“security awareness training” Archives

Tag Archive for: “security awareness training”

Cybersecurity Awareness Month 2022: Five Disastrous Pitfalls to Avoid at All Costs

Cybersecurity Awareness Month Keynote Speaker

Security Awareness Training that Won’t Put Your Peeps Asleep

National Cybersecurity Awareness Month, which takes place every year in October, is a lot like spring cleaning. It’s when we buckle down and finally get to that pile of papers we’ve been staring at all year. It’s also when we learn to build new systems that prevent the pileup in the first place. Fall is when we turn on the throwback tunes, grab some reinforcement, and dance our way through important cyberthreat mitigation. As a cybersecurity keynote speaker, it is my responsibility to help you know where to start, what to do next, and how to prevent the mess that comes from not paying attention to security awareness training. It is the combination of deep work in October and preventative education throughout the year that make cybersecurity digestible, effective, and even a whole lotta fun. In the meantime, here are 5 Disastrous Pitfalls you can avoid during your organization’s Cybersecurity Awareness Month 2022:

1. Don’t Overstuff October with Awareness

Assuming that your employees are appropriately educated after just a month of data protection training is as ridiculous as saying “I washed my sheets once, so I’m set for the year!” First of all, no. Second of all, gross! To continue our cleaning metaphor, if you wouldn’t ask your most treasured house guests to sleep in a bed with sheets you washed last October, why would you entrust your company’s most sensitive data to a team that is dealing with year-old information??

It is all too easy for organizations to assume that their responsibilities are contained and fulfilled when they dedicate an entire month and a substantial budget to those responsibilities. Don’t get me wrong, I LOVE that we have a month dedicated to cybersecurity awareness. But many organizations concentrate all of their efforts into October while completely neglecting the other 11 months. Here’s the point: Information overload is not effective, for your people or your budget. Corporations that rely on October alone may forfeit some of their responsibility while exhausting their staff into a state of disengagement.

How do I know this? Every year, I am booked solid from September through November, right around–you guessed it–Cybersecurity Awareness Month. And I’m not complaining about the business! But I am concerned that we see a sudden yet fleeting burst of motivation by companies and yet a lack of accountability the rest of the year. More and more, in addition to a keynote event during their October campaign, smart organizations will supplement their education with monthly emails, phishing contests, brown bag lunch dates on personal security, funny social engineering videos and other relevant updates that keep their staff current on the latest cyber trends.

2. Don’t Hire Speakers Who Bore Them to Tears

Emotions matter. Your people matter. A relatable, captivating experience is critical to creating personal buy-in among your employees. And let’s face it, your people are only your weakest link if you let them be. When you bring in engaging, entertaining speakers who make the topic personally relevant to their lives (not just to your bottom line), they will naturally expand and apply that learning to your organization.

Take Facebook for example. They have successfully implemented “Hacktober” during National Cybersecurity Awareness Month, which provides workshops and gamified contests for workers to implement everything they learned throughout the year. And then in October, they reward their team with a highly entertaining speaker (shameless plug ;-) that benefits them personally and professionally.

When I live hack the iPhone of an audience member (using humor to socially engineer them) or run a game show about deep fake technology to educate them on trending threats, they leave not only with tools for protecting the company, but with personal buy-in about why data defense matters. But if it’s boring, it gets forgotten.

3. Don’t Force Feed Them 8 Straight Hours of cybersecurity awareness training

More is not always better. Faster is rarely better. Eight hours of pure content without a bathroom break is not better. And it’s probably illegal. Because we are productive beings focused on “more”, we sometimes confuse efficiency with effectiveness. In the case of security awareness training, eight hours of hearing about hackers, fraudsters and scams (oh my!) isn’t going to do much besides–at best–convincing your people to tune out and enter BORED, SLEEP and WASTE and in their latest Wordle puzzle.

Organizations that treat cybersecurity awareness month as a time to stuff all content into one long day and hope that everyone learns something (or at least stays awake) tend to be wasting their money. More education in less time is not the way to prevent cybercrime from landing you at the top of the news cycle. In fact, content stuffing will dull down the topic so much that your people will care less than when they walked in.

It’s like one of those weeks where you put off doing the laundry just long enough that your clothes barely fit in the washer. So you stuff it all in and not only don’t the clothes get clean, but the machine is toast before the spin cycle subsides. The lesson? Don’t leave your people half-washed by stuffing their brains so full that they can’t finish the cycle. The most savvy data protection education I see tees up the topic with a few new best practices–let’s say password or click hygiene–paired with real life stories of what happens when it all goes bad. Audiences love stories, so don’t drown them with statistics and a boring PowerPoint.

