Short Guide for setting up a Cyber Security Awareness Program
(Version 1.1.12) Make your staff better and safer: A best practice guide for a successful awareness program. The LUCY SAPF guide will help you with the implementation of the pre-project in your organization.
Corporate security cannot be guaranteed without IT security systems and hardware. The systems are getting better and better, so it is not surprising that 97% of all cyber attacks focus on the human factor and not on the machine. And 91% of successful attacks started with a so-called phishing attack. For this reason, employee sensitization and IT-security awareness programs are becoming increasingly important.
Setting up Security Awareness Programs sometimes requires thinking like a hacker. With the Cyber Security Awareness Programme Framework (SAPF), LUCY offers a modular guideline for building comprehensive cybercrime sensitization initiatives and security awareness programs. The SAPF guide allows an efficient implementation of a pre-project for the setup of an awareness program.
Its implementation stages, such as ‘SCOPE’, ‘PLAN’, ‘RUN’ and ‘EVOLVE’, make it possible to cover all levels of the organization: normative, strategic and operational. This ensures that preventive measures in the cyber risk area are effective and sustainable.
Scoping is about understanding the business context and making strategic decisions, defining the global anchor points and conducting an initial baseline phishing and training campaign to determine where the company stands. The results are a security awareness policy, a security awareness strategy (5-year plan) and the results of the basic campaign.
Planning is all about creating a master plan for security awareness. What should be tested and trained, and in what order? Which phishing simulations will be used? Which training contents must be imperatively taught and which general IT security topics do you want to train? The results are a completed mail and web filter analysis (what goes through?), roadmaps for the testing content and the training content, a campaign plan and an established awareness training infrastructure.
The RUN phase basically refers to the individual campaign. What needs to be considered when preparing a single awareness campaign with your attack scenarios and training? The EVOLVE phase ultimately serves to ensure that the employee awareness program retains its effect on the staff, improves and that further insights are gained.
The documentation of the framework includes a description of the individual processes necessary to build a cyber sensitization / awareness program. The documentation is provided free of charge by LUCY Security. Please contact us using the following form if you wish to get a detailed handbook.
Scope, Plan, Run, Evolve - Overview of the SAPF Phases
Please note: The phases are overlapping. This is not a waterfall model.
Scoping the Awareness Programme
Level: Strategic – Normative
Goal: Why and What
Outcome: Sec-Awareness-Strategy, Sec-Awareness-Policy, Baseline Campaign
- Understand your existing security policy framework in the company. This drives what you need to test, to assess and to train.
- Understand your actual cyber risk catalogue. You need to train your staff along the attack vectors.
- Understand past security education. You need to know where you want to start with the standardized education.
- Understand your data privacy implications. Be mindful that you are gathering personal data.
- Understand your technical infrastructure and systems. Knowledge of the technical components is important. You can never plan a successful phishing program until you know and understand all the technical information involved. Example: It does not make sense to run a Dropbox phishing simulation when Dropbox access is denied by your systems.
- Perform immediate actions: Run Baseline Training and Test (in order to identify special flaws and the state of knowledge). Yes, run your first phishing and training campaign already in the scoping phase.
- Discover your stakeholders, supporters and influencing units (System Engineering, Management, HR, SOC, CSIRT, Work Council, Helpdesk, etc.)
- Investigate dependencies and interfaces to 3rd party tools.
- Define hosting strategy for the security awareness systems. Do you want to run LUCY on your own premises, on your own cloud servers, do you want to use 3rd party providers or a LUCY hosting?
- Define global goals for the programme (BHAG), desired click rates, training completion rates, and incident rates.
- Define KPIs that matter and desired training frequencies, training lengths, etc.
- Define global stages of the programme. Don’t try to address everything in one giant leap.
- Write down a global strategy (5 year plan) and awareness programme policy (The findings, definitions and decisions you made in this phase). These documents need not be large! Often one page or two is enough and the content can be integrated into existing policy documents.
- Get approval from the management, workers councils and other governance units if needed.
- Publish and communicate your awareness programme policy document and the strategy document.
