the earlier we can detect the suspicion, the smaller the cost to a corporation. User’s detection of suspicious activities are always sufficient. Google recommends that users checkup myaccount.google.com as illustrated below to detect and report any suspicious activities.
To summarize, in order to build and deliver an efficient security user training program, we recommend IT Admins start with a simulated phishing experiment to understand user needs and behavior. Next, it’s always important to train the users how to identify phishing and spoofed email senders. And finally, concrete actions that a user needs to take, after identifying suspicious phishing attempts, is a critical last step to the equation. And this is how we beat the bad guys! Also, to detect suspicous behavior earlier, we recommend our IT admins to encourage their users to check myaccount.google.com on a regular basis.
I hope you find this blogpost helpful. Please feel free to leave your comments or questions below!