Security awareness training: Don’t exclude contract workers
Gretel Egan, security awareness training strategist for Proofpoint, offers best practices for agencies to keep in mind when training employees and contractors.
Federal, state, and local governments rely heavily on contract workers, perhaps even more so than private industry. Unfortunately, the “in-and-out” nature of contract jobs can result in a feeling of impermanence that permeates throughout certain processes and policies, especially as contract workers generally don’t realize the same benefits as full-time employees.
However, with cybercriminals increasingly targeting individuals rather than infrastructure, both full-time and contract workers are potential cyberattack victims. It’s critical that contract workers are trained to the same degree as full-time employees. Depending on the type of work, government contractors can have high levels of access and privilege — and those with access and privilege should certainly know how to safely and securely navigate their employer’s systems.
Security awareness training initiatives are vital to reducing overall cyberattack risk. In a recent year-over-year global survey of thousands of IT security professionals for the State of the Phish Report, nearly 60% of respondents saw an increase in employee phishing detection following security awareness training.
Ideally, agencies should engage with contractors that have a history of prioritizing cybersecurity, both at a technology level and a behavioral level. Security awareness training has shifted from “nice to have” to “need to have” because employees play a vital role in data and system security. But even if your hires come armed with cybersecurity skills, it’s vital that all workers follow the same policies and procedures, and that consistent actions and security measures are taken across all roles and systems.
Building a cohesive program to reach everyone
It can be challenging for government entities to create a cohesive security awareness training program that resonates across a wide range of roles, responsibilities, and schedules. The following best practices can help agencies create an effective program that overcomes that challenge.
Get in tune with end users
Cybercriminals are laser-focused on identifying potential weak links within government agencies, so it’s imperative that information security teams do everything they can to turn soft spots into points of strength. As an initial step, these teams should take a people-centric approach to cybersecurity education. Training should be meaningful to all end users—and agencies should have the ability to deliver tailored education to the most attacked individuals.
To do this, entities should focus on delivering the right information, to the right people, at the right time. First, assess end users’ vulnerability to social engineering attacks; evaluate general cybersecurity knowledge levels across the employee base; and determine the essential skills that should be built agency-wide.
Then, look deeper and identify the people and departments that are most commonly being attacked by cybercriminals. Once an organization has identified its very attacked people (VAPs) — which are often different from traditional VIPs — it will be clear where opportunity and vulnerability are intersecting. Users who are both frequently attacked and frequently vulnerable to attack represent a perfect storm of sorts, as this crossover increases the risk of a successful phishing attack, malware infection, or worse.
It’s important to note that VAPs often change from agency to agency. In some cases, high-ranking officials’ VIP status also makes them a prime target for attackers. But in other cases, it’s lower-level individuals with access and opportunity — like those who manage invoice payments or sensitive vendor and inter-departmental relationships — who are most firmly in attackers’ sights.
Make the most of every training touchpoint
Security awareness training is no different from other forms of education. To be effective, a program needs to do more than just make users aware that threats exist. It needs to teach them how to identify and avoid risky behaviors.
When teaching adult learners, the most successful training programs use interactivity, reinforcement, and the ability to practice new skills. These are all proven learning science principles that result in measurable progress and knowledge retention.
In addition, agencies need to speak the right language to those they’re training and avoid making assumptions about what users do and do not know about cybersecurity. This year’s State of the Phish Report showed that just 66% of working adults are familiar with the definition of “phishing,” and only 45% know the definition of “ransomware.” But it’s not just about recognizing security lingo. Participants should understand the benefits and purpose of what they’re being asked to learn, as well as be familiar with commonly used security terminology.
To amplify knowledge retention, be sure to deploy engaging computer-based security awareness training modules that allow users to go at their own pace and take a hands-on approach to decision-making. Passive content, such as videos and PowerPoint presentations, can also be used to inform and reinforce, but non-interactive tools should not be relied upon to teach new skills. The key is to engage end users, both full-time and contractors. Active participation and interest in cyber hygiene are critical to building the strongest possible last line of defense.
Commit to a continuous training approach
Frequency, flexibility, and customization are often overlooked by agencies that deploy security awareness training programs. Unfortunately, it isn’t enough to deliver training once or twice a year to “check the box.” This approach doesn’t make cybersecurity a regular pursuit and, as a result, does not help end users make cybersecurity best practices a daily habit.
Instead, opt for regular delivery of “bite-sized” training modules that cover specific topics in a short amount of time. A computer-based training platform — one that allows an agency to provide frequent, on-demand education in virtually any location — will help to improve focus and combat training fatigue. And ongoing, regular education does something that monolithic, once-a-year training cannot do: It keeps cybersecurity top-of-mind and builds on foundational knowledge rather than delivering, and redelivering, the same content year after year.
Continuous programs are also, by nature, more flexible than once-a-year training because they afford the opportunity to address trending threats, and to deprioritize education about threats that aren’t as pressing. Threat intelligence isn’t just valuable on the technical front; this information can identify emerging issues that employees should be informed about, and it can guide training schedules. Ransomware is a great example on all levels. This threat virtually exploded on the scene in 2015 and dropped off in a similarly dramatic fashion last year, with other attacks, like credential compromise, taking its place. Once-a-year training wouldn’t have served an agency well during either the rise or decline of this threat.
A continuous approach also allows for greater customization, providing necessary agility. Not all employees have the same levels of cyber knowledge or cyber responsibility. Though broad education about cybersecurity essentials is a great idea, it’s equally important to deliver tailored training based on roles and access privileges.
Ultimately, agencies need to be able to identify VAPs, assess their vulnerability to attacks, and deliver training specifically designed to address the threats they are facing on a regular basis. This level of training agility helps quickly educate targeted users about risky behaviors, and how to avoid them, in the event of an attack spike or shift.
In the end, cybersecurity skills should be thought of as life skills that transcend the workplace. With nearly 40% of smartphone users saying they use their devices for a mix of personal and business activities, there is a growing need for these skills to be “always on.” Information security teams that want users — employees and contractors alike — to contribute to an agency’s larger cybersecurity infrastructure must take an active role in building knowledge and bettering security postures day to day, in incremental steps. A well-designed, thoughtful security awareness training program can do just that.
Gretel Egan is a security awareness training strategist for Proofpoint, the leading provider of cybersecurity awareness training software that helps organizations educate employees.
Copyright © 2024 Federal News Network. All rights reserved.