Solution providers that already sell security software, such as email filters, Web filters or antivirus products, are well placed to offer an additional, revenue-generating service: email security awareness training.
There’s an effective strategy you can employ to show customers how much they need training for their employees, one that will help you get the employees engaged early on. What is it, and just how can it help your security solution provider business? That’s what we’ll discuss in this tip.
Employee security awareness training
In an era when employees at all levels of the customer’s organization have email and Web access, every employee should be trained to identify attack techniques and report suspicious emails. Many email users can easily detect the clumsy attacks seen in the past, but spam messages containing obvious misspellings or offers of millions of dollars have been replaced by more sophisticated attempts. Spear phishing (email appearing to come from someone known to the recipient) is particularly difficult to detect.
If your customer is reluctant to believe its employees need security training, offer to create an email security awareness test. Send a series of simulated attacks to a cross-section of employees. These attacks will be harmless, but the resulting replies will demonstrate why training is a necessity and will overcome the customer’s reluctance.
Start your training with a quiz
Kick off your course with a quiz to determine how well the participants understand email security risks. The quiz should not take long -- just 20 to 30 minutes. An effective approach is to give a quiz with a series of basic questions such as, “Is it safe to trust the ‘From’ address in an email?” Your quiz should contain a number of spam and phishing emails of varying levels of sophistication that address each of the typical attack types. Also mix in a selection of legitimate emails. Ask participants to indicate which of these sample emails are attacks.
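The quiz question “Is it safe to trust the ‘From’ address?” has a concrete answer: the header is plain text that the sender sets, so the checks worth teaching are the ones that compare it against something else. The script below is an added example, not material from the original tip; it inspects three constructed sample messages (one legitimate, one spear phish borrowing a colleague’s display name, one lookalike domain) and lists the red flags an attentive reader could have spotted. The trusted domain, the contact list and all three messages are assumptions made up for the example.

```python
"""Header and link checks behind the quiz question "Is it safe to trust the
'From' address?". All sample messages and names are constructed for this
example; they are not from the original article."""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Dict, List

# Assumed for the example: the customer's own domain and a known contact list.
TRUSTED_DOMAINS = {"example.com"}
KNOWN_CONTACTS = {"alice example": "alice@example.com"}

# Constructed sample messages (hypothetical; the people and hosts do not exist).
SAMPLES: Dict[str, str] = {
    "legitimate": """From: Alice Example <alice@example.com>
To: bob@example.com
Subject: Q3 budget
Content-Type: text/plain

Bob, the draft is on the shared drive.
""",
    "spear_phish": """From: Alice Example <alice.example@mail-relay.net>
To: bob@example.com
Reply-To: alice.example@mail-relay.net
Subject: Urgent wire transfer
Content-Type: text/plain

Bob, please process the attached invoice today.
""",
    "lookalike": """From: IT Helpdesk <helpdesk@examp1e.com>
To: bob@example.com
Reply-To: helpdesk-reset@webmail-host.org
Subject: Password expiry
Content-Type: text/html

<p>Your password expires today. Reset it at
<a href="https://examp1e.com/reset">https://example.com/reset</a></p>
""",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def red_flags(raw: str) -> List[str]:
    """Return the human-checkable warning signs found in one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags: List[str] = []
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)

    # 1. A known colleague's display name on an address that is not theirs.
    expected = KNOWN_CONTACTS.get(display.strip().lower())
    if expected and expected.lower() != from_addr.lower():
        flags.append(f"display name '{display}' impersonates {expected}; real sender {from_addr}")

    # 2. Lookalike domain: not one of ours, but a single edit away from one.
    if from_dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if levenshtein(from_dom, trusted) == 1:
                flags.append(f"sender domain {from_dom} looks like {trusted}")

    # 3. Reply-To steering answers to a different domain than the From address.
    reply_dom = domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_dom and reply_dom != from_dom:
        flags.append(f"replies go to {reply_dom}, not {from_dom}")

    # 4. A link whose visible text names a domain other than its real target.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    link_re = r'<a\s+href="https?://([^/"]+)[^"]*"[^>]*>([^<]*)</a>'
    for href_host, label in re.findall(link_re, text, re.I):
        shown = re.search(r"https?://([^/\s]+)", label)
        if shown and shown.group(1).lower() != href_host.lower():
            flags.append(f"link text shows {shown.group(1)} but points to {href_host}")
    return flags


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", red_flags(raw) or ["no red flags"])
```

Each check maps to one quiz talking point: the display name is decoration, the address domain can be one character off, Reply-To can silently redirect the conversation, and link text is not the link. The script deliberately does not touch SPF or DKIM, which are filter-side controls; the point of the quiz is what a reader can see without tooling.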
Numerous examples of both types (legitimate and malicious) of quiz questions can be found on the Web, and the Federal Trade Commission has developed a set of quizzes that are also available online. You can draw upon these examples or create your own quiz questions. Carnegie Mellon University’s CyLab has also created a set of games that teach players how to avoid spam and phishing attacks. These games are available commercially through Wombat Security Technologies Inc.
After participants have completed the quiz, bring them together to discuss each of the attack techniques used in the quiz questions. It’s best to keep class size fairly small to facilitate discussion. Explain how each malicious message could have been spotted.
Examples of spear phishing are difficult to include in a quiz because their success depends on appearing to come from an associate. Place extra emphasis on the dangers of this technique when training government, defense contractor or financial services employees. Emphasize how attackers can gather information about an organization, and the email addresses of group members, from social media sites.
Email and Web security course content
Your email security awareness training course should explain how employees should work with the email filter product used at the customer site. For example, many email filters require each end user to “train” the filter by periodically checking filtered email and indicating any legitimate email that was erroneously identified as spam. End users can also add senders and domain names to the “blocked” or “allowed” list.
At customer sites with Web filters, tell employees whether the filter blocks certain sites outright or allows access but logs it for monitoring. Also explain the customer’s policies on topics such as access to social media sites and the security risks that come with it.
A single email security awareness training course will probably not be appropriate for employees of varying levels of email experience. Using a building-block approach, create a set of course modules that begin with the simplest types of attack and also create a module of more sophisticated material for experienced users. Experienced users will not need to use the basic modules. However, all employees, regardless of their technical expertise, must understand how to interact with the filter products installed on the network.
Finally, arrange for periodic follow-up customer training, both to train new employees and to bring others up to date on the latest attack techniques. If possible, also arrange to periodically send harmless but realistic attack attempts to your customer’s employees. Use the results to continue to emphasize to your customer the need for ongoing education.
About the author:
David B. Jacobs of The Jacobs Group has more than 20 years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software start-ups.
This was first published in September 2011