Security Training: How to ensure your training is effective
In this blog, we sit down with our Head of Compliance Services, Luke Peach, to discuss the ways in which you can ensure that your security training is effective.
Introduction
Cyber Security is an important aspect for all businesses. However, a company is only as strong as its weakest link, and companies often spend more money and time on their equipment than they do on their staff’s security training. Humans are often that weakest link, as people are by nature trusting and want to help others.
While companies don’t necessarily need to invest many resources in staff security awareness, the training they do provide should be effective, with regular updates to ensure it stays accurate. In addition, reinforcement activities should be carried out to ensure that staff are kept informed of threats, best practices and how to stay secure in general.
Not all training is created equal, however. Death by PowerPoint has often been the go-to for training, but this has been shown to be ineffective, and people often don’t retain the knowledge imparted. The result is staff not knowing what to do when situations arise, which can lead to breaches through common security threats like phishing.
Providing engaging training for your employees
The best way to solve this issue is to provide training that is interesting, interactive, and engaging. A great example would be the videos offered by Defense.com. They provide a fun and informative way to train staff on cyber security, and with the inclusion of exams, an interactive one too. Even informal quiz sheets could help staff retain the information and put it into practice when the situation arises. As another point, whether security training covers a range of topics or a specific one, it should include any procedures that staff need to know. For example: what to do if they think they have discovered a data breach, when they should report it, who they should report it to and what information is required from them.
To provide an example of useful cyber security training sessions, I sat down with Luke Peach, Head of Compliance Services at Bulletproof, to discuss some of the training he has provided in the past:
Q: So, Luke, what do you think makes a great and effective Cyber Security Training Session?
A: You’ve got to make the topic engaging. It’s the biggest thing every training session needs. For lack of a better term, if you are not in a compliance or an IT team it’s not important, as that is handled by compliance or IT. So, trying to teach a salesperson, a marketing person, an HR person about information security, cyber security, and so on is difficult, and therefore you are on the back foot. So, the key is to make it relevant in a way that it can relate to their everyday lives, using examples they would use, without being too technical but still getting the message across.
I think what I tend to do well is to try to do my best to make it entertaining. I see myself as more of a stand-up comedian, standing up there and making people laugh, making sure they’re not looking down at their phones or distracted by their desktops that might be next to them. If it’s a remote training session, I try to command their attention by either the stories that I make or the aura I give off.
I would usually start it all off with the question, ‘Elephant in the room guys, I know this topic is boring as hell’ and so I set the expectations straight away that I’m sort of one of them or I’m on their side in the sense that I know this is boring. But trust me, stick with me and maybe I’ll make you laugh and maybe I’ll say a few things that are good.
Q: Do you have an example of a particular training session you have delivered, what was involved and how did it help the people involved?
A: Yes. So, I’ve got a very good relationship with a company up in Scotland, to the point where they are having me back this year as well, and my point of contact might even make me come back every other year after that as long as he can, right. So, historically the company needed someone to really come in and improve cyber security and information security awareness. My contact at this company was doing that, and he said that one thing he was really struggling with was to get people engaged and to get people to really sort of care about it outside of a policy document here and there.
So, when I went to Scotland, we rented out an event space and I did three things.
The first thing I did was the standard PowerPoint presentation where you go through certain topics, and I particularly find when you talk about social media and you go around and say, have you got Facebook, have you got Twitter, have you got Instagram, Bebo, Myspace, all these other ones that have been around, again, because everybody’s got those kinds of things, everybody can relate to those things. Getting scam phone calls is another one, because everyone gets scam phone calls and scam text messages, or at least they did a few years ago before GDPR started cracking down on it.
So, I did that, and of course, because you’re in a room with everybody, you don’t have the struggle of remote working training.
The second thing I did was I got everyone to watch an episode of The Simpsons, specifically season 33, episode 2, ‘Bart goes to jail’. In that one, Grandpa Simpson suffers a vishing attack and it’s all about how the Simpsons try and get his money back. They do this by doing some cyber security related activities, such as social engineering, IP tracking and then going to the office where the scammers are located and stealing all their gift cards, which were obtained using money stolen from others, to get people their money back, and so on and so forth.
This of course engages people, because who doesn’t like watching The Simpsons at work instead of doing work at work, as some people have put it.
The third element was a tabletop exercise that involved Lego. In this exercise I put people into small groups and told them to pretend that I’ve hired them to be my crack security team. I’ve not invested in any Cyber Security for my small business and am going to give them a budget of £300,000 a year to spend. They then had a shopping list of different cyber security related initiatives, like policies and procedures, CCTV cameras, all that kind of stuff, and everything like that had a price next to it. They have the £300,000 to spend and the question was: talk amongst yourselves, what do you prioritise to be the main things you want from a security aspect?
The idea was, once they've told me what they're going to spend it on, they used the Lego to build representations of what they've bought. Someone did make an antivirus shield once, which was very, very good. That was then followed by me saying to randomly pick from these envelopes. Inside each of these envelopes is a security incident, because security incidents can come from anywhere at any time, using any means and all that kind of stuff. And the question was, ‘did the things you buy help you in any way?’
The lesson learnt is if you're investing in security, then you're doing a good thing. You will be able to help 9 times out of 10, even a little bit, by investing in Cyber Security. There's also one where you can't defend against it at all, called a zero-day attack. And that is to show you that no matter how much you invest, there is still obviously the issue out there that you could face something new to the world. That opened a lot of people's eyes, and what I do is I run that simulation twice with them, because when they go through year two and I give them another £300,000, whatever they learnt from the first year, they take into the second year. And of course, everybody likes Lego. So, it's a win-win for me really.