4. Don’t Make it Only About the Organization

Would you rather fold your own underwear or those of a random stranger? If you have any common sense (or knack for hygiene), you’d choose your own. Doing the laundry may not be the funnest part of your Sunday routine, but you know it is necessary because in the end, it directly impacts you. Forget to start the wash? You’re the one going commando. Dumped the basket of dress shirts on the floor and forgot about it? Monday is going to be stress with a side of wrinkles.

The point is, when something impacts us personally, we notice it quicker and invest in it more fully. Many keynote speakers on cyber threats ask you to fold someone else’s laundry–they only want you looking out for the good of the organization. They don’t give individual employees a “why” that impacts each of them personally.

In other words, Cybersecurity Awareness Month is not just about educating. It is about creating emotional buy-in. In order to be remotely effective, cyber education should come over the course of the entire year–not just one month dedicated to it. So why have a dedicated month at all? Because October serves as a national reminder about why this matters. It is the responsibility of your keynote speaker to 1) Get employees and executives passionate about protecting the data that drives your profits and 2) Illustrate how protection affects them personally first. If the individual doesn’t give half a load of laundry about defending their own private information, they sure as heck aren’t going to care about protecting the corporation’s information capital. By bridging the personal and the organizational, we can encourage personal buy-in that leaves the individual and the company better off for it.

So, if Pitfall #3 is an oversupply of content, then Pitfall #4 is having an inadequate reason to listen and take ownership in the first place.

5. Don’t Focus on Failure, Focus on the Future

When organizations and leaders only focus on what their people are doing wrong, those people are far less likely to embrace change. Employees want to feel like they are successfully contributing to the health and well-being of the company. So, if you approach cybersecurity education and awareness from a peripheral angle and point out what IS working and where you have thwarted attacks, individuals feel proud and therefore much more empowered to continue the momentum into the future. Cybercrime is already a negative topic, needlessly harping on past failures only depresses progress.

For example, in my cybersecurity keynote presentation, I make it a priority to point out how it is generally the human beings inside of any organization that catch fraud in process. Your people are your superheroes when it comes to data defense. You can have the greatest technological tools in the world, but if you don’t have a smart human wielding them, they are worth next to nothing. This approach is called Appreciative Inquiry, and it is an incredibly powerful tool in your arsenal of human cyber weapons. And it is generally missing from the average Cybersecurity Awareness Month playlist.

And with that in mind, here is the good news. YOU DON’T HAVE TO BE VICTIM TO THESE PITFALLS. I have witnessed hundreds of cybersecurity awareness month events in my two decades of keynoting events, and the leaders that understand and avoid these pitfalls don’t just create a better awareness event, they build a long-term cybersecurity culture. And that’s something that doesn’t come out in the wash.

_____________________________

John Sileo specializes in Cybersecurity Awareness Month 2022 keynote presentations that set your month, year and awareness program up for success. If you’d like to learn how John will customize his speech to your event, contact us directly on 303.777.322 or by filling out our friendly contact form.

Automotive Cybersecurity: Don’t Bank on Untrained “Drivers”

Would you send your newly licensed 16-year-old out to drive on the interstate without spending months teaching them safety skills and the rules of the road? I hope not! Even if their car had all of the latest safety technology – front and side airbags, auto-locking seatbelts, crash-warning sensors – and a low-deductible insurance policy, you still wouldn’t take the risk.

In other words, technology without training is completely useless. And the same is true of cybersecurity, whether you are running a local car dealership or a national automotive chain. And that matters because in the past two years, 85% of auto dealerships have reported being a victim of cybercrime. Let’s go back a step.

National Auto Dealers Association Highlights Hacking Among Auto Dealers

I recently spoke for the National Automobile Dealers Association (NADA). NADA is an American trade organization composed of nearly 16,500 franchised new car and truck dealerships. Each year, the folks at NADA gather business leaders to discuss the latest in industry innovation and shop thousands of new products and services from the industry’s top vendors and suppliers. In addition to showcasing exceptionally cool new concept cars, auto dealers are keenly aware of the rapid increase of cyberattacks targeting their privacy, profits and reputation.

This year, the NADA Show 2022 took place in the Las Vegas Convention Center. In addition to a keynote interview with Michael Strahan, the conference also featured a Distinguished Speaker Series, which had a fantastic roster of keynote speakers that included Col. Nicole Malachowski, Lt. Cdr. Jesse Iwuji, and myself. I was invited to chat about pressing automotive cybersecurity threats and solutions as they specifically relate to car dealers and the automotive industry.

