Ntiva Live: Cybersecurity for the Rest of Us

Security Awareness, Training, and Education

Episode Overview: Security Awareness

Join Dr. Jerry Craig for an in-depth look at cybersecurity awareness, including details on how to train and educate your staff.


The Role of Security Awareness, Training, and Education:
Episode Transcript

All right. Good morning and welcome to this week's webinar on the role of security awareness, training and education. Get to the full screen mode here. Just a quick piece of administrative business here. I am going to be out of office on the day that you're actually seeing this, so I've pre-recorded this portion of the webinar. I will have a colleague online in the room with you guys, the virtual room. So, as you're going through here, if you hear something that you have a question on, you'd like more information on, please feel free to put it in the chat module, he'll be watching that chat module. Then as soon as this video concludes, he'll go ahead and take Q&A.

So, again, quick introduction on me, in case this is the first time you've attended one of my sessions. My background is as an active duty US Marine and then over a decade as a DoD contractor, additional six years with CMS. So, the sectors I've heavily supported are defense and healthcare and then held roles anywhere from project manager, to engineer, to everything in the chain for the security side. So, today's agenda. So, we're going to talk about security awareness versus best practices, security awareness training, specifically, role-based security training and then, some industry specific versus threat specific type training and then, formal education, which really is more certification-based or degree-based.

Excuse me. So, security awareness versus best practice. So, I put a couple definitions up here, these are just standard internet definitions. And if you notice that the security awareness piece focuses on the knowledge and the attitude the members of the organization possess. And this can be from covering everything from physical security, personnel security, data security. It doesn't really matter what we're talking about from security aspect, it's the knowledge that's tied to it. Whereas, best practices are really methods and techniques that have been accepted by the community or the industry and that should be applied. And a lot of times people know the difference that, hey, security awareness does not mean the same thing as best practice, from an English language perspective. But a lot of times people will confuse the two and, kind of, overlap the two. And in this session, we want to actually separate these.

We won't cover best practices. Although, things that you may learn through security awareness are best practices that should be implemented but the key distinguishing point here is that, you can implement a best practice. You can have, for example, a log-on page before you get onto a corporate or a government workstation, that advises you of the rules and your responsibilities that you have to click okay before you log-on. That can be an industry best practice, everybody should have something like that but that's typically not considered security awareness. Now, we could argue semantics that, anyone who reads it is aware of security, it is adding an additional layer of awareness but the reality is, it's doing nothing for improving your security posture and the knowledge that your personnel have, from an awareness perspective. So, like I said, as you think about different things that you're doing, different things that you see, what are those things that are really considered security awareness and what are those things that are best practices? And we'll get into more detail, again, on everything other than the best practice.

So, security awareness training is a pretty standard and typical thing in organizations these days, I call it SAT training, which is just the acronym for security awareness training. It's typically conducted when a user onboards an organization and then, every year after that. So, someone onboards in August, they're going to take the training and then the organization may say, hey, everybody has to re-certify in January, they take it again and they're good for that next year. A lot of organizations will typically wait until the end of the year to do it because as people come and go, there's a possibility some folks won't have to take the training, i.e., if someone quits in August and your training is not until November, then that's one less employee that you have to worry about, did they complete the training? Was it satisfactory? Et cetera.

One of the challenges with that, obviously, is if you wait until the end of the year, you have holidays and paid time off and things like that, that come up in, kind of, corralling and wrangling all these folks in getting it done on time, can be a challenge. And depending on who you work for, what contract you might support, what government agency, et cetera, they may have rules that are specific to say, it must be done every 365 days. In which case, you can't arbitrarily pick November, unless it's the year that's... it's their second or their third year and they've gotten it done every year, because they could onboard in August and then they don't do it again until the following November and they would've exceeded that 365 day rule. So, just depending on where you are, pay attention to if you have any contractual obligations or framework certification type obligations that require you to show evidence that, if your dates aren't aligned, you could be out of compliance.

Beyond that, though, it really can be free or paid. In most cases, there's not a mandated, here's the one you must go take. However, the two I've included here are widely accepted across the federal government. A lot of organizations use it because it's very good training and if the federal government and the DoD uses it, why not for your own organization? I put the links here, obviously, as a webinar, you can't click on it but you can screen capture this and go take a look at the training. I do want put a note there that, DISA does change things on a, somewhat, frequent basis. So, if this doesn't work, just go ahead and Google the name of this training or DISA cyber awareness, for example, and you'll find the link that works. It's up there every year, they don't take it down but, again, they move it from a folder structure perspective.