And that I thought was particularly successful. I've tried to nurture my relationship with that customer over time. I've written one of their Cyber Security newsletters for them, I was a guest publisher on that, and even after the session a few of them wanted to go out for a drink with me. So, I'd like to think that I made a good connection.
Q: How can a company attend one of these in person events, are they all scheduled, or can a company request a private session?
A: I only do private sessions; it is very rare for us to do a public training session. We have done a couple of them in the past, so keep an eye on the Bulletproof and Defense.com social media channels. I believe we’ve done a hacking event where we tried to teach people the mind of a hacker. So, my advice there would be to keep an eye on social media, as these events do happen but are not that common. Most of my training sessions are private, and you would book this by getting in touch with the Sales team or an Account Manager, and they would get you on a scoping call with me.
This call would cover some of the following topics:
- How many staff have you got?
- Where are you based?
- What kind of training programs have you done before?
- What has been successful in the past, what hasn’t?
- Are there any other messages you want to get across?
- Time and dates for booking
I take what has been discussed and look at the training we already have. If it fits with no changes, that’s great; if not, I will personalise it more and update it to fit as necessary. Then, about a week before the training session, I will meet up with my point of contact and show them what has been made to make sure they are happy. After that we either deliver the training via Teams or travel to their office/venue of choice and deliver the training.
Q: How can an organisation ensure that any Security Training they have is up to date and helpful to their staff?
A: They need to go for a trusted cyber security provider to ensure that it is up to date. For example, everything I teach people I hear from around the business, and I must keep on top of it as I am the Head of Compliance Services. Therefore, I need to know all the latest information security and cyber security regulations. Whereas if you maybe go to a contracted trainer, then they may not be engrossed in that day-to-day business, so they might not have the most up to date information. Some of them might, and fair play if they do, but I think it would give me more confidence as a business owner to get it from a specialised cyber security company with qualified people. There are qualifications that we hold at Bulletproof for Adult Education; for example, I am a Level 2 qualified trainer at the moment. So, it’s those kinds of things that can give you confidence.
In terms of the second part of your question, like how they can make sure it’s effective or good for their staff, right, there’s a couple of ways. Number one, we do knowledge checks, so it’s always good to verify if the information has sunk in. What we tend to do is send out these knowledge checkers after about a month or two, because that confirms if the knowledge is still available. Another thing we do is we combine our training services with some of our other services. So, we offer a phishing simulation tool in Defense.com which allows us to send fake phishing emails to a company, then obviously if your training’s been good, hopefully the number of people clicking on the links and submitting data will be significantly lower. We can do them before the training and after, so you can see the difference as well.
I think the best compliment I've ever had is the IT person telling me that after a training session I've done, they've got 10 times busier because more people are reporting data breaches, Cyber Security issues and phishing emails.
In summary, Luke keeps up to date on all the relevant information and gets it from the industry and from the people in the company, who are all qualified individuals and not just in cyber security.
To ensure it’s up to date, knowledge trackers are sent out about a month or so later to check the knowledge is still there. There are also phishing tools in use that can help ensure that all users are aware of what is expected of them.
Q: What can Bulletproof offer to help companies of any size manage their information security services, security policies and information security training and awareness?
A: So, the training, as I’ve already mentioned: we offer multiple different options, in person, remote, fully custom, out-of-the-box video training, we pretty much offer it all. If you want something completely bespoke, like something I don’t even do yet and the concept hasn’t even come into my head, talk to us, get on a scoping call with us and I will figure out what you need, and we’ll work together to do it. For added context, another thing we have done for people in the past is a presentation with a magician, because we had someone come to us who had real concerns that people were not going to pay attention to training because of historical efforts to try and train staff. So, we had a 30-minute presentation, and for 5 minutes we would discuss parts of the topics, like passwords, and then for 5 minutes the magician would do a password-based magic trick. The idea was that you would be in a state of wow and pay attention due to this.
In terms of helping a business of any size with everything else, all our products are scalable. You know, we have a data protection officer service and a vCISO service, and all of those require an initial conversation between the business and us to find out how big you are and what your requirements are, and we will never over-quote for the time that the customer needs, and training can form part of those other two services as well. So, we can even come to some sort of agreement where you get your training, your DPO service and so on and so forth. So, I guess the bottom line is talk to us, and there is always a way to discuss and find a solution for a project.
Q: Are there any final tips you would recommend to companies to keep their security training regime effective?
A: Follow up, don’t treat it as a one-and-done exercise. If you find a good trainer, keep with them, as a new trainer may undo it all. It doesn’t just get boiled down to that one session: update newsletters, put breaches you’ve seen in the news in a Slack channel. From a best practice perspective, do training once a year, but usually 2-3 times a year is better.
We do security, GDPR, incident response training, top awareness and PCI DSS awareness training.
Adam Smith, one of the Assessors within the Cyber Essentials team, has also made a gameshow-style activity where contestants answer increasingly difficult cyber security questions about what they have been taught in the training session. This is a great way to keep people engaged, as it encourages discussion and recalling all the information from the day’s training session.
It is worth noting that Bulletproof also offers the ability to combine this training with a social engineering engagement. This means that you can schedule a pentest to be conducted focusing on the people, using attacks such as advanced phishing techniques, impersonation attacks or media baiting. However, for some companies this may not be enough, and if needed Bulletproof offers the ability to outsource responsibility to one of our consultants, who can help manage these systems, including cyber security training, pentests and the creation and review of cyber security policies, as part of our vCISO package.
Ultimately there is no one-size-fits-all solution; however, the points described here by Luke and the methods used by other Bulletproof staff like Adam can help encourage an effective approach to cyber security training. The most important thing to remember is that, regardless of the option chosen, the more engaging and tailored to your audience a training solution is, the more of it will be retained by users. We will also always aim to provide an appropriate package to help companies of any size meet their training requirements.