Why Should Penetration Testers Conduct Security Awareness Training?
If you are reading this, I am sure that at some point you have had to suffer through some form of security awareness training. While we commend companies for trying, let's face it: the majority of participants are just clicking through some computer-based training as fast as they can so they can get their certificate stating that they completed it. One of the ways we've seen to improve the effectiveness of security awareness training is to make it targeted and customized. Rather than checking the box, security awareness training can focus on real-world examples and targeted walkthroughs from the perspective of the attacker (or penetration tester, in this case).
Why Should Penetration Testers Conduct My Security Awareness Training?
- Engagement – Odds are that security is not a top priority for the majority of folks at your firm. By having a real person provide security awareness training (either in-person or virtually), overall engagement will be improved, as opposed to having some sort of online, click-through style training. Additionally, to further improve engagement, our training centers around either previous social engineering campaigns we’ve run on the organization (with permission, obviously) or other successful campaigns we’ve run for similar organizations. This adds an element of “realness” and makes the training more interesting as it covers attacks that actually happened, with screenshots and videos, rather than theoretical attacks with no practical lessons.
- Real world experience – By providing real-world examples of how our penetration testers have been hired to hack into different firms, we are able to convey relatable events to participants that could very well happen to them. Would you rather hear about the time one of our hackers called a C-suite executive and talked them into handing over their password, or look at a cartoon of Mary who left a confidential document sitting on her desk?
- Questions and Answers – There is no opportunity for Q&A when completing online training. We have found that the Q&A portion of our training is the most engaging and beneficial. Participants often ask great questions about security in general that we love addressing, and the answers provide some context for things they've heard in the news or in their day-to-day lives, such as password selection or the use of a VPN.
- Security awareness training never ends – After the initial training session, we always have participants reach back out with questions and we are happy to continue the discussion. At Triaxiom, we partner with firms and make ourselves available to help in any way that we can before, during, and after our training sessions.
At the end of the day, any sort of security awareness training is better than nothing. Having a penetration tester, who is as close to the mind of a real attacker as you can get, perform the training has some significant benefits. Of course, computer-based training offers flexibility as far as attendance goes that an in-person or webinar session can't rival, but we always record our training sessions and provide the recordings to organizations so they can use them later. Many of your employees will appreciate a more engaging session, and the knowledge shared is more likely to stick with them, which, in turn, makes your company that much safer.