The Ins and Outs of Security Awareness Training

One of your customers’ employees logs into their computer. They get an email from someone claiming to be their IT service provider, saying they must reset their password immediately (even though there wasn’t any warning beforehand). They click a link without checking the destination URL, go to a phishing site, and enter the credentials for their email. The criminal now has access to their email credentials and starts a spear-phishing campaign.

This scenario could have been avoided with a little caution. Solid security awareness training should have helped this employee think twice. Unfortunately, many businesses see training as a box they have to check for compliance. Employees often walk away and forget the training.

As a managed services provider (MSP), you can’t afford to be like most businesses. You must make these trainings as memorable as possible so employees remember what they have been taught. Beyond the security benefit, strong training helps reinforce your MSP brand and demonstrate the value you bring to the table.

Today, I’ll talk about what to include in security training. Just as important, I’ll talk about how to cover these topics.

The nuts and bolts of security awareness training

Before I get into the “how,” let’s talk about the “what.”

First, decide the level of training you must give to your clients, and tailor your presentations appropriately. In some cases, you’ll focus on compliance issues like HIPAA, PCI DSS, SOX, or GDPR. In other cases, you simply need to teach users good security policies.

Regardless, most trainings should include at least the following:

• Phishing and social engineering: Users need to learn how to recognize phishing scams. Teach them to exercise caution around emails or websites that seem suspicious. In the example at the beginning of this post, the employee should have double checked the email domain before clicking the link to make sure it really came from their MSP. There are other signs as well—they could have looked for bad grammar or misspellings, and they should have immediately been suspicious that someone was asking for their user credentials. Make sure to cover these signs of phishing to keep users safe.
• Password policies: Cover the importance of password strength and explain what makes a password strong. Remind them never to write the password down or store it in plain text. Additionally, you may want to show them how to enable two-factor authentication (2FA). Tell them to avoid using passwords across services. While covering passwords and authentication, part of your job involves persuading users why the inconvenience of 2FA or complex passwords matter. They’re small prices to pay for protecting the business (and their employees) from data breaches.
• Device policies: Discuss the rules around fair use and how to properly secure and store devices. For example, make sure employees don’t leave their machines unlocked when they leave their desks.
• Physical security: Remind employees to keep unknown people out of the building. In fact, even if they know the person, they should make sure they have their badges (to avoid a disgruntled employee starting a malicious insider attack). Remind them not to leave devices unattended in unsafe areas (like leaving their laptops on the ground while in the airport or sitting in open view in the car). Additionally, remind them never to store sensitive data out in the open, such as leaving printed forms with sensitive data sitting on their desks.

There are certainly more areas to cover. However, these should get you started.

How to make training engaging

Training employees is one thing; helping them retain information is another. You’re aiming not just for knowledge here—you want behavioral change.

First, consider going on site to offer the training rather than doing it online. For starters, it’s a great opportunity for you to reinforce your brand and the value you provide to customers. But more importantly, you get to engage the audience in person, make sure people pay attention, and help reinforce the concepts. If people don’t seem to truly understand the content, you can’t adapt your explanation.

Second, don’t lecture—involve the group. This can reinforce learning. Ask questions about the training, and consider offering rewards for participation (like a branded giveaway).

One interesting tip—ask the group to explain what you’ve taught in their own words. This can reinforce retention, and it also gives you real-time feedback on your audience’s understanding. You can correct misunderstandings, help your audience learn more efficiently, and also get tips on how to improve.

Additionally, try to use real-life examples to reinforce concepts. The language that you use really makes a difference. A 20 year old may be more concerned with their social media account being hacked and not their retirement account.

Finally, have handouts and leave behinds ready to go. Posters and reminder cards may be old school but they really do work to create a culture of security. This can also be a great branding opportunity for your MSP

Security training: more than a checkmark

Many companies hold trainings only to protect them from liability or to meet a compliance goal, but service providers need to go beyond this. People are often the weak link. Employees  make mistakes that expose organizations. As a service provider, you must do your best to not only offer security trainings but make them engaging so your customers’ employees retain the information and, hopefully, think twice before putting the company at risk.

Additional reading:

• Security Awareness Training Tips

Tim Brown is VP of Security for SolarWinds MSP. He has over 20 years of experience developing and implementing security technology, including identity and access management, vulnerability assessment, security compliance, threat research, vulnerability management, encryption, managed security services, and cloud security. Tim’s experience has made him an in-demand expert on cybersecurity, and has taken him from meeting with members of Congress and the Senate to the Situation Room in the White House. Additionally, Tim has been central in driving advancements in identity frameworks, has worked with the US government on security initiatives, and holds 18 patents on security-related topics.