An important part of any information security program is having empowered and aware users. They are integral to any organization's defense against Bad Things™: users who can recognize when something is "not right" and then know what to do when their spider sense goes off, folks who think about the communications they receive and ask questions. One way to start engendering that in an end user population is security awareness training. It's certainly a requirement for most compliance programs, and it makes sense even if you have no particular standard against which you are being measured.
It's just good hygiene. If the training is decent, users can even apply the lessons learned to their home lives, and that just makes everything a little bit better. Far from a panacea, but an important cog in a larger infosec program's machine.
Two components of a training program are of note: content and delivery. Content is relatively easy; there are plenty of resources on the interwebs, lots of good, frequently free, material. But once you have the material, you need to get it in front of the end users. And most compliance programs require that you track that activity and record it for posterity (or the next audit). That usually costs money.
Some people roll their own, or have in-house Learning Management Systems that they upload the content to. SCORM is a popular format; a company's LMS may be SCORM compliant, or they can use the SCORM Cloud service. Those platforms can get a little pricey. We've used SCORM Cloud with Cofense's SCORM compliant training in the past with some success. Other vendors provide an LMS platform with canned training; SANS.org has an offering which meets the need, but also costs money.
That time when we got LinkedIn spam…
Earlier in the year, we got a LinkedIn request from a local company called Wizer, touting an LMS and basic Security Awareness Training for free. Ironically, we were intrigued: LinkedIn spam to advertise a Security Awareness platform. Our LMS subscription was up for renewal, and after some back and forth with their rep, we decided to give it a try. It makes a good story, that time we got what looked like spam and it turned out to be useful…
The free version is just that, free. For content, you get several training modules: a basic Security Awareness module, a "Government" focused training, and a "Back to School" module.
It provides a level of tracking and reporting as employees complete the assigned training.
For a nominal fee per user ($12 per year) you can expand your training catalog with canned training in:
- New Employee Onboarding
- California Privacy
- Insider Threat
- Executive Training
The paid version also gets access to the phishing simulator, a phishing email game for employees to try their hand at identifying fraudulent emails, and access to create your own training based on uploaded videos and admin-created quizzes on that content. Lastly, it also allows your administrators to upload PDF policy documents for end users to read and acknowledge.
The policy module is pretty straightforward: you can upload PDFs of your documents, or provide a link to them, and the system records each employee's acknowledgement. It's tied to their logins, so if you have good access control on employee email, it's almost as good as a signature (and usually good enough for most compliance exercises). It's nice to have all the things an employee might need in one place.
In addition to the phishing training module, there is a phishing email simulator, which sends phishing emails to your employees and measures their response. Did they open the email? Did they delete it? Did they report it?
The phishing simulator is still marked as beta, but appears similar to the likes of Cofense's PhishMe, with easy to read reporting and a selection of realistic looking templates. It does require similar setup, allowlisting their email sender to avoid the phishing filter integrated into the likes of Gmail, but the setup is straightforward for email admins.
What we found more interesting, and potentially more useful as a training tool, was the phishing "Game" you can deploy to your end users through the portal.
The game shows a selection of phishing emails and asks the user to determine whether each email is legitimate or an attempt to phish them.
When the user makes the wrong determination, it then walks through the anatomy of the email to show them what to look for.
It's a clever way to demonstrate, and the Wizer folks say it's different examples every month. Used standalone, or as a complement to the training module or the "real" phishing campaign, it shows, in more than just slides, what these emails can look like and how to spot them. The examples are pretty good, and it's a quick "game" to play, with a tangible result for the end user.
The employee app is very mobile friendly, it remembers your progress for the longer training, and the training modules are subtitled, so they can be done with the sound off. Very user friendly. The trainings take ~30 minutes, and each segment is a minute or two long, for those short attention spans, or to watch part of it between other activities a busy employee might be engaged in.
What did we really think?
I only have two gripes. The employee app should have an option for small icons: it is mobile friendly, but on the desktop I have to scroll around to get to stuff that I might expect to see in the same view. The admin training dashboard has the same problem. I'd like small icons or a list as an option.
The second gripe is around reporting. I'd like the ability to have a comprehensive, company-wide report across any or all of the modules. Currently, you have to drill into each module, then into each department, to see who has completed that training. That gets cumbersome if you have multiple departments taking different training modules. The support folks tell me that enhancement is coming soon.
For a small business with no LMS, no budget for one, and modest compliance requirements, it is a good fit. The employees don't hate it, the animations are clever and don't distract from the message, it's easy to use, and it's feature rich.
Wizer has done a good job.