This blog is part of a limited series on California’s Consumer Privacy Act (CCPA) from CompTIA’s IT Security Community. For more, subscribe to updates from CompTIA.org.
A phishing attack can happen in an instant, according to CompTIA member Jessica Schroder. Unfortunately, it's a lesson she once learned the hard way.
The attack came from a tempting email about wire transfers. Someone in a far-off department took the bait and the company’s protected data was instantly in trouble.
“They clicked the link on the spreadsheet and every password in their computer was changed,” said Schroder, now vendor business development manager at TBI Inc. The virus spread and even shut down one chunk of business for 48 hours. She doesn’t blame the user, though—the company was behind on security awareness training and not everyone was up to date on what a phishing attack looks like.
“We hadn’t been proactive with our security awareness training, and now we had a problem we had to deal with,” said Schroder. The company put a policy in place and now does quarterly awareness training, and every employee has to sign off on it.
In addition to saving face, security awareness training offers a ton of benefits, said Schroder, like building better client communications, improved security, improved team confidence and expanded product openings. It’s also part of the compliance goals of California’s Consumer Privacy Act (CCPA). CCPA applies to anyone who annually buys, receives, sells or shares personal information of 50,000+ consumers, households or devices, and those that do will need to prove they’ve offered security awareness training, with user sign off on the education.
“CCPA is big on transparency,” said CompTIA IT Security Community vice chair Lysa Myers, a security researcher for ESET. “You need to show you’re doing due diligence and protecting data and privacy of your users. You need to be able to show that you have been doing your work ahead of time, proactively, to get your employees and customers up to speed on how to protect the data.”
The panel discussed ways they’ve successfully gotten buy-in from users, including these three tried and true methods to get users on board with security goals.
You catch more flies with honey than vinegar and you’ll get more people to complete IT security training with perks than with punishments. Try gift cards or bonuses for the first 10 people to complete the training. Myers recommended making it fun with gamification and positive reinforcement.
“The best way to work with clients is to be consistent and regular in the conversation,” said Jeff Hoffman, president of ACT Network Solutions, a member of CompTIA’s IT Security Community. “The training should be a consistent, otherwise it will be out of sight, out of mind.”
“Companies will often say, ‘We don’t have time, maybe next quarter,’” said Hoffman. “But you’ve got to keep it front and center in the conversation and make sure the supporting information you give them goes to that topic as well.”
After all, it’s not a matter of if a breach will occur only when. “Keep it consistent, keep it regular and keep it in front of them constantly,” Hoffman said.
Keep it Real
Using an emotional hook or good storytelling can get the message across that IT security is essential. Hoffman always keeps a short white paper laying around that details a personal breach experience or a hack that happened locally.
“Not one of your customers wants to be on that segment talking about having their data compromised because they’ve been hacked,” Schroder said.
Pull back the curtain on how exposed they actually are. Do a dark web scan and dig up some company passwords to show them how easy it is, or try a scanning tool to pull up the monetary value of the data they hold — but don’t go overboard trying to convince someone who isn’t going to listen. Some IT security companies will go as far as to put their clients up on a wall of shame for neglecting security protocols.
“There’s only so much you can do,” Myers said. “If someone is determined not to secure those things, they’re going to learn the hard way.”
Use Short Training
Bowling people over with compliance information is never going to work. Try 15 minute increments instead of one or two hour sessions, with regular retraining, suggested Hoffman. “Ask for 15 minutes to interact with people, give them a little group training,” he said.
“You need to give it in bite sized chunks and keep giving it,” said Myers, adding that overall the vibe should be an immersive culture of security. “It should be part of everyday instead of this thing they have to endure periodically or when they first get hired.”
Consistent messaging is the key for Neal Bradbury, senior director of business development, Barracuda MSP and Chair of the IT Security Community. “The first month is education, the second month is testing and the third month, re-education happens for those individuals,” he said. “Every three months it’s a cycle that just runs.”
His company hangs testing around fun holidays like Black Friday and Halloween. “The testing gets more fun when we’re trying to get them to click on fake Valentine’s Day emails,” Bradbury said. “We don’t want them to click at all but we’d rather them click the bad email that we send than the one the hacker sends.”
Phase This Out Right Now
Surprise phishing was once a popular way to test out client compliance; Myers said the story she hears most often involves a surprise phish followed by the humiliation of everybody who clicks on it.
“I’ve heard a lot of righteous indignation from the people who feel tricked by the management. That it’s rude,” said Myers, a security researcher for ESET. “We want people to be shocked into awareness but you don’t want them to get their hackles up before giving them any training.”
If you are going to use phishing, use fun activities and play on special holidays to test things out, suggested Bradbury. Shaming people or unsafe internet practices isn’t the most reliable way to get people on board. “We’d rather have them clicking on our links than the real hackers,” he said.
For more on CCPA and how it can work for your business, follow this series from CompTIA’s IT Security Community.