Think about it – even corporate auto dealers like Toyota and Lexus aren’t immune to cyber threats. After 3.1 million pieces of consumer data were compromised in an automotive industry cyber attack that targeted Australia, Japan, Thailand and Vietnam, it was only going to be a matter of time before auto dealerships and manufacturers in the U.S. came under fire. And the industry is under attack for a very good reason.

Auto dealers handle a treasure trove of valuable customer data. And when you are as busy as dealers are with product supply chain issues, labor shortages and general entrepreneurship duties, cybersecurity can become just another item on a very long checklist. So let me give you a quick recap of the small business cybersecurity checklist I detailed during my presentation, The Art of Human Hacking: Social Engineering Self-Defense for Auto Dealers.

Automotive Cybersecurity Trending Cyber Attacks

Why are car dealerships coming under so much cyber fire? The COVID-19 pandemic accelerated a playing field that was already taking shape – the remote workforce. As the marketplace was forced into working remotely, many elements of a traditional dealership — like sensitive customer and financial data — were moved into the cloud so they could be accessed from outside the dealership. Cloud operations can be convenient, scalable and profitable. But they also open up backdoors into the dealership if cybersecurity isn’t built in from the beginning.

In essence, the auto industry has moved from a fortress model (where data is secured behind a centralized network protected by a moat, or perimeter security, like firewalls and VPN), to a widely distributed computing kingdom where data is accessed from the dealership itself as well as homes, remote offices, cafes, airports, hotels and conferences. That means that traditional defenses like anti-virus, firewalls and virtual private networks are no longer sufficient.

A second threat is the advent of supply chain attacks, where the cyber criminals hijack legitimate software that the dealer trusts and uses it to infect the entire network. SolarWinds, Casey and Loj4j are examples of this malicious attack vector. This is particularly damaging because there is no warning that the enemy has crossed the gate and is living in your systems.

But probably the most effective and pervasive form of attack is ransomware. Ransomware uses encryption to lock down every connected computer on your network, and then charges you a ransom to recover your data. When you don’t pay the ransom, the ransomware gangs leak your data and report you to the press and regulatory agencies to trigger expensive and reputation-damaging publicity.

The average cost to a dealer to regain their data is trending quickly upward. Though the average ransom payment is just over $150,000, a recent attack on Arrigo Automotive Group in West Palm Beach, Florida cost the dealerships approximately $500,000 in remediation. And that doesn’t account for reputation damage or lost revenue due to fleeing customers.

To make matters worse, the average downtime associated with an auto dealers cyber attack is 21 days long — three weeks’ worth of lost revenue as the icing on the bitter cyberattack cake. And since the Federal Trade Commission revealed there were 38,561 reported cases of identity theft related to auto loans and leases in 2019, it’s no surprise that over 80% of customers would choose to take their business elsewhere, leaving the compromised auto dealer behind.

Why Car Dealer Data is so Attractive to Hackers

Unfortunately, but rightly so, cybercriminals view unprepared auto dealers as poorly protected financial institutions. Because of the costs involved in purchasing an automobile, dealers collect data just like a bank does, from consumer identity and credit details to loan payment and banking information, not to mention demographics, online behaviors and more. But unlike a bank, the automotive industry is not government regulated, removing one powerful incentive for dealerships to implement safeguards.
Dealerships have a multitude of hacker entry points. Think about the variety of third-party partners and digital marketplaces with which dealers do business. Then consider the varied operating systems and software packages that finance, admin, sales and service utilize on a daily basis. Don’t forget the free guest WiFi access, the number of customers who have access to associates’ desks and the multiple locations they potentially service. Every one of those nodes is an entry point for a cybercriminal.
And most importantly, nearly half of American dealerships don’t have adequate automotive cybersecurity solutions, or even basic small business cybersecurity solutions, to defend these entry points. Only 49% of dealerships claim to have adequate protection against cyberattacks, while another 73% have yet to undergo automotive cybersecurity testing to fine-tune their incident response plans.

Auto Dealers and Small Business Cybersecurity Checklist

If auto dealers want to prevent an auto dealer cyber attack, the answer is not to simply build a technological fortress around their sensitive data. While advanced technology can certainly deter hackers, 91% of cyber attacks rely on social engineering — when a cybercriminal uses techniques such as phishing emails to gain access into an organization.

