Initial Comments on Awareness Training Best Practices

(Will Jeansonne) #1

Comments on security awareness training from several of our first members.

(Richard Wills) #5

For us, at least monthly phishing tests with mandatory retraining for failures, as well as sending examples to users as we see suspect email enter our system. It would be typical for us to sanitize a true phishing email and send it out to all of our users as an example, and to highlight and acknowledge the user who discovered it and brought it to our attention.

(Charles Chenevert) #6

How should I handle web sites that have “https” in the URL where I don’t see the lock symbol in the web address bar? That is, should I not submit any personally identifiable information in the online form if I don’t see the lock?


We do basic computer security training during on-boarding and then once a year after that. We also send out security briefings/alerts occasionally and use KnowBe4 phishing campaigns.

It seems to work fairly well.

Taking away local admin (or an application whitelisting system) is still the best thing you can do, though!


One of the most useful things I’ve found is taking real spam/spoof emails we get, marking up what was wrong with the email, and sending that out to all employees to look at. This has worked really well because it seems more real when it’s an email one of them actually got.
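Two posts above (Richard Wills’ sanitize-and-forward practice, and the marked-up spoof emails in the post just above) describe the same routine: take a real phish, strip anything that could still harm a reader, and annotate why it was a phish. The script below is an added example of that routine, not code from any poster or from KnowBe4. The sample message, the organisation domain `example.com`, and the urgency keyword list are all constructed assumptions; the red-flag checks (Reply-To/From domain mismatch, sender domain that is not ours, links to hosts outside our domain, urgency language) are common heuristics, not a complete phishing classifier.

```python
"""Defang a captured phishing email and annotate its red flags for an awareness mailout.
Added example; the message below is constructed, not a real phish."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a lookalike-domain credential lure (note "examp1e", digit one).
SAMPLE_RAW = """\
From: "IT Helpdesk" <helpdesk@examp1e-corp.com>
Reply-To: recovery@mail-secure-login.net
To: alice@example.com
Subject: URGENT: your mailbox will be suspended in 24 hours
Content-Type: text/plain

Dear user,
Your password expires today. Verify now at http://examp1e-corp.com.login-portal.net/reset
or your account will be disabled.
"""

ORG_DOMAIN = "example.com"  # assumption: the organisation's real mail domain

URL_RE = re.compile(r"\b(https?)://([^\s<>\"']+)", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URGENCY_RE = re.compile(r"\b(urgent|immediately|suspended|disabled|24 hours)\b", re.IGNORECASE)


def defang_url(match: re.Match) -> str:
    """http://evil.example/x -> hxxp://evil[.]example/x so mail clients won't linkify it."""
    scheme = "hxxps" if match.group(1).lower() == "https" else "hxxp"
    return f"{scheme}://{match.group(2).replace('.', '[.]')}"


def defang_address(addr: str) -> str:
    """Make an address non-clickable and keep it out of auto-complete."""
    return addr.replace("@", "[at]").replace(".", "[.]")


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def annotate_phish(raw: str, org_domain: str = ORG_DOMAIN) -> dict:
    """Return the red flags found plus a defanged, recipient-redacted copy for distribution."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    body = msg.get_payload()  # single-part text/plain in this example

    flags = []
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        flags.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {domain_of(from_addr)}")
    if domain_of(from_addr) != org_domain:
        flags.append(f"Sender domain {domain_of(from_addr)} is not {org_domain} (check for lookalikes)")
    for m in URL_RE.finditer(body):
        host = m.group(2).split("/", 1)[0].lower()
        if not (host == org_domain or host.endswith("." + org_domain)):
            flags.append(f"Link points to external host {host}")
    if URGENCY_RE.search(subject + "\n" + body):
        flags.append("Urgency / threat language")

    # Defang links and any addresses in the body; drop the real recipient entirely.
    defanged_body = URL_RE.sub(defang_url, body)
    defanged_body = EMAIL_RE.sub(lambda m: defang_address(m.group(0)), defanged_body)
    mailout = "\n".join([
        f"From: {defang_address(from_addr)}",
        f"Reply-To: {defang_address(reply_addr)}" if reply_addr else "Reply-To: (none)",
        "To: <recipient redacted>",
        f"Subject: {subject}",
        "",
        defanged_body.rstrip(),
        "",
        "RED FLAGS:",
        *[f"  - {f}" for f in flags],
    ])
    return {
        "flags": flags,
        "defanged": mailout,
        # Safety check before sending: no live http(s) link may survive defanging.
        "live_urls_remaining": bool(URL_RE.search(mailout)),
    }


if __name__ == "__main__":
    print(annotate_phish(SAMPLE_RAW)["defanged"])
```

The `live_urls_remaining` check is the part to keep: the failure mode of this practice is forwarding a still-clickable lure to the whole company, so refuse to send unless it is `False`. Real messages are often multipart with an HTML body; extend `annotate_phish` to walk `msg.walk()` and defang the `href` attributes too before using this on them.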


We also do basic training during on-boarding; however, since we recently started using phishing campaigns and the video training, our users are starting to become paranoid about every suspicious email. I’m hoping the user’s first thought is “This is another test - I don’t want to go through the security training again!”

(Chris Reynolds) #10

We do pretty much the same thing! We’ve seen some good progress from our end users using the KnowBe4 campaigns and trainings.

(Josh) #11

We perform onboarding training for all new employees within 30 days, then once a year everyone is retrained in our security practices.

And as needed people are given specific training based on roles.

(Pat O'Connor) #12

We use monthly phishing tests plus quarterly video training and that seems to work well for most of our users. Where we still have an issue is finding quality secure engineering standards training for software developers. I have found material that is so rudimentary that it is insulting to experienced programmers and material that is so extensive that there is no time to develop the product.

Has anyone found a good solution in that area?

(Mike Borst) #13

I just recently implemented KnowBe4’s 45 minute security training as basic on-boarding for new employees. It really helps them jump into the environment knowing that they are already somewhat educated.

(Scot) #14

I have found in person training to be more effective and a good complement to just online training/videos. Wondering what others are doing for in person training.


Right now we prohibit local admin rights. It increases administrative difficulties, but is a must do today. We are moving forward with a “whitelisting” application that has had some reported success preventing the spread of ransomware. We are undecided if we will then allow local admin rights. We certainly wouldn’t entertain the thought of making that change until we’ve let the new application soak for a year in production.


We have some application whitelisting but it’s very expensive and management is burdensome. I can’t justify the expense in time and effort to deploy org-wide.

It’s too bad because it’s a great idea. To any vendors listening: stop charging 50-100 per endpoint and I’ll buy your stuff :)


KnowBe4’s setup has served us very well: regular phishing tests and the Security Awareness Training. The 45-minute training is a requirement for all employees during onboarding, then more training as I see fit, or if someone fails a phishing test. It has caused A LOT more questions to be thrown my way, but it’s because the users are scared to click on anything, so I’ll take it. I have had users tell me flat out that they are “scared to click on anything.”
We definitely don’t allow local admins. Myself and my employees are the ONLY admins either locally or on domain.
I also send out regular security awareness emails to everyone.


In addition to having new hires go through the Security Awareness Training within the first week of employment, I also utilized the Security Hints and Tips and have that set up to go out weekly. I’ve also set up a new campaign today utilizing the new Scam of the Week feature so that I can notify all my employees of things to watch out for so they are more aware of different kinds of threats that are circulating. In my experience, in addition to providing as much information on security as possible to the end user, the upper management (C suite) really needs to let all users know that the company is taking security seriously and there will be disciplinary actions for continuous clicking.

(Kristen Anello) #19

We also do similar training. We train annually and send out email notifications/alerts to keep our users aware of the newer scams circulating when they occur. We don’t allow local admin access on machines and do a lot of whitelisting for websites to keep surfing in check. We are utilizing KnowBe4 for training; it has proven to be a positive experience for our users for education, and we are seeing staff become more aware since the training.

(Rachael Chosnek) #20

We provide information security training during employee on-boarding. We also require all employees to complete quarterly training, including the C-Suite. In addition to training, we do monthly phishing tests, with auto-enrollment in a “refresher” training for all failures and email security tips to all users monthly. Since abandoning the standard annual training two years ago for a robust Employee Awareness Program most of our employees have come to recognize their responsibility for security.