Last week’s Wombat Wisdom Conference featured three days packed with presentations and panel discussions by Wombat staff and customers, as well as keynotes, updates on our products, and opportunities for attendees to network and learn from peers. Topics ranged from analyses of the current threat landscape to upcoming product features to practical advice on getting the most from phishing assessments and security awareness training.
While it’s not easy to distill three days of insightful conversations into a single blog post, here are some key themes that emerged throughout the security awareness conference.
A People-Centric Approach to Cybersecurity
Proofpoint’s acquisition of Wombat — which officially closed on March 1, 2018 — influenced multiple presentations at this year’s event, as speakers explained how the two companies are working together to deliver products and solutions that support a people-centric approach to cybersecurity.
“The easiest way to attack someone is through a socially engineered attack,” Proofpoint CEO Gary Steele said during his opening keynote. “That’s much simpler than writing some sophisticated malware to take advantage of a vulnerability in someone’s infrastructure,” Steele said, noting that cybercriminals’ increasing focus on individuals has made security awareness a paramount pursuit.
As part of a people-centric approach, Steele said, organizations need to identify their “Very Attacked People” (VAPs) and understand why they are so attractive to cybercriminals. People may be highly targeted due to their roles, the people they interact with, and their access to information — factors that vary across industries and organizations.
Wombat General Manager Joe Ferrara also emphasized the theme of people-centric security, noting that “identifying the people, training the people, and then enabling them to be able to report or get involved in the security infrastructure — this is really core to what we’re doing as we go forward.” He advised that a people-centric approach starts with identifying the risk — the VAPs — then changing risky behavior through “delivering the right education, at the right time.”
“In the end,” Ferrara said, “what we’re trying to do is turn risky users into people who are enabled and ready to identify and avoid cybersecurity attacks.”
The vital role of end users in cybersecurity was also a common thread throughout several customer presentations at the conference, as well as the closing keynote by our Security Advisor, Alan Levine. In his presentation, “#CISOWisdom, Nation-State Attacks, and Why You Need to Believe in Your End Users,” Levine — a former Fortune 500 CISO who now holds a variety of leadership and education roles in the cybersecurity community — talked about his long journey from security awareness skeptic to believer.
“Cyber awareness, for me, was a latecomer to my arsenal,” Levine said. “I was foolish for not addressing it sooner; I was a hero for having finally addressed it.” He encouraged all attendees to shift their mindset if they haven’t yet, stressing that all infosec professionals regard end users as “our very last line of defense.”
Training Users to Report Phish — Not Just to Avoid Clicks
As several presenters observed, it’s not enough to train your end users to avoid clicking on a phish — they should also be empowered to report suspicious messages. When users have been effectively trained to identify and report suspicious emails, using tools like PhishAlarm®, they become a valuable last line of defense for your organization.
Wombat’s Brand Communications Manager, Gretel Egan, noted during the pre-conference workshop that “if users start to report more (and more thoughtfully), it’s an indication that they are taking a closer look at the email they’re receiving.” A trend like this, she added, is an indication that security awareness efforts are making a measurable impact.
When users report suspicious emails, they’re avoiding attacks that slip past perimeter defenses while also feeding threat intelligence back to your security team. There is a balancing act to maintain when it comes to reporting phish, however. As Steele cautioned in his keynote, “You want a user community that is actively reporting things that look suspicious [but] you don’t want to overwhelm your backend security team.”
That balancing act has led to one of the first Wombat-Proofpoint integrations, Closed-Loop Email Analysis and Response (CLEAR). This solution combines several technologies to streamline end-user email reporting, analysis, and remediation. CLEAR automatically analyzes suspicious emails reported by users, reducing an organization’s typical threat triage time from days to minutes without requiring additional work from human analysts.
When discussing CLEAR and other integrations with attendees, Ferrara spoke about the combination of threat intelligence and user education as “natural evolutions” in the security landscape. “What we’re after is linking user activity — actions and decisions that are being picked up by infrastructure — and coupling that with education. Because that’s where you can really start to change the user behavior.”
Ongoing Innovation in Wombat’s Products
CLEAR is just one example of the new products and features discussed at the conference. “One of the critical investments we’re making is in innovation and R&D. We are very confident about what we can deliver collectively between Proofpoint and Wombat,” said Steele. He also acknowledged a need to continue investments in Wombat’s core products, as customers have long valued our innovation and industry-leading security awareness training methodology.
