Solved

What are some good questions to ask a service provider about Security Awareness Training that they have to offer?

Posted on 2014-07-30
7
348 Views
Last Modified: 2014-08-15
We are looking at a provider called "Knowbe4". I want to come up with some questions about their services to dig deeper into what they can provide as far as security awareness. Before I have a meeting/call with them, I want to know what questions I should be asking them to make sure I get what I need out of their services? Please list a few high level questions. Thank you.
Question by:freebeee01
7 Comments
 
LVL 20

Expert Comment

by:netcmh
ID: 40229857
I would like to know how the training provider would push for changing the status quo. What means would they have as their primary channel for awareness training? I mean videos or PowerPoint slides are good, but how can we make it better? Making the training fun and interactive would help drive the points home.

Awareness programs and security trainings are 2 separate things. How would they be able to influence the behavior change in your users? All of your users, don't skip on the per-diems or contract emps. Awareness should not be just a "check the box" exercise.
0
 
LVL 20

Expert Comment

by:netcmh
ID: 40229861
Also, how would they provide measurement? How would the awareness be measured?
0
 
LVL 5

Accepted Solution

by:Sean Jackson
Sean Jackson earned 500 total points
ID: 40230092
I would want to see some metrics from past engagements they've done. Those could be redacted to protect the innocent, of course.

I would ask if they distribute materials among the staff, or is it all in a dark conference room with a PowerPoint presentation. Do they do it in smaller groups, one on one, etc?

I would ask how often they update their training materials.  Are they aware of the latest threats and vulnerabilities?  

Do their trainers hold any security certifications?

Do the OWNERS have any security certifications?  This would be a very good indicator on if the company is truly focused on security awareness or just making some money.
0

Author Comment

by:freebeee01
ID: 40230202
Those are some good questions. I need a few more. Something along the lines of how should I execute or implement this in my environment, so forth and so on.
0
 
LVL 5

Expert Comment

by:Sean Jackson
ID: 40230249
I would anticipate they would address those questions in your initial conversation.

Meaning, they're going to bring it up, not you.
0
 

Author Comment

by:freebeee01
ID: 40231010
This is SAAS (100% Cloud-based training). I will be the facilitator/trainer for my company responsible for registering users, reminding users to sign up for the training and do the exercise. The service will also provide templates that I can send to my users as an email to test them after they receive the training. I have a few questions for those that have incorporated this in their place of work.

1. What are some ideas to make training fun and interactive?

2. What are some corrective options/actions to deal with my employees who fail the PST (Phishing Security Test) after they have been given the training?

3. What is the best approach to incorporate security awareness for new employees during their orientation when they hop on board? Maybe train HR personnel so they will know how to provide a brief overview to the new employees in the form of a slide show, video, etc? I don't know, what's the best approach? Does anyone have any experience with this?

4. Also thinking about placing posters in certain areas of our building to encourage people to take the training, are there any posters online so that I can print them out?

5. How often should I do the PST with my users, and why?

Anything else creative that I can do, let me know.
0
 
LVL 5

Assisted Solution

by:Sean Jackson
Sean Jackson earned 500 total points
ID: 40232225
I would not make it optional to attend the training, and for that, you need support from above.  Make the training available to them at times that are more convenient if you can't do it all at once.  If it's optional, no one is going to attend.

A good way to get this buy off would be to run a Phishing test (authorized by whomever has authority, of course) before the training, and show the results to management.  Show them just how bad it is, and how the training will directly address that vulnerability.

Training being fun and interactive? Show some examples?  I always like to use the balloon / yelling overwhelming scene from Sneakers to show how hackers can distract the victim and get them to follow instructions.

I have 'gamified' security awareness by creating a quiz system when users logged into the corporate admin area, they'd get one question, they had the option to postpone the question (if they were putting out some kind of fire), and if they got it right, they got a clip from Monty Python or something.  If they got it wrong, they got the troll being flung into the pit from The Holy Grail.  On the backend, we were able to see who was answering what questions wrong, what questions always had wrong answers (need more training), who was getting lots of questions wrong (need more individual training), and who was always getting things right.  Those in the last group got recognized and occasionally gift carded or lunch bought.

I would test Phishing every six months or so, assuming an external party hasn't tested it already for you (and you knew about it).

I know of no posters to help you.

If someone fails the testing, don't make them feel stupid, bad, or they should be in trouble.  Security isn't supposed to do any of those things.  Help them learn how to be more careful, more cautious about what they see in email.  It's not only going to help the company, it will help them personally to think a little more carefully about their interactions.  That means it can help them at home too.

I'm gladdened to see you're taking on this endeavor.  It can be tough.  Good job.
0
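The back-end reporting described in the gamified quiz above (questions most often missed, users who miss many questions, users who always get it right) and the before/after phishing test results shown to management can be computed from plain result records. The following is an added example, not code from the poster or from any vendor; the result data is constructed for illustration.

```python
"""Aggregate security-awareness quiz and phishing-test results.

Added example: groups quiz results the way the answer's back end did
and computes phishing-test click rates before and after training.
All data below is constructed, not taken from a real program.
"""
from collections import defaultdict

# Constructed quiz records: (user, question_id, answered_correctly)
QUIZ_RESULTS = [
    ("alice", "q1", True), ("alice", "q2", True), ("alice", "q3", True),
    ("bob", "q1", False), ("bob", "q2", True), ("bob", "q3", False),
    ("carol", "q1", False), ("carol", "q2", True), ("carol", "q3", True),
    ("dave", "q1", False), ("dave", "q2", False), ("dave", "q3", False),
]

# Constructed phishing-test campaigns: user -> clicked the simulated link?
BASELINE = {"alice": False, "bob": True, "carol": True, "dave": True}
POST_TRAINING = {"alice": False, "bob": False, "carol": True, "dave": False}


def question_failure_rates(results):
    """Return {question_id: fraction of answers that were wrong}."""
    totals, wrong = defaultdict(int), defaultdict(int)
    for _user, qid, ok in results:
        totals[qid] += 1
        wrong[qid] += 0 if ok else 1
    return {q: wrong[q] / totals[q] for q in totals}


def user_failure_rates(results):
    """Return {user: fraction of that user's answers that were wrong}."""
    totals, wrong = defaultdict(int), defaultdict(int)
    for user, _qid, ok in results:
        totals[user] += 1
        wrong[user] += 0 if ok else 1
    return {u: wrong[u] / totals[u] for u in totals}


def triage(results, question_threshold=0.5, user_threshold=0.5):
    """Sort questions and users into the three groups the answer describes."""
    q_rates = question_failure_rates(results)
    u_rates = user_failure_rates(results)
    return {
        "questions_needing_more_training": sorted(q for q, r in q_rates.items() if r >= question_threshold),
        "users_needing_individual_training": sorted(u for u, r in u_rates.items() if r >= user_threshold),
        "users_always_right": sorted(u for u, r in u_rates.items() if r == 0),
    }


def click_rate(campaign):
    """Fraction of users who clicked in a phishing-test campaign."""
    return sum(campaign.values()) / len(campaign)
```

Comparing `click_rate(BASELINE)` with `click_rate(POST_TRAINING)` gives the kind of before/after figure the answer suggests showing management.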