And then, most importantly about security awareness training, this is the general knowledge that's applicable to everyone in the organization. So, regardless of your role, title or who you are, if you're c-suite or you're help desk or you're a salesperson, whatever, everybody should know this information and everyone should be required to take this training every year. It's broad and general enough that it's going to cover a lot of topics, it could be phishing and ransomware, social engineering, et cetera. Many of these topics folks are going to know already and they may feel like this is redundant and why do I have to take it? But then, there's almost always going to be a little bit in there that they haven't seen before or is applicable because times change, threats change. Especially with these two training links that are provided here, they do a very good job of updating them and making them really fully immersive to the person that's attending the training.

There's more than just watching videos, there's clicking on things, taking quizzes. So, it really makes you think and it really helps introduce you to topics that maybe you've never experienced or you haven't experienced in a long time and you want to see what's changed in the industry.

Role-based security training is a little bit different. This is typically listed as optional, at most organizations. And the optional piece has a few reasons behind it. One, it takes more time, right? If you're going to implement eight hours of role-based training, you have to afford the employee an opportunity to go take that training. You might need an LMS system, you may have to purchase some form of training. So, it can be more difficult to come by, it does add an additional cost, potentially, but it's still something that organizations should consider and maybe roll out as optional to begin with and then, as your security program matures, you consider making it mandatory.

Now, there are exceptions to this, there are federal contracted language requirements that say, if you're going to work on this federal program, you must do this. In which case, you just simply don't have a choice, it's not optional, because one of the things that you're going to have to do each year is provide an attestation and evidence that you've completed the training, usually in the form of certificates and a ledger. So, if you don't have the certificates, how will you provide that to your COR and stay in compliance with your contract? This training, because it's role-based, is specific to the individual's role. So, a systems administrator and a network administrator should be taking two different sets of training, to classify and be compliant under role-based security training. If an individual's responsibilities in the organization change, then, like their permissions, so should the training.

I put the permissions thing in there as, kind of, a wink, because there's a couple steps that take place. Let's say I'm a project administrator, project manager, and I'm in that job family of a project manager and then, I move over to a job family, like a systems admin. Well, my roles are completely different, so the first thing that should happen is, whatever permissions that I had that I no longer need, should be removed, I'm granted the new roles. But even consider ahead of time, again, if you have a role-based training program that, before you allow that move, the individual should take the role-based training for their next position. It's good security practice just like the SAT training, that they go ahead and take training prior to you granting them privileges to the systems, especially if you're moving into a role where elevated or administrative privileges are typically found.

So, as part of your organizational policy, one of the things that you can do and is often mandated by the federal government when we're working on their contract is that, within X number of days, let's say, 30 days or 60 days, an employee must take that training and then, re-certify annually. Sometimes there's flexibility into, can the person move into that role and then take the training? Other times it's a pretty hard fast security compliance control that says, it must be done before you do it. Very similar to SAT training in a lot of organizations, before your account is enabled, before you can access email or access a system, you must take the training. And, again, sometimes this presents challenges because the person may not even technically be an employee or may not have a workstation. Pre-COVID, maybe that was easier, they could come into an office, sit down at the kiosk, take the training and when they were done, they were granted access.

With a lot of folks being remote, you may run into a situation where you have to give them their corporate equipment first, just so they can simply have something to log-in to or you may have to work out with the employee, here's some web-based training, you can take this from any PC, so go home and use your home PC. Again, that's why the links from the DISA sites can be valuable to you because you don't need a corporate asset to complete the training. And then, this should be looked at as, in addition to, and not in lieu of, annual SAT requirements or training. SAT is, kind of, your base, that must be there and RBST is the next layer up. And, again, as I mentioned earlier, it's typically conducted via a learning management system or LMS. The LMS offers you a large variety of training courses, it typically has ways that you can track progress, you can see the time spent in training, you can see the certifications.

It serves as a repository, so when an auditor comes in or your COR for your program comes in and says, show me evidence. Instead of having to scramble and ask people for certificates, you can export a record from the LMS and it will show all of their completions. One of the other nice things that it does is, it allows you to see how much your organization and your personnel are focusing on security versus other courses or content. You can track a user's actual usage across the entire year. How often did this person sign in? How often did this team? Do we have problems when we look at our phishing program and we see that a particular department, for example, has a higher rate of clickers than another department? And then, you go look and see that, well, they don't spend much time doing training. Maybe that's a good place to start implementing mandated role-based training, for those that are typically found to be the highest rate of clickers or the department, et cetera.

So, there's a lot of ways you can roll this out. One of the other things that LMS does for you is, let's say a person goes in there and some of the trainings have the ability to where you can just fast forward or skip the videos, take the quiz. And they give you an unlimited opportunity to take the quiz. And sometimes the test bank of questions is the same each time, sometimes it's slightly different. If you see that a person spent six minutes in a one hour course and they took the test five times and they got a passing score on their fifth attempt. Did they meet the requirements? Technically, yes. However, they skipped all of the learning aspect of it, which was the videos, the reading materials, et cetera. This is a great way for you to be able to go back and track and say, it's nice that you passed your certificate but you need to go back and watch the video. Or by the way, because you did that, I'm going to go assign you a course where you can't fast forward or skip through things.