During the Product Update and Roadmap presentation, the Wombat Product Management team provided insights into the business drivers that impact product direction and strategy, as well as an update on how we use ideas submitted by customers in the Wombat Wisdom Community to track and determine interest in new requested features.
The team highlighted the following product innovations:
- Enhanced training modules with customization capabilities
- The Attack Spotlight awareness tools, which are free resources developed based on Proofpoint threat intelligence
- Advances in business analytics
- Improvements in user management
- Increased accuracy in phishing simulations
Also explored was how the new Proofpoint integrations will deliver value for joint customers — who will benefit from the automation capabilities of innovations like the CLEAR solution — as well as for standalone Wombat customers — who will find value in advancements like the addition of real-world phishing templates to the ThreatSim® library, as well as our free Attack Spotlight content.
Incentivizing Your Security Awareness Program
There’s been plenty of debate over whether to use positive or negative reinforcement to drive participation in security awareness training — and to keep people from clicking on a phish. Customer presentations at this year’s conference addressed the effectiveness of both the carrot and the stick.
According to Joe Krock, Humana’s Cyber Training and Awareness Leader, “Recognition and rewards are the way to drive behavior and shape behavior.” His program uses positive reinforcement to drive participation in cybersecurity activities, encouraging users to earn badges, win prizes, and earn incentives through the company’s larger wellbeing program. “I really strongly encourage it,” Krock said. “Incentives have been instrumental to our ability to get people’s attention.”
Other customers don’t hesitate to escalate with repeat offenders and users who do not complete their training. Dacia Gilkey, Information Security Officer for the Georgia Technology Authority, favors moderate enforcement techniques. In her program, users who do not complete their training by the due date are notified and given another 24 hours to finish. If that doesn’t work, the employee temporarily loses email access. Gilkey said this approach gets about 95% completion with training assignments, and the rest is largely due to “good-faith” oversight. Some presenters favored even stricter measures, but most acknowledged that enforcement can be a slippery slope and that HR teams should be involved when developing a consequence model of any kind.
Understanding Your Company Culture — and Building Relationships
Again and again, presenters emphasized the importance of understanding company culture when developing a security awareness program.
Assessing company culture and context was a particular emphasis in the pre-conference workshop, “Implementing an Effective Security Awareness Training Program: Leaping Tall Buildings in Many Small Bounds.” This well-attended event featured collaborative activities that challenged participants to identify program goals, pinpoint potential obstacles, and identify key audiences (i.e., stakeholders). These activities can help with creating a mission statement that aligns security awareness with a larger company culture.
Part of understanding company culture is knowing what your security awareness program can include — and what it can’t. In the healthcare field, for example, sending phishing simulations to employees on the front lines of patient care “is very sensitive,” one presenter cautioned. While assigning security awareness training may be appropriate for a healthcare organization’s admin, IT, and other departments, the company culture may not support training for clinical teams — at least not initially. (As was noted in the workshop, something that is off the table at one point could be on the table later. And you should always be an advocate for training users who have access to critical systems and data — which includes clinical teams.)
Understanding your culture can also mean working around the challenges of a decentralized setting, like that experienced by Teresa Banks, Manager of Information Security and Compliance Programs for the University of Arizona’s Information Security Office. For her, that means giving presentations to individual departments, and showing that she respects their particular areas of research as well as the mission of the university. “There’s nothing more important on a university campus than having relationships in every department,” she said.
On one level, aligning your program with company culture helps to reduce obstacles and gain buy-in from leadership. But it also opens doors to collaboration with other groups across your organization.
Looking Forward
As this year’s conference emphasized, the threat landscape is rapidly changing, and Wombat’s solutions are constantly evolving to help organizations keep pace with the attackers. With that said, it’s good to acknowledge that our essential outlook, goals, and commitments remain.
As Ferrara said, “Our goal has always been — whether it’s Wombat as a standalone or Wombat as a part of Proofpoint — to develop the most effective security education programs and enable you to roll out these programs easily and get the best results. That’s always been our goal, and it continues to be the goal today.”
We’ve shared the slides and videos from almost every presentation in the 2018 Wombat Wisdom Conference group in Community, and will be adding more content as it becomes available. (If you’re not already a member of this group, simply request access.)
Visit the Wombat Wisdom Community by clicking “Community” in the top right-hand corner of the Security Education Platform; the 2018 Conference group is featured on the homepage.