Plan the Programme and its Campaigns
Level: Tactical
Goal: How, in which order and when
Outcome: Sec-Awareness-Programme-Plan, adapted environment, “it’s ready to run”
- Define Maturity Levels and Reputation Levels to be used in the tools.
- Plan and implement infrastructural adaptations (Spam Filter, Whitelists, WAF, Firewalls).
- Identify special risk groups. They will get dedicated campaigns and content.
- Define target audiences (recipient groups).
- Define starting level of tests and trainings. Do you want to start easy or already sophisticated?
- Define phases of the programme (phase planning). You can’t train everything at once. It makes sense to set priorities and bundle certain topics.
- Decide on brand usage. Attackers use well-known brands, companies, websites, etc. because they know that users are highly likely to click on them. Should your campaigns take this into account? You should also plan campaigns with your own faked or spoofed company name.
- Perform mail and web filter analysis using LUCY’s MFT function. Discover what file types go through via browser or email client. You need this information in order to decide what file types should be used within file-based phishing simulations (or to block them).
- Create the testing content roadmap for your organization (‘Attack content framework’, see below).
- Create your training content roadmap (‘Awareness content framework’, see below).
- Plan empowerment of users in identifying and reporting threats. Define the reporting process together with support desk and SOC. Roll out the Phishing Incident plugin and configure the incident console if needed.
- Create a campaign plan (Campaign & Audience Planning) for the next 12-18 months.
- Weigh the limits of any attack scenarios. Sometimes it may happen that you should run an attack simulation but the scenario you should use for it is a no-go. Are there any limitations in terms of scenarios/themes that cannot be used in attack simulations in your organization?
- Carry out the initial training campaign in the sense of basic training. Before you initialize the awareness programme and its first simulated phishing campaign in your organization, your current employees need to go through an introductory training scheme.
- Setup the reporting and communication chain in the company. When running campaigns, who needs to be informed? Who gets the campaign results? What information is distributed?
And: Don’t die in beauty!
Run Campaigns
Level: Operational, mostly single campaign
Goal: Increase awareness, knowledge and infrastructural quality
Outcome: Smarter employees and better systems
- Sender Domain: An important part of your phishing attempt is choosing the right mail sender domain from which the phishing simulation emails will be sent out. Choose domain names that will normally pass through spam filters. If this is not the case you need to whitelist them. Be aware that there isn’t much sense in using domains that would normally get filtered out via SPF protection because these will never make it to your employees’ inbox. Invitations to awareness trainings can easily be sent from the company’s own domain.
- Test run: Do a test run before firing the campaigns.
- Announce it: Do you have to notify (official) bodies of phishing campaigns?
- Schedule it. How many mails should be sent in which period of time? When should the training be sent? Immediately or after a time interval? Should phishing be sent randomly?
- Run it: Make sure you can and do monitor it in real time in case something goes awry. Don’t just do awareness training and phishing simulations. Also run ‘Bad USB’ or smishing campaigns.
- Alarm it: The employees should use the Phishing Incident Button!
- Report it: After the campaign create the report.
- Communicate it. Publish the results. People are
- Assess it: Don’t only test and train people. Run assessment campaigns using Lucy’s malware simulation toolkit. Perform extended mail and web filter tests. Assess the network using the ransomware simulator. This way you can find out to what extent malware would be successful in your network.
- Campaign Iteration planning & execution: Often the results of the campaign indicate the need for follow-up training or the need for a follow-up campaign.
- OOO / no delivery campaigns: Create more sophisticated campaigns by enabling response detection in LUCY. Create campaigns that automatically respond to auto-reply and out of office messages (ooo).
- Tutoring the weak: Create special training for the weakest employees. Pay attention to small and short training modules. Respect all employees.
- Special education for the strong: Do not allow your best and most attentive employees to slip away; they are your most important asset and your strongest defense.
- Reward it! Create incentives through rewards, awards and competitions at employee and team level!
- Analyze it! Compare campaign results, identify trends, and carry out benchmarks. Your organization is unique; comparisons with other organizations mostly make little sense.
