Security Awareness Solutions at a Glance
By Mike Saurbaugh
To each his own philosophy as to whether this mindset is believable and sincere. Granted, satisfying the security awareness checkbox doesn’t lead to behavioral change and yields very little value-add back to the company. What’s interesting, and not surprising, is that security awareness solutions aren’t dissolving in the sea of technical security enhancements. Instead companies are paying more attention to managing an effective security awareness program with the goal of changing employee behavior that is measurable, and sustainable.
Over the past few years this observation has become more noticeable with vendors entering in this space. Furthermore there have been partnerships formed with technical security solutions collaborating with security education vendors.
In the past few months PhishMe and FireEye announced a partnership as well as RSA, The Security Division of EMC, partnered with Wombat Security. Clearly technical solution providers see the value in partnering with security education to create holistic security offerings.
Not surprisingly, the number of security awareness solution providers are not fading away. There has been increased interest in companies seeking to do more than just check a compliance box. So who are the security awareness vendors in this space? Do their offerings integrate with learning management systems (LMS) or are they SaaS solutions? In alphabetical order, and with no particular bias, a brief summary of solution providers is outlined below to help companies in their search.
- Apozy – San Francisco-based, Apozy, offers a solution, like many others, education through gaming. Apozy’s approach is to play games to stop hackers. While a lofty goal, Apozy hopes that by engaging employees through SaaS gamification, employees will learn while having fun at the same time.
- InfoSec Institute – InfoSec Institute was founded in 1998 and offers a significant amount of certification training as well as security awareness training materials. The InfoSec Institute can provide on-premise web-based training as well as integration into a SCORM-compliant Learning Management System. If preferred, the InfoSec Institute will conduct instructor-led training for organizations.
- Inspired eLearning – Inspired eLearning offers a wide range of services and course from phishing, privacy, GLBA, PCI and security awareness. The Inspired eLearning system leverages their iLMS (Inspired Learning Management System) which is SCORM compliant. In addition, their LMS supports upwards of 21 languages and scales well into the thousands with Fortune 500 companies. Additionally, they offer course access in a SaaS or local deployment model. Inspired’s phishing offering, PhishProof, allows for spear phishing simulation and tracks attributes such as the IP address of the employee if the link is clicked. The initial assessment is free. There are over 30 fully customizable email templates with much of the management, design, and maintenance handled by Inspired’s staff. Inspired also offers short, under 8-minute training videos that are tablet compatible as well. It would be worth inquiring with Inspired eLearning as to the frequency of their content refresh rate. Some competitors refresh content every 6 months to ensure the latest is included. Lastly, Inspired eLearning’s breadth of offerings includes non-security content such as HR and ethics, which could be seen as a weakness compared to pure security companies.
- KnowBe4 – KnowBe4 offers security awareness education solutions as well as vulnerability scanning and other services. Most recently, KnowwBe4 launched their Compliance Manager offering which can assist in security awareness compliance mandates as well as additional regulatory requirements. KnowBe4’s web-based awareness offering can be done in 30-40 minute sessions or condense, 15-minute versions. Once complete the administrative portal allows for social engineering-based phishing assessments which can be done frequently or spread out over time.
- MAD Security – MAD Security offers a suite of security awareness services. The services range from cloud-based hosting to an on-premise deployment addressing holistic security training. Phishing is one aspect and would be part of a larger set of social engineering assessments as well as vulnerability and penetration testing. MAD Security can also conduct on-site consulting engagements and seeks to provide a pure security offering that focuses on changing behavior. One example is MAD Security’s WISE training platform. MAD Security’s behavior-changing focus is backed by their expertise in human behavior and understanding more about people so that they awareness program can be tailored appropriately.
