If there’s one lesson to be learned from the way authentication company Okta approaches international security training, it’s that bad actors are everywhere.

Phishing emails, password sprays, man-in-the-middle attacks — no matter what country the hacker is in, a threat is still a threat. “If you don’t have a strong password that’s coupled with a multifactor authentication and...policies in the background to protect the account,” Okta CSO Yassir Abousselham says, “then there’s increased risk to that account and really that’s location agnostic.”

The way global employees learn about security best practices often is not location agnostic, however. Country can impact which information they should receive and how they receive it. Awareness efforts might need to be in a different language. In the end, there is no single rule: How security teams approach international awareness truly depends on an individual business’s needs.

Here, Okta and construction company Finning International share their best practices for globalizing security awareness programs. Though the two companies take starkly different approaches, what they have in common is the need to convey urgent information multinationally and the fact that neither company can do this without help.

Share responsibility

At Okta, this help comes from other business departments. From the United States to Australia, every employee receives the same baseline security training: online courses, quiz assessments and instructor-led role play. “My office handles content,” Abousselham says. From there, the company’s legal team reviews any privacy-related lessons to ensure they are current, accurate and comprehensive. Legal is also in charge of organizing updates and, Abousselham adds, “interpreting the law and the regulations for us in a way that is more digestible for our employees.” GDPR-related training is not customized by country.
Rather, global employees all receive the highest level required.

From there, he continues, “HR is responsible for obviously everything around logistics.” Human resources sets up times and makes sure every employee takes compliance courses as required. Additional training might follow, depending on staff department. As a final step, facilities management hangs awareness posters in the offices’ elevators and kitchens.

Appoint ambassadors

At Finning, diverse departments do chip in, but security education is personal. When IT Risk and Compliance Lead Nickolas Hilderman joined the company in 2016, he says, “Our company was going through some transformation” and CISO Suzie Smibert wanted to edify users more. So she asked Hilderman to develop an awareness program and together, he adds, “We said, ‘Let’s build upon what’s good and let’s make it amazing.’”

The company then commissioned a group of ambassadors — individuals from each department across all countries who care about cybersecurity and voluntarily champion awareness by forwarding security newsletters to colleagues, speaking up for infosec at team meetings, and hanging posters. As their numbers grew, Hilderman says the security department shifted these volunteers to an incentive program, “reward[ing] them based on the merits that they’ve done.” In 2018, 75 to 100 ambassadors advocated across the seven countries where Finning operates.

Provide clarity

Okta works in seven countries, too, but only one language. “We’re a US-based company,” Abousselham says, explaining that all transactions and meetings are in American English, “even when we talk to our European counterparts.”

Finning’s chief corporate language is also English, but unlike Okta, Hilderman says the company translates everything: posters, newsletters, “It’s all in Spanish, you bet.” In the past, an ad agency did the work. Bilingual employees help out today.
“[Misunderstandings] can hamper progress of initiatives if clarity is lacking,” he explains. So, for less than 500 Canadian dollars a year, translation provides that clarity.

It’s also saved the company more than $300,000 to $400,000: After executing a bilingual phishing campaign, the company’s South American controller received a fake CFO phishing email but caught the threat. Global company click-through rates also improved from below industry average to above.

Practice cultural awareness

Finning also adapts campaign imagery and cultural references to ensure non-Canadian staff get the correct message. Take online shopping risks, for example, which often increase when North American employees hit Cyber Monday sales at work. Any awareness campaign of this nature has to take into account the fact that popular shopping holidays change with the country.

Even when referenced holidays or events are more global — such as Christmas — Hilderman points out the message conveyed may still need to change: “Say we have something like a Christmas tree on the poster. [In December,] South America is in summer, so they look at us and go, ‘What are you talking about? We’re on the beach.’” Or — going back to those phishing campaigns — educating staff to flag fake alerts from the Canadian Revenue Agency versus its U.S. counterpart, the Internal Revenue Service.

For Finning, delivery had to shift by country as well. Before Hilderman and Smibert revamped their program, infosec managed security education through a company intranet “that Canada only could access,” Hilderman says. “So, I saw that and went, ‘Oh my goodness, what are we doing?’ And so we rebuilt it,” shifting the information to an internationally available SharePoint URL.
Okta’s online courses are also globally available, provided through a third-party delivery vendor that, in some cases, Abousselham’s team selects.

Customize training by role

Okta may not localize its security education by culture or by language, but it does customize training another way: by job role. “The more serious attackers are focused,” Abousselham says, so after the baseline courses are completed, continued awareness must be [focused] as well. Bad actors don’t care which country the controller is in; they just want the money, and to get it, he explains, “They do target someone based on their job roles.” So the company takes a position-specific approach. Financial staff receive custom instruction on phishing emails like the one Finning’s controller received. Engineering team members learn how to more securely deploy and create code, as well as updates on threats to Okta’s web application.

The company doesn’t have any financial staff outside the U.S., but sales, HR, IT and marketing workers are in all seven countries. Where these employees work does affect company security — if not from an awareness standpoint, then from an authentication one. Compared to authorization, which ensures only the right people can log into an account or application, authentication governs access permission once inside. This may seem location agnostic — the sales guy doesn’t need to be in company bank accounts no matter where he is — but when team members travel, it makes a difference.

“If someone is trying to connect, let’s say, from Nigeria,” Abousselham explains, “then you need to apply this policy as opposed to if they’re trying to connect from an IP address or location that I’ve seen before.” Non-U.S. logins could be attacks or they could be global workers.
Granted, setting up country-specific policies has less to do with security awareness and more with security itself, but international operations mean international travel. Employees need education on when to relay where they’ll be — especially staff in Europe, who may go between countries as often as American employees travel between states.

In the end, though, Abousselham says, “Whether the employee is in the U.S. or an international office, the threat is exactly the same.” What isn’t is how security prepares the rest of the company for it.