Versus, if you just went online to the internet and you found a free course and they had a certificate and the person gives you their certificate, you really have no idea if they actually took the training and learned anything. Some individuals and especially if you're on the security side of the house, this should come as second nature to you. So, it can be an annoyance to security personnel, why do I have to watch a video? I live and breathe this every day, I could pass the test on my first try. But for the majority of the organization, that's not the case.

Industry-specific training. So, obviously, everybody knows there's a lot of different industries, I try to throw a few of them up here just to give you an idea and, kind of, get your brains thinking about how, if what I'm saying doesn't really apply to you on, on one slide, maybe the next one does. So, this is another one of those where, if you don't see something on this slide that really applies to you, just alter it mentally for what is applicable for your industry.

So, finance and banking, they deal a lot with PII and they might be targeting banking transaction processing, retirement plans and wire fraud. So, the first thing that you're doing is, you're looking at, what's the type of data that folks in my industry are responsible for? What types of processes and systems do we use? And then, you're going to go out and look for that training that is specific to your industry and your roles and your responsibilities. You can do this at the role-based security training level as well, where not only are you looking at the person's individual role within the organization but what are the types of data and processes that they're tied to? If they're heavy in one of these industries and they're dealing with wire fraud all day long, for example, or the potential for wire fraud or the potential for having to secure a customer record, then you may want to target training that's specific to them, that helps them.

It will be more beneficial to that user than just a broad piece of security training that says, here's best practices, here's what good hygiene equates to. And for the slide, anywhere where you see PII and PHI, PII, I'm talking about personally identifiable information and PHI, the protected health information. So, anytime we're talking about user information, in general, names, addresses, credit cards, et cetera, we're typically referring to PII. And when we start talking about health care and medical records, stuff like that, we're talking about PHI. So, finance, credit card payment processing, here's another industry, if you will, under the finance vertical, I wanted to put two out there under a particular vertical, because what a credit card payment processing type role does is different than the banking role. They're both finance but you can clearly see, based on how you target training, that the training may not be the same.

You might get lucky and find some training that is adequate for both and if you do, fantastic, but if you're really taking a look at the industry-specific training, you're going to want to target what your employees use and need on a regular basis. You get to defense and you may have anything from personnel records, to medical records, to logistics, supply chain, et cetera, a very wide gamut of topics. So, once again, it could be difficult to find training that covers all of it but it could also be very easy to find training because you have so many different topics to pick from, you may target supply chain this year, medical records next year, et cetera. So, it could be a double-edged sword there. Healthcare, same thing, you're talking about patient records, prescription information, potentially, mental health information. So, there's a lot of training out there on how to protect those kinds of records.

And it even goes a step further, just because of my background in healthcare knowing, there's things that are not only targeted at how do you protect patient data but how about when you're talking to folks on the phone? How about if someone's leaving a voicemail? How about if there's a written document, like a medical record, in a hospital, that's lying around? And what if you're faxing something? There's all these different aspects that you can think about and incorporate into your industry-specific training. And then, energy I threw in there because I think that one's often left out but you have a lot of customer records, payment information, intellectual property. And, specifically, I wanted to put energy on here for intellectual property, that could obviously fall into any other category but that's one of those places where, hey, as an organization, am I thinking about how to protect intellectual property from a training perspective?

You've probably put some form of control in place or multiple controls in place to try to actually protect that information but how have I trained my personnel on their responsibilities as well as the organization's? Now, you often hear, in many organizations, that security is everyone's responsibility but one of the questions I think most employees would say to themselves is, well, what's my specific role? How can I actually help? I can practice good hygiene and good behaviors but where can I actually help the organization? And these types of industry-specific training are a way to leverage and answer that question for them.

Threat-specific training. If you don't want to go the role or industry type training, maybe take a look at threat-specific. So, you could be looking at things that you see out there on the internet, things that you're hearing about in the news, things that apply to your organization specifically. So, right now, I put ransomware and phishing. Phishing is probably the largest threat that you have right now, ransomware is, oftentimes, kind of, a result of a phishing attack. But since phishing is so prolific in all organizations, maybe you want to focus on that. Maybe you don't care what the role of the individual is, you say, our largest risk is really phishing, let's get some phishing training. Not only can you do some phishing campaigns but you can tie training for anyone who clicks on those campaigns.

