Info Security PG: What’s more important, training application developers or end-users? How is Wombat’s cyber security training solution different from traditional training?
Joe Ferrara: We believe it is important to train both end users and application developers. However, our focus is on end users, which is often the most overlooked area in a company’s security defense. No matter how airtight the security infrastructure is, one wrong move by an end user can lead to a security issue, a breach, and loss of data. Most recently, the industry has seen a shift in the attack target from the infrastructure to the end user through social engineering, phishing attacks, and other methods… and many people today consider humans to be the weakest link in security.
Wombat’s cyber security training is different because of its application of learning science principles, coupled with cyber security expertise and engaging software techniques. Users are taught practical concepts and they practice them immediately as part of the training, which results in longer retention of information. Each training module is less than ten minutes and collects critical data to understand vulnerabilities. Not only is the training more effective, it is also measurable.
We recommend a combination of simulated attacks and ongoing training to reinforce the concepts taught. Many customers start by sending a simulated phishing attack to their employees, which provides immediate training and collects baseline data about employee susceptibility to attack. Wombat’s Security Training Platform combines the simulated attacks, training modules, administrative functions, and reporting and analysis all into one system. The Platform enables CISOs to show employee knowledge improvement over time. Our customers have seen significant reductions in the susceptibility to attack.
Info Security PG: What important advice would you give to security officers so that they can plan and implement their training programs better?
Joe Ferrara: What I find interesting as I talk with CISOs is that many are still in the “check the box” mode with cyber security training, just worrying about whether someone has taken training and not worrying about how effective the training actually is. Most get less than 60 minutes a year for cyber security training across the organization, so it’s more of a firehose treatment where they hope that something sticks. With our solutions, the CISO and their team take a much more proactive stance, first by attacking their employees to get a baseline of vulnerability and then training in bite-sized modules that focus on specific subjects so employees can learn and retain the information. Many organizations are still hesitant to attack their employees, but the reality is that the cyber criminals aren’t hesitant at all. Either way, they will get attacked. At least if the company does the attacking, the employees who fall for the attack get immediate training and the security team can address training needs proactively.
The advice I give to security officers is to use the data that we gather to track the success of their training, but also to justify the cost of the systems, including the training solutions, to their management team. With the cost of cyber security attacks, the proactive approach to safely attack and train employees is easy to justify.