In other words, hackers always go after the humans first, because poorly trained employees and executives tend to be the weakest link in the cybersecurity chain. But they don’t have to be.

As auto dealerships of all sizes continue to navigate an evolving cybersecurity landscape, staff and employees must be treated as integral part of cyber defenses. To refuse to do so isn’t just costly, it’s like putting an inexperienced driver behind the wheel of a potentially harmful machine. If you own or operate an auto dealership business and are unsure if your organization is doing everything it can to fulfill the framework for automotive cybersecurity best practices, take a look at this small business cybersecurity checklist I recently shared with the attendees of the NADA Show 2022:

Does your dealership currently have cybersecurity defenses in place? Defenses include end-point protection, zero trust architecture, two-factor authentication, password managers, default deny firewalls and many other layered techniques.
Does your dealership have around-the-clock security monitoring to detect cyber threats? It is not enough to have the equipment, you also need to attend to the alerts when they arise.
Does your dealership understand the specific cyber risks impacting your industry, including but not limited to: malware, ransomware, supply chain attacks, brute force hacking, phishing, social engineering attacks and credential theft?
Has your dealership contracted with an external security vendor to conduct a risk assessment in the past 12 months?
Does your dealership periodically assess third-party partners and marketplaces to understand the risks they can pose to your business?
Does your dealership have established policies and procedures in place to protect your business information and systems?
Do you have a robust data backup and recovery response plan in case ransomware locks up your network?
Has your dealership conducted an incident response test in the past 12 months to ensure all procedures are accurate and effective?
Do your dealership employees know what to do in the event of a cyberattack or a loss of service?
Do you provide regular, engaging Security Awareness Training for your employees, executes and 3rd-party partners?

If you answered no to any of these questions, you are well advised to resolve those issues before they take down your business like they did mine. Make a call today to a cybersecurity expert you trust deeply who will help you build a framework to your dealership needs and then educate your people to become your strongest cybersecurity defense instead of your weakest, most exploitable link.

The Best Framework for Automotive Cybersecurity Best Practices

In today’s digital age, cybersecurity for automotive dealerships is just as mission-critical as it is for large banking institutions. It’s important to treat your customer data just like customers treat the precious cargo they transport in the cars you provide. The framework that I shared at NADA 2022 is called the Blockbuster Cybersecurity Framework. It includes 9 components with corresponding questions that help you analyze, organize and communicate the cybersecurity changes you need to make.

If you are unclear of how best to deploy a non-technical framework for moving forward, or need to improve your Security Awareness Training, consider bringing me in as a board advisor or keynote speaker who will energize and illuminate your cyber efforts and your people. Once I share my two-year battle with cybercrime and how I almost went to jail for taking my eye off the ball, your team will be motivated to make the necessary changes. Send me an inquiry today to learn more.

And no matter what, don’t send your employees out on the road without training them how to be a proactive, knowledgeable part of the solution.

Small Business Cybersecurity: 5 Steps to Stop Cybercrime

Small Business Cybersecurity Gone Terribly Wrong

On August 12, 2003, as I was just sitting down to a tea party with my daughters and their stuffed animals, the doorbell rang. Standing there when I opened the door was a special agent from the economic crimes unit at the district attorney’s office—ready to charge me for electronically embezzling (hacking) $298,000 from my small business customers. The DA’s office had enough digital DNA to put me in jail for a decade.

I was the victim of cybercrime, and I should have known better. You see, earlier that year my personal identity was stolen by cybercriminals out of my trash and sold to a woman in Florida. This woman purchased a home, committed a number of crimes, drained my bank accounts and filed for bankruptcy—all in my name. I learned all of this one day at the bank, right before I was escorted out by security guards.

The experience of losing my money, time and dignity motivated me to protect my personal information assets with a vengeance. Unfortunately, I didn’t apply my newfound cyber vigilance to my small business, which is how I ended up losing it.

Like a lot of small business owners, it never occurred to me that my $2 million company would be targeted by cyber criminals. I figured we weren’t worth the effort, especially compared to large multinational companies like Target, Marriott, Google and Facebook. My naivete cost me my family’s business and two years fighting to stay out of jail.

The fact is, cyber criminals are increasingly going after small and midsize businesses (SMBs) precisely because they are easier targets than larger organizations. According to the Ponemon Institute’s most recent Global State of Cybersecurity in Small and Medium-Sized Businesses report, 76 percent of small and midsize businesses experienced a cyber attack in the past 12 months. The same report found that only 28 percent of companies characterize their ability to mitigate threats, vulnerabilities and attacks as “highly effective.”