You may want to look at social engineering, how are people using social engineering to get into your organization? Are they pretending to be you? Are they pretending to be an IT department or a help desk and get into your organization? Again, it just may depend on the industry you're in, maybe social engineering is not as big a threat to you and maybe insider threats is. So, as you go through the list, you can just, kind of, look at these, there's obviously many more that you could choose from. But this gives you some places to start to say, where should I focus? If you're an application development organization, then intellectual property, your code, how you develop integrating security into development pipeline, all of those things become important, why not focus on some of that training? A lot of folks have physical security that they have to deal with and a lot of folks overlook the physical security aspect.

They say, hey, I'm in a building, it's got a card swipe at the front door, it's managed by somebody else and they don't really think beyond that. Well, I'm in a locked building but what happens once they're in your site? I mean, if they can get into your office, for example, for whatever reason or method they use, can they walk in and just grab laptops off of your desk? Can they look at documentation? If you have third-party contractors in there, maybe HVAC people who are working on the heating and cooling systems, can they see information that's on computer screens, that's not protected, that are left unlocked when users walk away? Are users walking away and leaving their ID or their CAC card at their desk? Are they leaving customer records or patient records sitting on their desk, when they should have been locked in cabinets? These are all types of training that are specific to your organization, as well as the threats that are pertinent to your organization, that you could focus on.

And one type, while I'm here, next to internet of things, that zero is supposed to be the closed parentheses, so I apologize for missing that but it's not a misspell in there, that's the acronym for internet of things. And internet of things and bring your own device are becoming two of the, kind of, more popular things that we're seeing in organizations, especially as people work from home. Being able to use a tablet or a personal laptop or whatever, to do work, those are now becoming attack vectors and they're things that you need to focus on. Maybe getting some threat-specific training for that would help your organization.

And formal education. So, the last slide here, certifications-based and degree-based. That's typically the focus but I want to throw a few other little options in there for you, in case you have not looked into these things yet. The first one is seminars and webinars. Obviously, you can take online webinars, from a training perspective, you can pay for these types of things. You can also just watch one like you are right now. Some of the more formal ones have a certificate of completion that you get so that you can show. If you have a role-based program in place and you have to do eight hours, you can show a certificate that says, this person spent one hour on this date and that will help satisfy it. You can go to seminars and conferences. A lot of the big conferences, especially the ones that you have to pay for, when you go in as a registered attendee, you will swipe a badge or they'll scan a badge or a QR code or something and that will show what you have access to.

And then, upon completion of that seminar or that conference, you will normally be emailed or have access to a site where it says, so and so completed 20 hours of whatever training, and that can be applied to your certifications, to your role-based security training, et cetera. You can always go to a college or university for training, typically, there'll be two main tracks that are offered, either a full-fledged degree program like, I want to get a bachelor of science in computer studies or you can have a program certificate. So, within that university and that college, they'll have a certificate, maybe, as a year based or six months based, whatever the case may be. You'll take some targeted training and some targeted classes, you'll receive a certificate. The credits may apply towards the degree program but you're not going to walk out with a degree.

Really, this is more about what fits your needs the best, especially if you, maybe, are transitioning roles and, let's say, that you came from a finance or a legal background and now security and privacy is a hat that you're wearing, maybe going and taking a certificate program is better for you because it, kind of, fills the gaps and gets you up to speed more quickly. And then, online vendor training, a lot of self-study libraries, a lot of pay for a particular course, watch it whenever you want. Some of them you get a whole library, you pay one fee and there could be dozens or hundreds of programs in there. Those are great because your employees, obviously, can study at their own pace. And then, vendor certifications, these, kind of, fall into two areas as well, the certificate of completion, as well as a paid renewable cert. So, the completion one is simply like I said, hey, I went to their website, they were offering a webinar, I get a certificate of completion.

The other one is, I have to actually go pay to take a certification exam and then it's certified and I have the badges and things that I can display in my email signature or on a business card. But I typically have to pay for the test, pay to be certified with them, there's usually an annual fee. And then, there are continuing education credits, in most cases, that are needed to maintain that certification. So, that RBST program will actually help any individual that has the paid renewable certification because they can use those hours spent in the RBST as evidence they're doing continuing education. So, a lot of different options here, I just wanted to throw them out there, to give you something to think about. Obviously, they all come with different costs and levels of effort to implement but I wanted you to know, there's more than just one or two things that you can select from to help build awareness, training and education.

About the Ntiva Cybersecurity for the Rest of Us Livestream

Ntiva’s Dr. Jerry Craig hosts the Cybersecurity for the Rest of Us livestream every other Thursday from 12:00 to 12:30pm ET. These live events, presented by the Ntiva team of cybersecurity experts, are sharply focused, easily digestible, and cover topics surrounding cyber security in today's modern workplace. We take questions from the audience and share what's working for us and others in the industry.