As an employee, security sometimes feels like a barrier to me doing my job, and it can be just downright annoying. I have to juggle constant system updates, blocked applications and websites, complicated password policies, endpoint firewalls, and DNS-based rules. All of these technology measures can make me feel like I am a risk to be managed.<\/p>\n
But a few months back, I became part of the solution.<\/p>\n
Cybersecurity Awareness Training<\/h2>\n
CIRA now publically offers cybersecurity awareness training and phishing simulation<\/a> as a service\u2014and not only are we the service provider, we are also a client.<\/p>\n This training platform is a one-stop-shop<\/strong> that combines traditional courses, awareness and perception surveys, phishing simulations and company-wide measurement. This is a significant step-up for the days of yore when IT cybersecurity training meant a 45-minute pizza lunch in the cafeteria with a sign-up sheet that proved you attended.<\/p>\n Most importantly is the integration of our training with phishing tests<\/strong>. These days, most organizations do some form of phishing tests or simulations, but the ones I\u2019ve experienced have never felt effective. Everyone in my department would get the same test at the same time, and we\u2019d never receive any feedback or results reporting on the tests or our improvement. As a user, I still felt like a managed risk and even resented being tested.<\/p>\n On the flip side, our IT departments felt these tests took too long to administer and report on. Being able to prove the effectiveness of our security programs with data was a long and tedious process.<\/p>\n Our training tool sends out unique phishing tests randomly to everyone at CIRA so nobody can be the \u201cgopher\u201d and alert others that a test is coming. And if you do end up falling for a phishing test, you immediately get recommended appropriate training that is customized to that test. I might be good at recognizing social media email scams, but if I fell for a storage application scam (like a fake Dropbox login), I\u2019d get more storage-related training. To me, the training feels highly relevant.<\/p>\n Using our Cybersecurity Awareness Training, my perception of our training and testing has completely changed. With this product, our goal is to \u201ctransform users into a human firewall\u201d. While this sounds a bit intense, there\u2019s a reason it\u2019s a term that\u2019s highly used in the cybersecurity industry\u2014employees are a primary, direct target for attacks, and their awareness and diligence are incredibly valuable as part of every organization\u2019s cybersecurity solutions.<\/p>\n As a user, what does it mean <\/em>to me about being part of the solution?<\/p>\n One of the biggest gaps I\u2019ve felt with other security training tools is that I\u2019d have no idea what my performance was, and whether my training even mattered. You can see from the screenshots above (taken from my personal dashboard), that my risk score is 575. This score is a combination of my department, my role, my access to systems, and my success with training. When compared to the rest of my team\u2026I\u2019m winning!<\/p>\n\n
![\"\"](\"https:\/\/stg.cira.ca\/uploads\/2019\/07\/Riskscoreimage1.png\" "\\"\\"")
\n <\/p>\n![\"\"](\"https:\/\/stg.cira.ca\/uploads\/2019\/07\/teamscoreimage1.png\" "\\"\\"")
<\/p>\nFully transparent personal cyber risk score<\/h2>\n
Phishing simulations help users build a good habit<\/h3>\n