CIO

Does third-party security awareness training work?

Rapid7 security analyst describes the company’s direction with in-house vs. outsourced training.

Being a security company, Rapid7 has to take special interest in making sure its 1,000 employees do not succumb to phishing and the like. At a recent CSO50 conference, speakers discussed their security awareness training. Katie Ledoux, senior security analyst at Rapid7, asked about the effectiveness of third parties conducting the training. In a follow-up Q&A, Managing Editor Ryan Francis discusses with Ledoux how Rapid7 approaches security awareness training.

What is the overall purpose of third party security awareness training programs? How might they help security teams?

Employees are part of our company’s attack surface, and it’s our responsibility to make sure they have the knowledge and tools necessary to defend themselves and the organization against threats. This might include training on subjects like phishing, mobile security, physical security, password security, etc. In short, these programs empower employees to act as an extension of the security team, spotting and reporting threats.

Depending on the size of the organization, its internal resources, its budget, etc., it may or may not make sense to bring in a third party to assist with security awareness training activities.

What kinds of threats can be simulated/what can security pros be trained on? (Phishing? Malware? Ransomware?)

To clarify, when we talk about security awareness training, we’re talking about training that is deployed across the organization (vs training completed by members of our security team -- our security team members have a lot of training opportunities but that’s a whole different ball of wax).

When you’re deciding what threats to focus on, consider what threats employees are most likely to encounter, and which of those could have the biggest impact on your organization.

We have to remember that while security is the top priority for our team, other teams have their own set of goals. When deploying security awareness training, we need to be cognizant of their time. One way we can do that is by leveraging role-based training that is customized based on an employee’s role. This ensures all of the content is relevant to the individual and the work they do, allowing employees to focus on what matters and get back to work as quickly as possible. If you don’t have the bandwidth to offer role-based training, do your best to focus on the threats that are most relevant to your users as a whole.

With your in-house training supplementing the third party training, how did you decide who would conduct which part?

Any time we decide whether to outsource something or build it internally, we do a quick cost-benefit analysis. We dogfood Rapid7 tools to deploy phishing drills internally. In addition to being relatively quick and easy, let’s be real, coming up with simulated phishing attacks to test your coworkers is super fun.

Rapid7 has grown extremely quickly over the past few years, and in-person training (1:1 or 1:many) simply doesn't scale. Thus, we found it necessary to incorporate online training modules and tests into our security awareness program. This seemed like an obvious opportunity to leverage a third party resource.

Why do you think the third party training wasn’t beneficial?

We don’t think our first stab at leveraging online training was useless, we just know that we can do better.

Benefits of using online training:

  • Creating your own training is resource-intensive.
  • Building an in-house security awareness training program isn’t a one-and-done project, it requires perpetual upkeep. Training will have to be regularly updated to address new and evolving threats, and you may need a third party to handle that for you.
  • A third party may be able to provide the platform you need to deploy and measure the results of training.

Benefits of creating our own training modules:

  • You can make something that’s consistent with your company culture. Rapid7 is a fun and fast-moving company with a lot of different personalities (think: varying typical patterns of behavior) to consider. Relying heavily on stale, corporate online security awareness training was a mistake. If you work in a different environment where people are used to that level of formality, maybe it works for you, but it wasn’t a good fit for us.
  • You can make something that’s customized and tailored to your organization’s needs. When we deployed online security awareness training, our users were quick to point out that some of the instructions outlined in the videos were not aligned with our internal policies. For example, one module told them to delete and not interact with phishing emails. Fundamentally this isn’t bad advice, but at Rapid7, we ask our users to report phishing attempts so our team can take action accordingly.

Frankly, most companies don’t have a choice. At Rapid7, we have the resources and internal buy-in to build online training modules internally. People are excited about it. The first time we brought up making our own security awareness training modules, people immediately started asking their managers if they could allocate time to this project, and one person even insisted we start storyboarding the concept that weekend. It would likely be difficult to generate that level of passion and engagement around a concept like this at 99.99% of companies.

Ultimately, the right choice for us will likely be a combination of in-house and 3rd party training. We can create something internally that will be leveraged across the company, and online modules/courses for more advanced, role-based training, deployed to users on an as-needed basis.

Even if you’re leveraging third party solutions for security awareness training, there are still things you can do to make it your own, and customize it for your organization. For example, you can brand the program and create incentives for employees to complete various training activities.

How often do you conduct training? How is it delivered?

Right now, Rapid7 employees complete online security awareness training at least annually, and phishing drills are conducted on a regular basis (we don’t have an exact cadence… after all… we want it to be a surprise!)

Have you had issues in the past of employees clicking on links (spearphishing)?

Every company does. If they say they don’t, they’re most likely misinformed. We recognize that it’s a serious risk.

I do want to acknowledge that we have the benefit of a heightened level of security awareness at Rapid7 since we’re a security company and it’s a huge part of our day-to-day life, and our watercooler talk. We have controls in place to detect and filter as many phishing attempts as possible before they reach our employees, but when attacks inevitably slip through the cracks or reach our team through unconventional channels, our employees are pretty great at spotting and reporting phishing attempts. That certainly doesn’t mean we’re invincible, and organic security awareness does not replace the need for a formal training program. No one is immune to this type of attack. Sophisticated phishing attacks can fool even the savviest security expert. We have to combat them as best we can with technical controls and continued education.