#InfosecNA: The Benefits of Training Employees to Hack – Infosecurity Magazine

For most corporate denizens, security training is an unpleasant but necessary evil, but does it have to be? Not according to Kris Martel, CISO of Imagine IT, who uses a highly interactive approach to create an engaging, entertaining learning environment that makes security meaningful and interesting to the average employee.

Speaking at the Infosecurity ISACA North America Expo and Conference in New York, Martel shared some of the techniques he uses in his training sessions to improve security awareness and compliance, and to have employees eagerly awaiting their next session.

"Cyber awareness training must change audience perception by making it [security] relevant to the organization or the individuals you're teaching," said Martel. "The way to do that is to make it engaging, interactive and fun and unpredictable," he added. One of the ways he engages employees is to teach them real-world hacking skills, including how to craft effective phishing attacks, helping them learn who has their Facebook login, and taking them on guided tours of the Dark Web. Whenever possible, Martel finds ways to reward participation with small but popular tokens such as preferred parking spots, movie tickets and, in some cases, internal cryptocurrency.

Martel has developed a fun and effective way to deal with experienced cyber-workers who don't take the training seriously because they believe they are too smart to be hacked: he offers them a friendly challenge. After a co-worker accepts the challenge, he begins a reconnaissance phase which, depending on how good his opponent is, can last anywhere from a few days to a few months. In one case, with an especially cyber-savvy individual, his usual hunt through social media, inquiries with co-workers and other tactics failed to produce anything. Even though the target had effectively ghosted themselves, including paying a service to erase their profile from the internet, he did find evidence of their activity on Amazon, which enabled him to craft a phishing attack that eventually succeeded in capturing his victim's credentials. Although it took four months to execute, Martel felt it was worth it: the employee agreed to attend training, and he got a good story to share with his colleagues.

Here are a few of Martel's key takeaways:

Applying these tactics helped Martel achieve a 70% increase in the reporting of phishing attacks, a 45% reduction in the success rate of phishing attacks, and a 94% positive rating on his course feedback surveys. "I knew things had changed when people started asking me when the next security training session was going to be held," he concluded.
