Beyond Compliance: Security Awareness Training that Protects Every Organization

By Mark Sangster / Adlumin, Inc.
June 16, 2022

Even the most sophisticated cyberattacks begin with rudimentary tools and tactics including phishing emails designed to gather intelligence about the target organizations or hijack credentials used later in the attack.

People are overworked, distracted, and emotional. They are often easier to manipulate or trick into completing objectives set by cybercriminals. To counter this threat, companies employ some form of phishing testing and security awareness training (SAT) as a mainstay of their security framework.

Yet all too often, the inertia is provided by compliance drivers designed to check boxes rather than reduce risk. Companies and organizations in highly regulated industries (e.g., healthcare and finance) or those that have many professionals licensed by a governing body (doctors, accountants, lawyers, and engineers) are more likely to have a formal training program as part of their continuing education requirements.

Their experience with dry presentations and attestations leaves employees viewing annual training as a necessary evil. They focus on completing the course with as little effort as possible, rather than learning and applying their knowledge. Test scores and attendee lists don’t stop cyberattacks. But informed and empowered employees do.

And that’s the difference. Security training and testing are about behavioral change that leads to desirable organizational outcomes. Compliance and security are related but not synonymous. And not all security training and testing programs are created equal. Building and deploying effective programs is more involved than simply putting together a presentation, taking attendance, and deploying a phishing testing tool.

Perhaps the biggest reason programs fail to deliver the desired results is an underlying assumption that users are irresponsible or inept. This fundamentally flawed premise shapes ‘training’ that is little more than Wikipedia-style definitions, memes and jokes, and generic examples that are easy to spot. All that such training achieves is reiterating the stereotype that victims are at fault. There’s an acronym for this: “PEBCAK: Problem Exists Between the Chair and the Keyboard”.

When we scapegoat the employee, we lose the opportunity to empower them as an early line of defense. Your employees are not inept; they are your greatest asset once armed with the skills to recognize cyber tactics, techniques, and procedures, and the ability to report suspicious activity.

Criminals craft convincing, tailored phishing lures that combine public information with data previously stolen and traded on the Dark Web. It’s critical that your program leverages realistic threat scenarios that foster context-relevant security awareness (e.g., tailored to your industry and risks), rather than using commoditized and easy-to-spot templates that are increasingly relics of the past.

The Adlumin Proactive Defense Program leverages KnowBe4 testing and training technology to deliver:

  • User-specific training to drive security awareness and behavioral change, deconstructing/dissecting what cyber threat actors do—with relevant examples
  • Scenario testing that measures user resiliency and their ability to identify and avoid the latest phishing tactics and campaigns
  • Streamlined mechanism to report suspicious activity and work with security teams to communicate the threat across the organization
  • Mechanisms to measure improvement, including identifying high-risk users and groups, and reducing the risk associated with their privileges and access
  • Reduced resource constraints by alleviating the burden on cybersecurity teams to deliver training and manage security operations
  • Real-time regulatory compliance, helping you and your employees comply with state, industry, and professional regulations and obligations

Like most aspects of cybersecurity, security awareness training and testing are more complicated than they look. It’s not about checking boxes; it’s about mitigating risk. You don’t have to go it alone: Adlumin’s Proactive Defense Program provides context-rich testing and training while streamlining security operations costs and complexity.