
Friday, June 27, 2014

Training Trouble: Why E-Learning Doesn't Work for Everyone

I took a little look back at my calendar today and it seemed high time for a blog. My colleagues and I took a little hiatus to finish up the first draft of our corporate book—a project 6 months in the making and one we are very excited to be bringing your way soon. Check back throughout the year for more information about how to get a copy of our step-by-step guide, From Here to Security.

But for now, we're back in the business of blogging—and with something a little different this time.
I know my blogs usually cover ITSec, security breaches, and big business blunders when it comes to securing sensitive information. But in my work on the book, I've really felt a renewed interest in covering the "Why" of all that. Why are companies struggling to close the gaps in corporate security? Why are we seeing a dramatic rise in security breaches in the news?

While I don't believe there is one right answer that covers everyone, I do think that inadequate training has a lot to do with it.

I was poking around some e-learning sites today and stumbled across this article: 5 Reasons that Everyone Should Know: Why E-learning Projects Fail. And, in fact, Sonal Paul does a pretty good job laying out a number of the pitfalls companies fall into when establishing an online training program. According to Paul, the 5 main problems are:

  • Poor Need Analysis
  • Gaps in Communication
  • Poor Project Management
  • Failing to Understand the Learner
  • Wrong Instructional Strategy

Bing, bing, bing! That list hits some pretty big nails right on the head. As a company that specializes in crafting training campaigns and individual courses for big businesses, I'd say that our clients run into at least one of these in almost every project (and especially big projects usually struggle with all five).

But listing the problems doesn't even come close to solving them. Many of our e-learning clients would be ill-equipped to address these issues even if they were well aware of the problems up front. So I'd like to take Paul's article a step further and offer some practical advice on each of these points.

Monday, December 23, 2013

Risk, Recrimination, and Reporting: Detecting and Handling Breaches

I read Ericka Chickowski’s article on empowering employees to detect outside attacks earlier this month and I made some notes that have finally found their way into a blog…three weeks later.

Well, better late than never—especially when it comes to the importance of teaching effective employee behaviors. There is always something good to say about it. Here’s my sum-up of this article: Chickowski is 100% right, and she has some particularly notable quotes here.

Monday, December 9, 2013

Phishing Infographic: Don't Get Hooked!

By now, most folks are aware of phishing emails—or at the very least, that social engineers use email to steal average people's sensitive information. Yet, we are continually surprised that the how and why of phishing still eludes many average folks. What do phishing emails look like? How would someone get information from me through an email? What could a social engineer do with that information?

Some folks just respond better to pictures and diagrams. So...voila! Our first foray into the world of infographics, and what is hopefully the first of many.


Employee Training: Out of the Box

As a training company, this is just one more way for Sight Training to encourage folks to do their homework—and by homework, we mean doing a little extra checking before you hand over sensitive information through a phishing email. Your credit card number, SSN, and bank information are yours and no one else's. Guard them at all cost. 

And remember: emails are just digital versions of the in-the-flesh thieves who are behind them. They can dress up and look impressive. They can be cool, casual, and persuasive. And they can pull off an official posture with approved logos and embedded links that mimic real websites. Here are a few more tips:
  1. Remember: stranger danger! Don't know who sent it? Don't open it.
  2. Be wary of attachments. 
  3. Ignore commands and requests for action—no matter how urgent they may seem.
  4. Use the phone. Try contacting the sender by telephone. If the email is from your “bank,” then you should be able to get the truth pretty quickly. And if you cannot get in touch with the sender, then delete the email and forget about it.
Slow down, take a deep breath, and think about what you are doing before you offer it up to a social engineer on a silver platter.

Thursday, November 14, 2013

Oh, the Humanity! Train Employees to Say "No" to Social Engineers

Let’s set the scene for the third social engineering tale in our story series “Oh, the Humanity.” A Fortune 100 company asked us to test their defenses against pretext calling, email phishing, and physical security. The best part? They pretty much just gave us carte blanche and asked us to figure out how a social engineer would develop an attack.

After making a few phone calls and obtaining a few seemingly innocuous pieces of information (we call them “building blocks”), we decided to make an attempt to obtain VPN access to their network. Through their audit, we had already obtained the Cisco VPN client and had numerous usernames and passwords. All we needed was a host name.


Thursday, October 31, 2013

Frontline Employees: Stop Being Polite and Start Getting Suspicious

Back in the late 90’s, I began a career path in college administration. I started slow, worked my way around a few schools, and tried out lots of positions: lowly student intern, undergrad admissions officer, international student admissions coordinator, marketing and creative officer. At one school, I even took over admissions for a while.

And I loved it, most of the time. There is something exciting about growing a department from the inside; creating policies and procedures that improve life for everyone, helping young people realize their dreams. I worked at some outstanding institutions.

But every institution I attended, visited, or worked for struggled with a common issue: low-level security awareness among frontline employees.

Tuesday, October 29, 2013

Employees and Social Media: If You Can’t Beat ‘Em, Then Train ‘Em.

With the exception of few stodgy holdouts, pretty much everyone has a social media account or two—or maybe five. I mean, why share everything on Facebook? Why not open up the fascinating details of your suburban, middle-class life to a wider audience? There are life-changing food photos to post to Instagram, quippy thoughts to share on Twitter, and that hilarious meme you whipped up last week that’s begging to get posted on Reddit. More exposure! More, more, more!

An awful lot of us have this attitude now—and if your supervisors are aware of your tendency to tweet first and apologize later, then they may be freaking out. In fact, according to a Javelin Research report from earlier this year, 69% of companies are concerned about employees’ social media use. While a half hour here or there may not seem like much, even on the company clock, it can add up to a lot of lost revenue, thousands of security threats, and plenty of potential bad press if you can’t keep it in check.

Fortunately, according to CSIdentity, businesses have two good options to keep their employees’ social media usage from causing harm to the business: create clear policies and keep employees educated.

Friday, October 25, 2013

Cute-Girl Voice: A Social Engineer's Secret Weapon

This just in: a highly informal study of a teeny tiny group of people suggests that men may be more likely to give up sensitive information over the phone if they think they’re speaking with a cute girl.

Surprised? Yeah, me neither. What did surprise me, though, was just how easy social engineering really was.

Tuesday, October 22, 2013

Working Together: Technology and Education Necessary to Prevent Phishing

I've been in the education business for a long time. I was a public school teacher first, and spent a good deal of effort educating middle school and high school students. Then, years ago, I made a career shift into the information security business and made a career out of teaching employees how to avoid opening their businesses up to the threat of social engineering, phishing, and pretexting.

In both cases, education is necessary for success, and I'm always interested in the ongoing argument in the information security world: Tech or Teaching? Recently, Robert Lemos asked the same question on Dark Reading. Here are some takeaway points from that article.