CISO Success Story: The Best Cure for Boring Cybersecurity Training
“Privacy evangelist” Ken Fishkin had a strong sense the cybersecurity video training at his 350-person law firm wasn’t exactly getting through. How did he know? Too many kept falling for scams. Here’s how he fixed that.
Plenty of companies (maybe yours) rely on those mandatory cybersecurity training videos to walk employees through potential online dangers like phishing emails, weak passwords, and malware. But are the employees really paying attention? Or are they just playing on their phones?
Some outfits that produce these cyber training films have upped their game, injecting videos with Hollywood-style drama, suspense, and special effects. And while that may help, it doesn’t address another concern increasingly on the minds of chief information security officers (CISOs): Even if their employees absorb the information presented, it’s often so generic that it really doesn’t cover the specific kinds of cyber scenarios that tend to happen in their particular industry.
Boredom and relevance remain the two biggest challenges for anyone setting up cybersecurity training, which is why self-described “privacy evangelist” Ken Fishkin decided to employ a more personal touch.
Fishkin had a strong sense the cybersecurity video training at his 350-person law firm wasn’t exactly getting through. The senior manager of information security for Lowenstein Sandler found that many lawyers and staffers at the firm were falling prey to scams delivered through the software applications DocuSign and Dropbox. Law offices rely on these apps for sharing documents that need to be signed and approved, and lawyers, paralegals, and other staffers receive a lot of these emails on a regular basis.
As a governing body member of the New Jersey CISO Community and the state’s chapter president for the cybersecurity training organization ISC2, Fishkin knows that attacks using applications like DocuSign are on the rise and increasingly sophisticated. Rather than just use typical phishing techniques, some threat actors are creating real DocuSign accounts to bypass spam filters. The email appears to come from a real person and real company, with an explanation of what the document is, and the user is asked to review and sign the paperwork, with a link embedded in the email to take them to a cloud-based document. (Another recent scam impersonates PayPal to steal user credentials and take over accounts.)
For any number of reasons, the firm’s employees weren’t taking the few seconds necessary to confirm whether the link was legit, but it’s also easy to see how they could be scammed. They may think it’s a new client or a new assistant who is sending the document, or they might be so afraid of losing business or falling behind on their workload that they click on the “Review document” link.
Fishkin recognized that generic training offerings don’t cover the social engineering threats and other cybersecurity concerns that face law offices, so he decided to change the way his team offered cybersecurity training. Focal Point recently spoke with Fishkin to learn how he addressed social engineering scams impacting the security at his firm.
(This interview has been edited for clarity and length.)
Focal Point: Can you talk about the security problem you faced and the issues it was causing for the company?
Fishkin: Our clients have to perform due diligence on us, and a lot of times, they want to make sure that we’re doing security awareness training for our employees. But what that really means is people are just sitting in front of a computer for a half hour watching a video, which meets the requirements.
For the past four years, I did these videos and then I would test people with session campaigns – I’d make up a scenario and see how many people fall for it. It was a controlled way to fake people out with scams, and they were falling for it.
Fishkin: I finally said to myself, OK, they probably aren’t watching these videos; they’re probably doing something else while the video is on in the background. I decided we needed to do a better job of educating everybody. So I decided to do live training with smaller groups.
FP: What do you mean by doing live training?
Fishkin: I’d either set up a Zoom call or sit down with people in person and have conversations about the issues that law firms have with scams. It hits home a little more than watching a video meant for the general public because this training is more law firm–specific.
FP: How many people do you talk to at a time?
Fishkin: It’s for new hires, so if we have five people that just got hired that week, I’ll talk to five people. It’s not like we’re hiring hundreds of people at a time, so it is a pace I can handle.
FP: What kind of things do you talk about in a live security training session?
Fishkin: I talk about real scams that have happened to our firm. For example, when somebody announces on LinkedIn that they just got hired by Lowenstein – or we do a PR campaign to announce the hiring of a new partner – a lot of scammers will start with social engineering techniques, such as pretending to be the chairman of the firm and asking for a cell phone number. Or the scammers will use creative ways to tell the new hire that the firm needs them to purchase gift cards or needs to deal with an emergency, and the cell phone number is needed to get things squared away.
The new hires don’t really know people yet and don’t know the culture of the company, so they are very responsive, especially younger people who are trying to please everyone in order to get attention.
FP: What kind of success have you had with this personal approach?
Fishkin: I’ve seen good success. I’ve told them how there are scams where people call up and say they are tech support. We have email bombs, where people get thousands of emails over a short period of time that fill their inbox. Then they’ll get a call from someone pretending to be tech support while this is happening. Who wouldn’t think that it was really legitimate tech support? But it is a scam to install software. So now people are verifying that it is the actual help desk they are speaking to.
I’m trying to make sure employees understand that they don’t just click on things, but everybody is so busy that they don’t really pay attention to what’s going on. Showing them practical things, scams that have actually happened in our firm in particular, really hits home. I’m now seeing more people reaching out to me to verify if an email is fake or real.
FP: Will you still do the annual video training sessions?
Fishkin: I will still do annual training, but it will probably become a mix of what I’m doing now with new employees. The plan is to do annual training by department and that way I can talk to everyone and the training will be more targeted to that group and their specific security issues. I really want people to wake up and take security more seriously.