Managed Security Awareness Training

Fully Managed Security Awareness Training & Threat Simulation (mSAT). Need time to concentrate on your business/role? mSAT is designed for you…

Behavior change should be the primary goal of your security awareness training program. You want users to break bad habits and learn new skills (and how to apply them) in general. But you also want to address risky behaviors that are most likely to impact your organization’s mission. It’s why education activities logically follow the vulnerability assessments outlined in the “Identify Risk” section. Awareness and training are two different things: knowing that a threat exists is not the same as knowing how to detect and deal with the threat when it presents itself. Education leads to behavior change—and a stronger last line of defense. Spambrella-managed training services will help your organization reduce its exposure to user-driven cybersecurity threats.

To effectively and efficiently change employee behaviors, our mSAT allows you to deliver a combination of:

  • Broad, organization-wide training
  • Targeted, threat-based training

Delivery: How we run your cybersecurity education program.

So you understand the need to educate the workforce, and you understand the threats and the social engineering tactics imposters use to exploit your employees, yet you do not have the time or personnel to manage a security awareness training platform… Spambrella’s mSAT is the solution. Join us for a demonstration to understand the service we provide and how we can schedule a blend of security and compliance or insider threat training programs. Our team will then work with you to design a user education schedule that delivers a steady flow of email threats combining phishing, attachments and other lures to see how end users interact. Over time we will be able to see that user education works and that your workforce, employees, and brand are safer than prior to your investment in mSAT.

The primary focus is around baseline measurements, fundamental cybersecurity topics, and key learning objectives for users who have had limited or infrequent education about best practices and essential security behaviors.

Identify Risk: Threat Phishing Simulations

Email remains one of attackers’ favorite tools for targeting users and infiltrating organizations. Threat Phishing Simulations allow us to gauge your employees’ vulnerability to three key threats:

  • Embedded links
  • Malicious attachments
  • Requests for sensitive data

The Threat Simulation library includes thousands of customizable templates across more than 35 languages. We can:

  • Test employee responses to a variety of lures, including industry-specific communications and perennial threats (like tax and shipping scams).
  • Use Dynamic Threat Simulation phishing templates to send simulated attacks that reflect current lures spotted in the wild by Proofpoint threat intelligence.
  • Present a “Teachable Moment” to anyone who falls for one of our tests. These brief, action-oriented landing pages can be delivered to users who engage with simulated phishing attacks. This allows us to provide context for users and raise awareness of anti-phishing behaviors.
  • Automatically enroll users who fail a targeted threat simulation test in follow-up training. We ‘generally’ use this feature once a quarter to deliver appropriate education modules to employees who perform poorly on phishing simulations. (See our recommendations for Auto-Enrollment in the suggested schedule by contacting our sales team.)

How we use Phishing Simulations.

Before we formally launch your phishing assessments, we’ll send a test simulation to a small group of “in-the-know” members of your organization. This will help you identify any potential technical hurdles before Spambrella begins sending a broader test.

When you’re ready to launch, we recommend sending a “blind” phishing simulation to establish a baseline vulnerability measurement. What we mean by “blind” is that no “obvious” Teachable Moment or training assignment is attached to the phishing simulation, so the user doesn’t know they’ve been sent a test. Instead, opt for an “Error Message” Teachable Moment, which resolves to a browser error window. Blind phishing tests help to eliminate crosstalk (or the so-called “prairie dog effect”) among users, giving us the best opportunity for a reliable measurement.

Your baseline test should be of moderate difficulty; essentially, we’ll want to send a simulated attack that you believe a trained user would recognize to be dangerous. Following that, we recommend that we:

  • Run phishing simulations every four to six weeks, and mix it up: use different threats, themes, and lures. Our team will collaborate with your email and messaging teams so you can identify templates that correspond to the threats your organization is facing.
  • We’ll start with relatively “easy” tests and progress to more difficult tests as your users’ abilities improve. Our testing experts will leverage end-user ‘average failure rates’ (AFRs) within the ThreatSim interface to choose and amend the scheduled tests at the right time.
  • We suggest Auto-Enrollment on three or four tests a year. We’ll select training that aligns with the test we sent (for example, if we sent a link-based simulated attack, we’ll assign our ‘Avoiding Dangerous Links’ module).
  • For best results, we will require users to complete follow-up training assignments within one week. This ensures that users will connect the dots between the simulated attack, the mistake they made, and the actions that will help them avoid real phishing messages.
  • Suggestion: Let end users know that they may see brands from well-known companies in our phishing exercises in order to effectively simulate real-world attacks. Instruct users to report suspicious messages to your IT security team rather than reaching out directly to external companies and brand owners.

Change Behavior: End-User Training

Don’t mistake it: behavior change should be the primary goal for your security awareness training program. You want users to break bad habits and learn new skills (and how to apply them) in general. But you also want to address risky behaviors that are most likely to impact your organization’s mission. It’s why education activities logically follow the vulnerability assessments outlined in the “Identify Risk” section. Awareness and training are two different things: knowing that a threat exists is not the same as knowing how to detect and deal with the threat when it presents itself. Education leads to behavior change—and a stronger last line of defense. Spambrella managed training services will help your organization reduce its exposure to user-driven cybersecurity threats. To effectively and efficiently change employee behaviors, our mSAT allows you to deliver a combination of:

  • Broad, organization-wide training
  • Targeted, threat-based training

Broad, Organization-Wide Training

The Spambrella training approach is rooted in learning science, applying key principles that facilitate adult learning and knowledge retention. Our tools can help you build a strong cybersecurity foundation across your organization—and build on that foundation over time. We offer localized content in more than 35 languages and help you deliver training across a range of cybersecurity topics. In the suggested schedule later in this document, you will see recommended organization-wide training assignments for the following courses:

  • Security Essentials
  • Email Security
  • Introduction to Phishing
  • Mobile Device Security
  • Password Protection Series (4 modules): Beyond Passwords, Multi-Factor Authentication (MFA), Password Management, Password Policy
  • GDPR Global Training
  • Insider Threat
  • Safe Social Networking
  • Safer Web Browsing
  • Social Engineering

Threat-Based Training

With the changing threat landscape—and the variety of ways threat actors target individual organizations—it’s critical to keep users in tune with emerging threats. The vulnerabilities you identify during phishing simulations and the review of threat reports should guide your threat-based training choices. In our suggested program schedule later in this document, you will see our preferred delivery methods using the Auto-Enrollment feature within ThreatSim to automatically assign the following mini-modules from our “Securing Your Email – Fundamental” series to individuals who fall for email-based phishing tests:

  • Avoiding Dangerous Attachments
  • Avoiding Dangerous Links
  • Data Entry Phishing

Points to Keep in Mind

  • Though we have been prescriptive in our delivery with a planned schedule, your assessments and your organization’s experiences and resources should guide your training choices and program cadence. For example, if you uncover a widespread cybersecurity issue within your organization, we should prioritize organization-wide training about that issue over the training assignments we’ve pre-scheduled.
  • Spambrella and your dedicated mSAT expert will provide an adjustable, color-coded schedule that coincides with the above.
  • Please contact sales@spambrella.com for more details or to arrange a live discussion and demo on mSAT services.

 

Benefits

  • Fully Managed Training Delivery
  • Fully Managed Threat Simulation
  • Targeted, Threat-Based Training
  • Real ‘In-the-wild’ Threats
  • Clear Insight into End-User Progression
  • Affordable for Small and Large Organizations
  • Dedicated Training Manager
  • Managed Training Reports
  • Randomized Phishing Tests
  • Excellent Training Materials
  • Gamification Online Training