Solved

What are some good questions to ask a service provider about Security Awareness Training that they have to offer?

Posted on 2014-07-30
7
355 Views
Last Modified: 2014-08-15
We are looking at a provider called "Knowbe4". I want to come up with some questions about their services to dig deeper into what they can provide as far as security awareness. Before I have a meeting/call with them, I want to know what questions should I be asking them to make sure I get what I need out of their services? Please list a few high level questions. Thank you.
0
Question by:freebeee01
7 Comments
 
LVL 20

Expert Comment

by:netcmh
ID: 40229857
I would like to know how the training provider would push for changing the status quo. What means would they have as their primary channel for awareness training. I mean videos or Powerpoint slides are good, but how can we make it better? Making the training fun and interactive would help drive the points home.

Awareness programs and security trainings are 2 separate things. How would they be able to influence the behavior change in your users? All of your users, don't skip on the per-diems or contract emps. Awareness should not be just a "check the box" exercise.
0
 
LVL 20

Expert Comment

by:netcmh
ID: 40229861
Also, how would they provide measurement? How would the awareness be measured?
0
 
LVL 5

Accepted Solution

by:
Sean Jackson earned 500 total points
ID: 40230092
I would want to see some metrics from past engagements they've done.  Those could be redacted to protect the innocent, of course.

I would ask if they distribute materials among the staff, or is it all in a dark conference room with a PowerPoint presentation.  Do they do it in smaller groups, one on one, etc?

I would ask how often they update their training materials.  Are they aware of the latest threats and vulnerabilities?  

Do their trainers hold any security certifications?

Do the OWNERS have any security certifications?  This would be a very good indicator on if the company is truly focused on security awareness or just making some money.
0

Author Comment

by:freebeee01
ID: 40230202
Those are some good questions. I need a few more. Something along the lines of how should I execute or implement this in my environment, so forth and so on.
0
 
LVL 5

Expert Comment

by:Sean Jackson
ID: 40230249
I would anticipate they would address those questions in your initial conversation.

Meaning, they're going to bring it up, not you.
0
 

Author Comment

by:freebeee01
ID: 40231010
This is SAAS (100% cloud-based training). I will be the facilitator/trainer for my company responsible for registering users, reminding users to sign up for the training and do the exercise. The service will also provide templates that I can send to my users as an email to test them after they receive the training. I have a few questions for those that have incorporated this in their place of work.

1. What are some ideas to make training fun and interactive?

2. What are some corrective options/actions to deal with my employees who fail the PST (Phishing Security Test) after they have been given the training?

3. What is the best approach to incorporate security awareness for new employees during their orientation when they hop on board? Maybe train HR personnel so they will know how to provide a brief overview to the new employees in the form of a slide show, video, etc? I don't know, what's the best approach? Does anyone have any experience with this?

4. Also thinking about placing posters in certain areas of our building to encourage people to take the training, are there any posters online so that I can print them out?

5. How often should I do the PST with my users, and why?

Anything else creative that I can do, let me know.
0
 
LVL 5

Assisted Solution

by:Sean Jackson
Sean Jackson earned 500 total points
ID: 40232225
I would not make it optional to attend the training, and for that, you need support from above.  Make the training available to them at times that are more convenient if you can't do it all at once.  If it's optional, no one is going to attend.

A good way to get this buy off would be to run a Phishing test (authorized by whomever has authority, of course) before the training, and show the results to management.  Show them just how bad it is, and how the training will directly address that vulnerability.

Training being fun and interactive? Show some examples?  I always like to use the balloon / yelling overwhelming scene from Sneakers to show how hackers can distract the victim and get them to follow instructions.

I have 'gamified' security awareness by creating a quiz system where, when users logged into the corporate admin area, they'd get one question. They had the option to postpone the question (if they were putting out some kind of fire), and if they got it right, they got a clip from Monty Python or something.  If they got it wrong, they got the troll being flung into the pit from The Holy Grail.  On the backend, we were able to see who was answering what questions wrong, what questions always had wrong answers (need more training), who was getting lots of questions wrong (need more individual training), and who was always getting things right.  Those in the last group got recognized and occasionally gift carded or lunch bought.

I would test Phishing every six months or so, assuming an external party hasn't tested it already for you (and you knew about it).

I know of no posters to help you.

If someone fails the testing, don't make them feel stupid, bad, or they should be in trouble.  Security isn't supposed to do any of those things.  Help them learn how to be more careful, more cautious about what they see in email.  It's not only going to help the company, it will help them personally to think a little more carefully about their interactions.  That means it can help them at home too.

I'm gladdened to see you're taking on this endeavor.  It can be tough.  Good job.
0
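Two themes run through the answers above: netcmh's point that awareness has to be measured, and Sean Jackson's description of a quiz backend that surfaces weak questions, users who need individual coaching, and top performers, plus a phishing test before and after training to show management the change. The following is an added example, not code from the thread or from KnowBe4, of the reporting logic a facilitator could run over exported results. The campaign labels, user names, question ids and all results are constructed sample data; the record layout is an assumption, not any vendor's export format.

```python
"""Awareness-program metrics over constructed phishing-test and quiz data.

Added example (not from the thread or any vendor). The dataclasses below are an
assumed record layout; a real deployment would populate them from the provider's
export (CSV, API) rather than the constructed literals used here.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PhishResult:
    campaign: str   # constructed label, e.g. "2014-Q3-pre" = before training
    user: str
    clicked: bool   # user followed the simulated link (a "fail")
    reported: bool  # user reported the message to security (the desired behavior)


@dataclass(frozen=True)
class QuizAnswer:
    user: str
    question: str   # constructed question id
    correct: bool


# Constructed sample data: four users, one test before and one after training.
PHISH_RESULTS = [
    PhishResult("2014-Q3-pre", "alice", clicked=True, reported=False),
    PhishResult("2014-Q3-pre", "bob", clicked=True, reported=False),
    PhishResult("2014-Q3-pre", "carol", clicked=True, reported=False),
    PhishResult("2014-Q3-pre", "dave", clicked=False, reported=True),
    PhishResult("2014-Q4-post", "alice", clicked=False, reported=True),
    PhishResult("2014-Q4-post", "bob", clicked=True, reported=False),
    PhishResult("2014-Q4-post", "carol", clicked=False, reported=True),
    PhishResult("2014-Q4-post", "dave", clicked=False, reported=True),
]

# Constructed quiz log: q1 = hover before clicking, q2 = password reuse, q3 = USB drives.
QUIZ_ANSWERS = [
    QuizAnswer("alice", "q1", True), QuizAnswer("alice", "q2", True), QuizAnswer("alice", "q3", True),
    QuizAnswer("bob", "q1", False), QuizAnswer("bob", "q2", False), QuizAnswer("bob", "q3", True),
    QuizAnswer("carol", "q1", True), QuizAnswer("carol", "q2", False), QuizAnswer("carol", "q3", True),
    QuizAnswer("dave", "q1", True), QuizAnswer("dave", "q2", False), QuizAnswer("dave", "q3", True),
]


def campaign_rates(results):
    """Per campaign: (click_rate, report_rate) as fractions of recipients.

    Comparing the pre-training and post-training campaigns is the before/after
    evidence to show management.
    """
    by_campaign = defaultdict(list)
    for r in results:
        by_campaign[r.campaign].append(r)
    return {
        name: (sum(r.clicked for r in rs) / len(rs), sum(r.reported for r in rs) / len(rs))
        for name, rs in sorted(by_campaign.items())
    }


def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: candidates for one-on-one coaching."""
    clicks = defaultdict(int)
    for r in results:
        if r.clicked:
            clicks[r.user] += 1
    return sorted(u for u, n in clicks.items() if n >= min_clicks)


def _by_key(answers, key):
    grouped = defaultdict(list)
    for a in answers:
        grouped[key(a)].append(a.correct)
    return grouped


def weak_questions(answers, max_correct=0.5):
    """Questions with a correct rate at or below max_correct: the training content needs rework."""
    per_q = _by_key(answers, lambda a: a.question)
    return sorted(q for q, c in per_q.items() if sum(c) / len(c) <= max_correct)


def users_needing_coaching(answers, min_wrong=2):
    """Users with at least min_wrong wrong answers: need more individual training."""
    per_user = _by_key(answers, lambda a: a.user)
    return sorted(u for u, c in per_user.items() if c.count(False) >= min_wrong)


def top_performers(answers, min_answers=3):
    """Users who answered everything correctly (with enough answers to mean something): recognize them."""
    per_user = _by_key(answers, lambda a: a.user)
    return sorted(u for u, c in per_user.items() if len(c) >= min_answers and all(c))


if __name__ == "__main__":
    for name, (click, report) in campaign_rates(PHISH_RESULTS).items():
        print(f"{name}: click rate {click:.0%}, report rate {report:.0%}")
    print("repeat clickers:", repeat_clickers(PHISH_RESULTS))
    print("weak questions:", weak_questions(QUIZ_ANSWERS))
    print("needs coaching:", users_needing_coaching(QUIZ_ANSWERS))
    print("top performers:", top_performers(QUIZ_ANSWERS))
```

The report rate matters as much as the click rate: a program is working when people start forwarding suspicious mail to security, not just when they stop clicking. Keeping the per-user lists out of any public dashboard keeps the exercise corrective rather than punitive, which is the spirit of the advice above.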
