{"id":5113,"date":"2020-02-19T09:26:04","date_gmt":"2020-02-19T17:26:04","guid":{"rendered":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?p=5113"},"modified":"2023-06-25T12:36:40","modified_gmt":"2023-06-25T19:36:40","slug":"how-microsoft-is-transforming-its-approach-to-security-training","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/insidetrack\/blog\/how-microsoft-is-transforming-its-approach-to-security-training\/","title":{"rendered":"How Microsoft is transforming its approach to security training"},"content":{"rendered":"

In a defining moment, Microsoft employees did the right thing.

Ken Sexsmith recalls waiting quietly outside a conference room for a meeting about a new approach for promoting the annual security training at Microsoft. Earlier that day, his team, which is responsible for enterprise-wide digital security education, training, and awareness, was running a company-wide phishing simulation. While waiting for his meeting, Sexsmith overheard some employees questioning the validity of the phishing email.

One of them recalled a recent training and said, “Maybe we need to report it?”

“It was a lightbulb moment,” says Sexsmith, director of Security Education and Awareness in Microsoft Digital. “It was so encouraging to see how employees started talking about the email and knew precisely what to do. It was a highlight of our year.”

Getting to the point where employees recognize phishing emails did not occur overnight. Although Microsoft’s sophisticated anti-phishing technology helps protect customers and employees from targeted phishing campaigns, Microsoft employees still need to stay one step ahead of evolving security threats. To help them get there, Sexsmith set out to change how employees think and learn about security.

“We are on the frontlines of driving digital transformation through behavior and culture change,” says Sexsmith, who says lessons Microsoft learns internally are shared externally with the company’s customers.

[Learn how Microsoft implemented a Zero Trust security model.]

Sexsmith’s team wants to start a movement where everyone wants to be a part of the company’s security story; their goal is to make security personal and change ingrained behaviors.

“We had to win over the hearts and minds of employees,” Sexsmith says. “We had to flip traditional compliance training on its head to make security more engaging, relatable, and fun, but also emphasize the importance of employees using best practices and being responsible for security.”

Employees seeking out new security training

Sexsmith’s team created an engaging, interactive Security Foundations training that uses real-life examples of security threats that have affected Microsoft employees and teams. The training also features a local well-known actor and podcast host that employees can relate to. In its first year, nearly 63 percent of employees across the company took the training. Some employees thought the training was so great that they asked if they could share it with their family and friends.

“A lot of effort and energy was put into making training a more enjoyable experience while helping people not only build the proper skills, but retain the skills they learned,” says Erin Csonaki, an education and awareness program manager in Microsoft Digital who runs enterprise-wide training.

Coupled with phishing simulations and ongoing digital campaigns that highlight the digital security team’s strategy to keep the company and its data safe, the training helps employees learn about security risks and build skills that they can apply on a day-to-day basis.

Proof that it’s working? The once-optional Security Foundations training is now required for all Microsoft employees. The revamped training received an extremely positive response from employees and even won an external Telly Award.

“Because we had favorable feedback, we’ve gained credibility and can continue to push the envelope around the way we launch training this year,” Csonaki says.

Whether the team is running a highly technical training for engineers or an awareness campaign for Cybersecurity Awareness Month, Csonaki says that it’s important to communicate the relevance of this training in their day-to-day work. For example, the Security Foundations training emphasizes never letting your guard down when handling email, posting on social media, or connecting to a public wireless network.

“A key for us is making it personal,” Sexsmith says. “The same things you do at home to secure your family are the same things you do at Microsoft. Your technology is vulnerable, and it only takes one minute for someone to take control of your device.”

Reinforcing learning year-round

Along with trainings, the team creates employee awareness about what phishing and other security threats could look like and provides guidance on how employees should respond. For example, Sexsmith’s team creates phishing simulations that are based on real, previously reported incidents.

Blythe Price, an education and awareness program manager on Sexsmith’s team, is responsible for the Phishing Education and Awareness program, which exposes employees to the experience of being phished and provides prevention education and reporting guidance.

“If an employee falls for the simulation and enters data or opens an attachment, an education moment is served up,” Price says. “This reinforces the best practices for spotting phishing, which is discussed in the Security Foundations training.”

The phishing scenario also teaches employees how to respond to security risks using the “Report Message” button in Outlook or in Microsoft’s internal security reporting channel.

“If it’s not quick and easy to report, a user may decide it’s not worth their time and abandon ship,” Price says. “You also have to make sure that the reporting mechanisms are where they are meant to be, whether it’s on a desktop or mobile browser.”

Learning moments from simulations and trainings are reinforced through ongoing awareness campaigns that align with events like National Cybersecurity Awareness Month or certain holidays. This ensures that the conversation about security is front and center for employees.

“You don’t have to know everything,” Sexsmith says. “You just have to know when to pause before entering your credentials and ask, ‘Am I moving too fast?’ That’s the change that we’re driving.”

Understanding the culture of an organization

For other teams or organizations interested in changing the way they approach security training, Price suggests evaluating what resonates with employees and adjusting accordingly. Price also attributes her team’s success to their emphasis on the “why” behind each training or awareness campaign. This has helped employees understand the importance of their participation.

“Instead of snapping to a model, it’s important to know the culture,” Price says. “Don’t be afraid to take chances if something isn’t working.”

Regardless of how you educate employees about security, it should be a two-way dialogue.

“It can be challenging, but it’s also a good opportunity to listen to what’s resonating with employees, and balance it with what’s needed from a security perspective,” Price says.

Sexsmith knows that his team’s approach to security training and awareness can’t rest on its laurels.

“I have a vision of continued evolution,” Sexsmith says. “I often challenge people to think differently, and that’s what got us here.”