Not all hacking results in criminal charges being filed against the victim, as in my case, but that doesn’t mean there aren’t significant costs involved. According to last year’s Ponemon Institute study, companies spent an average of $1.43 million due to damage or theft of IT assets. On top of that, the disruption to their normal operations cost companies $1.56 million on average.

In other words, your organization’s chances are greater than 50/50 that it will suffer a serious cyber attack in the next year or so and that the attack will have a significant negative impact on profitability. The good news is that you can eliminate much of the risk with a reasonable budget and some good leadership.

5 Small Business Cybersecurity Strategies

In my experience, good entrepreneurs begin with the following steps:

Identify All data is not created equal. Bring together the key players in your business and identify the specific pieces of data, if lost or stolen, that would make a significant impact on your operation, reputation and profitability. This could be everything from customer credit card, bank account or Social Security numbers to valuable intellectual property.

Evaluate Understand your business’ current cyber security readiness. During this step, I recommend bringing in an external security firm to conduct a systems penetration test. A good Pen Test will give you a heatmap of your greatest weaknesses as well as a prioritized attack plan. Have a separate IT provider implement the remediation plan, if possible, to provide an objective check on the security firm’s work.

Assign Engage stakeholders from across your organization, not just those within IT. Assign a detail-oriented, tech-savvy leader other than yourself (if feasible) to oversee the analysis and implementation of your cyber strategy. Other players essential to this conversation are your lawyer and your accountant/auditor, who can help you build a breach response plan for when data is compromised. In today’s digital economy, theft and loss are part of business as usual and they should be planned for—like any other risk to your organization.

Measure Just as with any other business function, cyber security needs to be measured. Your security or IT provider should be able to suggest simple metrics—number of blocked hacking attempts (in your firewall), failed phishing attacks, days without a breach, etcetera—with which to keep a pulse on your data defense.

Repeat Each one of these steps should be re-evaluated and updated on a regular basis. I recommend taking a look at your security during your slowest season annually. Strong cyber security thrives in the details, and the details in this realm change every year.

The bottom line is that SMBs can no longer ignore the very real threat of cyber crime, including crime perpetrated by an insider (in 2018, 34 percent of data breaches involved internal actors and 2 percent involved partners). I learned both of these lessons the hard way. It takes an average of 73 days for organizations to contain an insider-related incident; my case dragged on for two years, during which I spent every day fighting to keep myself out of jail.

In the end, I found out the cyber criminal was my business partner. A man I loved and trusted like a brother stole and used my banking login credentials to embezzle from our clients; he used my identity to commit his cyber crimes. He exploited my trust and then he cut the rope and let me take the fall.

And I should have known better. So if you think your company is too small to be targeted or you’re too smart to be victimized, think again.

About Cyber security Keynote Speaker John Sileo

John Sileo is the founder and CEO of The Sileo Group, a cybersecurity think tank, in Lakewood, Colorado, and an award-winning author and Hall of Fame Speaker who specializes in providing security-awareness training to small businesses as well as large organizations. He has shared his experiences on “60 Minutes,” “Anderson Cooper” — and even while cooking meatballs with Rachael Ray. John earned a BS with honors in political science from Harvard University.

Security Awareness Programs Like Mushy Overnight Oats?

To diagnose your under-performing cyber security awareness programs, all you need to do is look at my breakfast today. My daughter introduced me to overnight oats. “It’s the perfect breakfast, Dad – full of energy, takes no time at all, packed with simple, healthy ingredients like oatmeal, almond milk and peanut butter”, she said. “That’s what I need!”, I said, “All of the power with none of the fuss”. So I took her recipe and promptly ignored it. I added cottage cheese, chia and some lemon – because if it was already good, I was going to make it even better.

What I got was curdled mush that crawled out of the bowl like John Cusack’s dinner in Better off Dead. The theory of overnight oats was brilliant. It was my execution that made me gag.

Many security awareness programs choke on their own ingredients because, like my overnight oats, they don’t follow a recipe when they plan the program. The have no overarching security “end” in mind at the beginning, to paraphrase Stephen Covey. Empowering the human element of cyber security is the cultural ingredient that many organizations overlook. Think about tweaking your recipe a bit to make it more than palatable.

