Field Notes

Security training overload

Users often don’t take away the most important bits from security training because we try to cram in everything that can go wrong. Want to more effectively help users be secure? Focus.

People have limited time and attention. Despite our deepest wishes, security awareness isn’t likely to capture much of it. This means you need a relentless focus on what’s most important.

What’s most important to cover depends on the employee’s job. Dave in finance should be aware of the latest social engineering tricks so he doesn’t buy another batch of Amazon gift cards for the “CEO,” while Tina in devops may benefit from a refresher on key management and cloud security best practices.

Trying to cover everything that might be important in 45 minutes of annual awareness training leaves users not knowing what was actually important to remember. There’s a reason we don’t teach people language by giving them a German dictionary.

Here are some examples of where you could deliver focused training. Every business is different, so meet with each team, learn what they do and how they work, and identify the most significant risks you want to target with training.

🤝 Marketing 🤝

  • Risks of providing 3rd party access to customer data and marketing lists
  • Data privacy regulations and how they apply to day-to-day work (GDPR, CCPA, etc)

💰 Finance 💰

  • Importance of validating unusual transfers by calling the person back at a known number
  • Why the CEO doesn’t actually need them to buy gift cards for her
  • “Employees” asking for direct deposit account changes

🧑🏻‍🤝‍🧑🏾 Human Resources 🧑🏾‍🤝‍🧑🏻

  • Social engineering attacks to gain access to employee data
  • Hiring scams where the person who interviews isn’t the person who shows up for the role
  • The importance of using only approved software for sensitive data

🔨 Engineering 🔨

  • Secure coding practices
  • Don’t forget, back-end engineers have different concerns than front-end engineers!
  • Sensitive data handling and storage best practices
  • Proper authorization and authentication techniques
  • Threat modeling practices

❓ Customer Support ❓

  • Insecure remote access tools and practices
  • Social engineering attacks targeted to gain elevated access