- PhishLine – PhishLine is a SaaS offering that seeks to also identify weaknesses in not only the people clicking links, but some of the technology deployed. PhishLine is able to uncover potential browser and network vulnerabilities and the devices used as well as the end-user assessment. PhishLine also offers consulting services to complement their solution in the event internal resources are strapped. PhishLine can also simulate text, voice, and portable media assessments in addition to the traditional email phishing. In addition to clicking links, PhishLine detects credentials that may be submitted in spoofed web forms. PhishLine does not appear to be as well-known compared to companies such as PhishMe, ThreatSim and Wombat, when it comes to phishing education.
- PhishMe – PhishMe provides a best-in-class, industry-recognized SaaS phishing training offering and with former members of Mandiant. PhishMe has recently partnered with FireEye to blend education and technology. PhishMe is best known for their phishing awareness program and its effectiveness, efficiency, and reporting. As a phishing awareness program, PhishMe also offers an Outlook add-on, Phish Reporter, to be used by employees when they suspect a phishing email. This is helpful for tracking as well as also identifying email which has evaded the corporate gateway controls. Security teams can use the information from Phish Reporter to implement countermeasures. While PhishMe is not focusing on every aspect of security awareness, they are the leader in phishing education and addressing one of the greatest threats organizations face today. PhishMe provides immediate feedback when a user clicks a phishing link with in-depth reporting capabilities. Companies are able to see firsthand the amount of time employees are spending on the in-the-moment training. In addition, PhishMe offers a wide range of templates to use in order to customize the campaign. PhishMe continues to lead the way in phishing awareness which has eclipsed over 4 million people worldwide.
- Rocket Ready – Rocket Ready offers web-based training that can be on-premise within the organization. Rocket Ready touts a scalable training offering without the need to have a Learning Management System. Rocket Ready offers social engineering audits which would line up with phishing assessments, albeit Rocket Ready offers a larger suite of services other than phishing and social engineering.
- Securing the Human – Securing the Human is part of SANS, a highly reputable security training and certification body recognized throughout the world. Securing the Human offers training modules, refreshed semi-annually, that can be incorporated into an organization SCORM-compliant Learning Management System. Or, organizations can take advantage of Securing the Human’s hosted solution to achieve awareness objectives. SANS Securing the Human offers one of the more holistic solutions and has started covering areas such as utilities and the ever crucial, software developer awareness. Lastly, Securing the Human has been known to provide some outstanding free resources. (Full disclosure, the author is a contributing member for Securing the Human).
- Security Mentor – Security Mentor offers web-based training that can exist within a SCORM-compliant Leaning Management System or a hosted service on Security Mentor’s servers. The monthly sessions are 10-12 minutes in length.
- Terranova – Terranova offers security awareness training as well as offerings for privacy and compliance. Terranova allows for SCORM-compliant Learning Management System integration or a hosted offering as well as an Intranet-based offering for organizations wishing to maintain training internally.
- ThreatSim – ThreatSim’s SaaS offering provides spear phishing simulation for file attachment, drive-by, and data entry assessments. Vulnerable endpoints are also identified during the campaigns, which can be from the provided templates or through the creation by the administrator. In addition to vulnerable plugins, ThreatSim’s reporting dashboard will illustrate OS (including mobile), browser, and of course the compromise and reported states. Like other vendors, ThreatSim provides additional training (SpearTraining) to help provide meaningful information to change behavior. ThreatSim claims a 70% reduction in user compromise after their training and services. Lastly, as an added benefit, ThreatSim allows for the management of the service to employ two-factor authentication.
- Wombat Security – Wombat Security is another highly respected security awareness company with many of the founders coming from Carnegie Mellon University and initial funding from the National Science Foundation and Department of Defense. Wombat Security offers training in a cloud-based offering and with integration into SCORM-compliant Learning Management Systems. Additionally, Wombat Security’s program is 508-compliant to provide training for visually, hearing, or learning disabilities. In mid-summer 2013, Wombat and RSA, The Security Division of EMC, announced a relationship aimed at merging technology and education.
Choosing security awareness solutions is only a piece of the requirement. A solution is only as good as the effort involved in managing a security awareness program. Assuming an organizational security culture and foundation has been built; companies are then able to seek solutions and resources to mature their program.