
Inside look: PDQ's in-house security awareness training

Meredith Kreisa|October 10, 2023

Every organization needs security awareness training (SAT). And we mean every. PDQ employs a ridiculous number of sysadmins, so our team has a higher level of cybersecurity knowledge than most. But at the same time, even expert users need a regular refresher to keep cybersecurity concerns at the top of their minds. That’s why PDQ’s senior SOC analyst, Rachel Coleman, carefully overhauled our training program, dropping the risk score by 4.5 points. We’ll break down how she achieved this incredible feat. 

Becoming difficult to ignore

When Rachel started at PDQ, the existing security awareness training solution sent out training every two weeks. It only showed training completion without providing insight into users’ actual security awareness. And as anyone who has taken a pass/fail class will tell you, it’s all too easy to cut corners when you know you won’t be scored. 

“People probably just put it [the security training] in another tab, muted it, let it play, and then closed it when it was done,” Rachel said. 

Security awareness training only works if users pay attention, so Rachel knew she needed to find something that would hold people’s interest, or at least something they wouldn’t actively avoid. 

To that end, Rachel set her sights on KnowBe4. The platform already had a strong reputation, largely thanks to the late, great Kevin Mitnick. Its high-quality content, coupled with the convenient email phishing alert button, made it an obvious choice for Rachel. 

Leveraging numbers to make a change 

To make the case to management, Rachel and Josh Mackelprang, Director of Service Operations, broke down the numbers. They compared the cost of the existing solution to the cost of KnowBe4 and contrasted the potential benefits of each. From a business perspective, the switch just made sense. 

And with an upgraded security awareness training solution that provides more data, the team now shows its success using a wider array of metrics, including numbers of incidents, false positives, internal investigations, and proneness to phishing.

A high-quality security awareness training solution provides rich data you can use to verify its effectiveness and assess your users’ skills. Beyond merely confirming user participation, you can often see their phishing-proneness, quiz scores, and skill improvement. Plus, all these reports help you show regulatory compliance. Not to mention the fact that a good report is the quickest route to the heart of even the most cantankerous boss. 

Welcoming input 

When something affects the whole company, you can expect everyone to have opinions — especially when you require a bunch of sysadmins to complete regular security awareness training. To make our SAT program as effective as possible, Rachel and Josh actively solicited feedback throughout the process. 

Josh polled managers to determine their frequency preferences, and Rachel figured out how those preferences aligned with her workflow. They ultimately settled on shorter monthly assignments. This schedule also gives Rachel the time she needs to review the options and select training that educates while still being enjoyable. 

Rather than assigning topics that aren’t relevant to our users, like HIPAA, Rachel focuses on issues we can all relate to, like working from home, password hygiene, cloud safety, and data protection. She also tries to assign interactive content to make it more memorable. 

Unfortunately, no training will entertain everyone, especially since most options cover the same few topics. But even negative feedback jumpstarts the security conversation. 

“I love it when people come up and complain to me about it,” Rachel said. “At least they’re talking about it with me!” 

Since Rachel implemented these changes, she also doesn’t have to reach out as often to get people to complete their training. She attributes much of this success to giving people more of a say in the training process. 

Tracking signs of improvement 

Beyond the obvious indications that the revamped security awareness training program is working (increased compliance, more open conversations about security, and the lack of pitchfork-wielding users at her office door), Rachel has collected troves of data to show the effects of the new program. 

As noted earlier, PDQ’s risk score dropped 4.5 points since making the switch. In addition, our phish-prone percentage is down to 12% compared to the industry average of 25%. And with each campaign, we’re trending downward for phishing email clicks and upward for phishing reporting. 

“If we're doing training that is harder to detect than an actual phishing email, then I think we're winning,” Rachel said. 

Rachel is happy when people report suspicious emails, even if they aren’t phishing, because it shows they’re paying attention. Nowadays, some of the most phish-prone people at PDQ (users who’ve historically fallen for more phishing attacks) also catch and report the most potential phishing emails. And perhaps best of all, many users catch and report real phishing emails for Rachel to investigate and refer to Microsoft. 
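The metrics this section cites (per-campaign click rate, reporting rate, a phish-prone percentage compared against the industry average, and users who used to click but now report) are easy to derive from simulated-phishing results. The following is an added example, not PDQ's or KnowBe4's code; the campaign data is constructed, and using the latest campaign's click rate as the phish-prone percentage is an assumption, since vendor definitions vary.

```python
from collections import defaultdict

INDUSTRY_PHISH_PRONE = 25.0  # industry average quoted in the article, in percent

# Constructed sample data (not PDQ's real results): one row per user per simulated
# phishing campaign, recording whether they clicked the lure and whether they reported it.
RESULTS = [
    ("2023-06", "alice", True, False),
    ("2023-06", "bob", False, True),
    ("2023-06", "carol", True, False),
    ("2023-06", "dave", False, False),
    ("2023-07", "alice", False, True),
    ("2023-07", "bob", False, True),
    ("2023-07", "carol", True, False),
    ("2023-07", "dave", False, False),
    ("2023-08", "alice", False, True),
    ("2023-08", "bob", False, True),
    ("2023-08", "carol", False, True),
    ("2023-08", "dave", False, False),
]

def campaign_rates(results):
    """Per-campaign (click rate, report rate) in percent, ordered by campaign."""
    counts = defaultdict(lambda: [0, 0, 0])  # sent, clicked, reported
    for campaign, _user, clicked, reported in results:
        c = counts[campaign]
        c[0] += 1
        c[1] += int(clicked)
        c[2] += int(reported)
    return {name: (100.0 * c[1] / c[0], 100.0 * c[2] / c[0])
            for name, c in sorted(counts.items())}

def trending_the_right_way(rates):
    """True when clicks fall and reports rise across every consecutive pair of campaigns."""
    clicks = [r[0] for r in rates.values()]
    reports = [r[1] for r in rates.values()]
    return (all(a > b for a, b in zip(clicks, clicks[1:]))
            and all(a < b for a, b in zip(reports, reports[1:])))

def converted_reporters(results):
    """Users who clicked in an earlier campaign but reported the lure in the latest one."""
    latest = max(c for c, *_ in results)
    clicked_before = {u for c, u, clicked, _ in results if clicked and c < latest}
    reported_latest = {u for c, u, _, reported in results if reported and c == latest}
    return clicked_before & reported_latest

def beats_industry(rates):
    """Assumption: the latest campaign's click rate stands in for the phish-prone percentage."""
    latest_click = list(rates.values())[-1][0]
    return latest_click < INDUSTRY_PHISH_PRONE
```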

“It’s created this culture where people are afraid of their email, and rightfully so,” Rachel said. “It’s a pit of doom, and it’s always been so. It’s so easy to spoof email addresses and trick people.” 

Refining the approach 

While the existing approach to training is going swimmingly, Rachel plans to continue to refine it. She conducted a security culture survey to see how people felt about the program. By repeating the survey next year, she’ll be able to see how user opinions change over time and leverage that information to adjust the program accordingly. 

In the future, she also hopes to put out PDQ-specific videos to focus more squarely on the things team members want to learn about, like how to use our password manager. And since people know her, putting a familiar face behind the message might make it more impactful. 

At PDQ, we’re a little spoiled. Since the company was created by sysadmins, for sysadmins, it’s willing and eager to invest in a security expert and training resources instead of pawning SAT off on the nearest sysadmin. 

But if you’re a sysadmin trying to manage everything yourself, you have our sympathies. Please take advantage of this free trial of PDQ to carve out a little more time in your schedule. Our automated device management features reduce the manual workload so you have more time to do — well, everything else.

Meredith Kreisa

Meredith gets her kicks diving into the depths of IT lore and checking her internet speed incessantly. When she's not spending quality time behind a computer screen, she's probably curled up under a blanket, silently contemplating the efficacy of napping.