Evolve the IT-Security Awareness Program
Level: Operational, tactical, strategic and normative
Goal: Improve staff, organization, partners and infrastructure
Outcome: More effective awareness programme
- Provide seasonal/actual content: Is there a current threat in the market or has a new security policy been published that requires training?
- Target readjustments: Are the objectives still okay?
- Process improvement. After a certain time you can certainly improve campaign preparation, reporting or alarming processes.
- Benchmarking. Once you have a basic data set and results for your organization and its units, set up a benchmarking framework and use the power of comparison and gamification.
- Cross organizational collaboration. Start to share trainings and templates with other organizations. Perform cross company ‘competitions’. It’s here where you can start benchmarking! And: You can join the global LUCY user-group if you want to.
- External Review and Certification. A review by an external body can certainly make sense; if desired, have yourself certified by a third party (e.g. through a LUCY company certification).
One level deeper - Frameworks for Testing and Training Content
The testing roadmap and the training roadmap show what you want to test, train and practice. They serve as the basis for the campaign plan, in which the concrete awareness campaigns, goals and recipient groups are planned. The roadmap documents show the management and other interested groups what learning content is to be conveyed in principle, without a time reference or detailed assignment to risk and recipient groups.
Testing Content Roadmap
Performing a phishing simulation in your own organization is nothing more than a realistic exercise to prepare for an emergency. Many companies conduct regular evacuation exercises of their office buildings. Educational social engineering measures such as fake phishing mails are virtually the same.
The Testing Roadmap helps to plan these IT security ‘fire drills’. Many anti-phishing / awareness products available on the market support not only fake phishing, but also educational smishing, vishing, USB hacks and others. Often a selection can be made from hundreds of different templates. State-of-the-art products also allow the efficient creation of individual attacks or adaptation of the templates, so that individualized phishing mails and landing pages can be created.
Training Content Roadmap
This roadmap helps you to plan which IT security content will be made available when, how and for which recipient groups. When teaching IT security training courses, a distinction must be made between what content must be taught and what should be trained. Please note that there are always different strength classes in your organization, and each should be trained according to its level of knowledge. Build the training into the daily work of your employees, award diplomas/certificates and keep the lessons short.
Mandatory Security Education
This is often referred to as compulsory training or policy driven training. The organization is obliged to enforce existing safety guidelines and safety instructions among its employees. This category includes in particular training for GDPR, PCI-DSS, ISO27001, HIPAA, etc.
Generic Security Trainings
Industry-specific training content on IT security and security in general falls into this category. This includes all topics in the field of social engineering with which the employee could be confronted:
- Phishing & malware attacks
- Password security
- Shoulder surfing
- Attacks with data carriers
- Vishing (Voice Phishing)
- Clean desk policy
- Physical security
- Visits and personal interaction (Visitors)
- Social Engineering in general
- Use of public Wi-Fi
- Mobile devices
- Safe travel
- Security incidents
- Cloud and Internet Security
- Malware
- BYOD
- Email security
Depending on the industry, there are additional special modules such as:
- Classification of information
- Industrial Security
- Credit card data handling
- Handling of personal data
- Handling of patient data / health data
- Physical data carriers / disposal companies
Small or large Project?
The answer to this question depends mainly on the size of the company. Of course, the IT security awareness level of the organization also plays a role, as does the number of organizational units, risk groups, stakeholders etc. affected.
Smaller companies with a proactive decision-making culture can implement the basics for an awareness program including the first Baseline Phish and Train campaign in two to three days. Larger institutions, on the other hand, can take weeks or months to implement such a project. It’s not so much the amount of effort involved that matters, but rather the lead time. Welcoming all affected or involved stakeholders, as well as decision-making in a heterogeneous environment, simply take time.
Need to run a phishing simulation only?
If you just want to configure and run a phishing and/or training campaign: The article ‘Plan your Phishing Simulation Campaign – Successful implementation of an attack simulation: tips and tricks‘ will help you if you want to carry out your specific campaign.
The Security Awareness Wiki of LUCY helps here too. The Onboarding Checklist is the most comprehensive technical guide for cybersecurity awareness programs on the Web.
Need advice?
We have hundreds of customers in over 40 countries. We are pleased to assist you. Please contact us with this form.