It’s Olympic Games time again, and we could all do with a great distraction from the past 18 months! Unfortunately, a distracted audience is exactly what many cyber-attackers are hoping for, too.
The evidence is huge that the Olympics is a prime time for attackers to launch phishing scams that leverage the hype and the buzz around the games. Back in 2016, ahead of the Rio Olympics, Kaspersky research uncovered a huge number of phishing scams that offered victims fake tickets to the games, false lottery wins for free hotel stays and flights to the event, and even connected items such as new television sets to watch the Olympics in wide-screen, HD delight. In the month of the 2018 World Cup, phishing attacks rose by 67%. Bringing us up to date, this year the Identity Theft Resource Center has put out an official warning against a rise in scams in the lead up to the Tokyo Games, including fake ticket sales, fake travel offers, counterfeit memorabilia, and more.
Tokyo’s 2020 Olympic Games are therefore the perfect opportunity to share some of my own personal insights about real-world fitness and training, and transfer the messages onto Security Awareness Training.
My First Marathon
As a young basketball player, long-distance running was not my favorite, to say the least. Even the pre-season challenge of 2km got me groaning “Just give me the ball!”.
Fast-forward to August 2006, and I’m standing in Budapest, Hungary on the starting line for my first marathon. 42km! Teenage me never would have believed it. Getting me to that place, and meeting my ongoing goals for long-distance running look like a lot of hard work and perseverance. It also involved four major principles that I believe are just as essential for Security Training as they are for Marathon Training. Let’s break them down.
4 Essential Principles for Security and Marathon Training
#1. Goal Setting
Setting effective goals is an essential part of any training, whether it’s for a simple basketball game, a Marathon, or the Olympics! It’s not enough to simply aim to “do your best”. I knew that I wasn’t looking to break any records, and I also knew that I didn’t only have one shot at this Marathon. This would be my first time, and I needed to set reasonable goals that were achievable.
To do this, I turned to my coach. He had a rich experience working with trainees at my level, of my age, height, and weight, and he understood my level of motivation. With his help, I made two goals. 1. Get to the finish line! 2. Make that happen in under 4 hours.
Security Awareness Training is no different. There’s no point making a goal to eliminate all high-risk employees for example, and you don’t have just one chance to make an impact. A valuable partner can help you to set reasonable goals that you can present to your board to get buy-in for a Security Awareness Program.
#2. Continuous Training
Tears in my eyes and my heartbeat through the roof – I crossed the finish line of my first Marathon in Budapest. Mission accomplished! I was so delighted to have reached this goal. It was hard to put into words how excited I felt to have accomplished something that just months earlier had seemed so unachievable.
And my time? 4 hours…. 7 minutes! So close! Luckily, I had a continuous training program established, and after a week – I was back to it. I still remember how my coach laughed when I told him I could only practice one day per week. He said that the only way I could achieve my goals was to set a daily practice with zero excuses. It sounded like too much to ask, and yet somehow getting up every morning, come rain or snow at 5.20 am soon became a habit.
The same exact psychology is important for Security Awareness Training. There is no point in setting a security awareness training day, an annual workshop, or a periodic educational newsletter for your staff. Employees need continuous training, with 100% of staff trained every single month, as part of their daily work. It has to become a habit, as much a part of their routine as their daily exercise – or it just won’t result in behavioral change.
#3. Variety of Training Conditions
Another coach I’d had in the past – this time in my Basketball days – comes to mind. During the whole season, he had us focus on the final challenge, the last 30 seconds of the final game of the finals, in four different varied conditions. By the time the real game came along – we were ready for anything.
When I competed in my next Marathon, I took the same mindset with me. I was going to cross that finish line in under 4 hours! Towards the 37km point, a bridge ahead felt like an impossible task, but I knew what to do thanks to the variety of methods I had been trained with.
The lesson for Security Awareness Training here is clear – a one size fits all training methodology helps no one. A variety of conditions is an essential part of learning a new skill.
#4. Data-driven Techniques
While training, the only way to make sure that I was going in the right direction was to make sure that I was measuring as much data as possible. I had been tracking my pace, my time, and my heartbeat with quantitative data. I had used qualitative analysis from my coach to monitor my weaknesses and train to improve them. I’d even tracked my shoes to see when to switch to a new pair!
From the data we were tracking, we had added exercises to improve speed and technique, and as we’d continued to practice, 10, 15, 24, up to 100km per week, I could see the improvements I was making. I knew I could meet my goal. Thanks to the training, I crossed the finish line at 3 hours, 57 minutes! I had done it! I was as happy as if I was holding that Olympic gold medal!
Measuring the right data is just as important as setting the right goals and continually training in a variety of ways to make them happen. Security Awareness Training it’s about moving away from looking at click rate, (which doesn’t even tell you whether employees have seen the training content) and towards more granular metrics such as MTBF (Mean time between failures) or the number of high-risk employees over time. This data will tell you if you’re moving towards your goals.
Making Training Best-practices Work for your Organization
These 4 principles are the grounds of any modern training program. That’s why they work equally well for Marathon training (and Olympic training!) as they do for Cybersecurity Awareness Training!
If you’re ready to discuss adding these best practices to your own employee training strategy – schedule a demo.