A Recipe for Effective Security Awareness Programs

One byproduct of serving as the opening keynote speaker for hundreds of security awareness programs around the world (in addition to the bottomless pit of mileage points I’ve earned), is that I have dined amidst training programs, OVER and OVER again, that leave me hungering for more substance and lots more flavor. Here is my simple recipe for a filling, enjoyable and effective Security Awareness Program:

Ingredients (For a Culture of Security that Cooks):

(1-3) C-Level Executive(s) who “Believe” (Ownership)
(1) Cross-Functional Business Case w/ Compelling ROI (Strategy)
High-Engagement Content Rooted in Personal Security (Methodology)
(6-12) Regular, Engaging Follow-on “Snacks” (Sustenance)
(1) Feedback Dashboard to Measure “Diner” Response (Metrics)

Ownership. Failing to have a highly-communicative Chief Executive leading your initiative is like expecting a 3-Star Michelin rating from a fast-food cook. You must have high-level “buy-in” for your program to work. I’m not talking about the CISO, CRO, CIO or CTO here – that would just be preaching to the choir. The missing cook in awareness programs tends to be a security “believer” from the executive team. Successful security awareness programs are clearly led, repeatedly broadcast and constantly emphasized from the top of the organization, all with an attitude of authenticity and immediacy. Whether served up by your CEO at an annual gathering or by your Board of Directors to kick off National Cyber Security Awareness Month, your security champion must become an evangelist for defending your data.

Strategy. Don’t expect to randomly add security ingredients to the bowl and blindly hope they mix well together. You’ll just end up with curdled oatmeal. Approach your program strategically, and devise a recipe to protect your intellectual property, critical data and return on information assets. You are competing for resources, so build a compelling business case that demonstrates the organization’s ROI in business terms, not buried in techno-babble. What did it cost your competitor when ransomware froze their operation for a week? How much would the training have cost to avoid the CEO whaling scheme that lost a similar-sized company $47 million? What do the owners of compliance, HR and I.T. have to add to the meal? The most successful security awareness programs have a budget, a staff (however small) and cross-departmental support. Involve the business team and other stakeholders up front to leverage their expertise before rollout.

Methodology. Here is a litmus test for the potential effectiveness of your security awareness program: Does it begin by focusing on the critical information assets and devices inside of your organization? If so, it’s probably doomed. Why? Because your employees are human beings and they want to know how this affects them personally before they willingly invest time to protect the corporate coffers. Excellent security awareness kicks off by making data protection personal – by building ownership before education. From there, the training must be engaging (dare I say fun!?) and interactive (live social-engineering) so that your audience members pay attention and apply what they learn. Death-By-PowerPoint slides will permanently put behavioral change to sleep. Highly-effective programs build a foundational security reflex (proactive skepticism), and are interesting enough to compete against cute puppy videos, smartphone farm games and our undying desire for a conference-room cat nap.

Sustenance. Best practice security awareness training, like a five-course meal, doesn’t end with the appetizer. Yes, kickoff is best achieved with a high-energy, personally relevant, in-person presentation that communicates the emotional and financial consequences of data loss. But that is only the beginning of the meal. From there, your team needs consistent, entertaining follow-up education to keep the fire alive. For example, we have found short, funny, casual video tips on the latest cyber threats to be highly effective. And lunch workshops on protecting personal devices. And incentive programs for safe behavior. And so on. Culture matures by feeding it consistently.

Measurement.If you don’t measure your progress (and actually demonstrate some), no one will fund next year’s dining budget. What are your Security Awareness Training KPIs, your key metrics? How did successful phishing attacks decline as a byproduct of your program? Has user awareness of threats, policy and solutions increased? How many employees showed up for the Cyber Security Awareness Month keynote and fair? How department-specific are your training modules – or does one size fit all? When you can show quantitative progress, you will have the backing to continue building your qualitative culture of security.

And now, back to the meal. In spite of the lemon juice that further curdled the cottage cheese and ruined my oats, I was still hungry, so I ended up choking them down, vowing to listen to my daughter next time. And I hope you will listen to me this time: Approach your security awareness program like you are planning a feast for guests who matter a great deal to you. Because your uneducated employees, unprotected customer data, and invaluable intellectual capital are exactly what cybercriminals are eating for breakfast.

What are the greatest gaps you see in Security Awareness Programs? Please share your brilliance below.

John Sileo loves his role as a keynote “energizer” for Cyber Security Awareness Programs. He specializes in making security fun, so that it sticks. His clients include the Pentagon, Schwab and some organizations so small (and security conscious) that you won’t have even heard of them. John has been featured on 60 Minutes, recently cooked meatballs with Rachel Ray and got started in cyber security when he lost everything, including his $2 million software business, to cybercrime.