Global organizations face particular cultural and linguistic challenges when it comes to awareness training. Here's how two companies met that challenge and what you can learn from their experience.

If there's one lesson to be learned from the way authentication company Okta approaches international security training, it's that bad actors are everywhere. Phishing emails, password sprays, man-in-the-middle attacks: no matter what country the hacker is in, a threat is still a threat. "If you don't have a strong password that's coupled with multifactor authentication and…policies in the background to protect the account," Okta CSO Yassir Abousselham says, "then there's increased risk to that account and really that's location agnostic."

The way global employees learn about security best practices often is not location agnostic, however. Country can affect which information they should receive and how they receive it. Awareness efforts might need to be in a different language. In the end, there is no single rule: how security teams approach international awareness depends on an individual business's needs.

Here, Okta and construction company Finning International share their best practices for globalizing security awareness programs. Though the two companies take starkly different approaches, what they have in common is the need to convey urgent information across many countries and the fact that neither company can do this without help.

Share responsibility

At Okta, this help comes from other business departments. From the United States to Australia, every employee receives the same baseline security training: online courses, quiz assessments and instructor-led role play. "My office handles content," Abousselham says. From there, the company's legal team reviews any privacy-related lessons to ensure they are current, accurate and comprehensive.
Legal is also in charge of organizing updates and, Abousselham adds, "interpreting the law and the regulations for us in a way that is more digestible for our employees." GDPR-related training is not customized by country; rather, all global employees receive the highest level required.

From there, he continues, "HR is responsible for obviously everything around logistics." Human resources sets up times and makes sure every employee takes compliance courses as required. Additional training might follow, depending on the employee's department. As a final step, facilities management hangs awareness posters in the offices' elevators and kitchens.

Appoint ambassadors

At Finning, diverse departments do chip in, but security education is personal. When IT Risk and Compliance Lead Nickolas Hilderman joined the company in 2016, he says, "Our company was going through some transformation" and CISO Suzie Smibert wanted to edify users more. So she asked Hilderman to develop an awareness program and together, he adds, "We said, 'Let's build upon what's good and let's make it amazing.'"

The company then commissioned a group of ambassadors: individuals from each department across all countries who care about cybersecurity and voluntarily champion awareness by forwarding security newsletters to colleagues, speaking up for infosec at team meetings, and hanging posters. As their numbers grew, Hilderman says, the security department shifted these volunteers to an incentive program, "reward[ing] them based on the merits that they've done." In 2018, 75 to 100 ambassadors advocated across the seven countries where Finning operates.

Provide clarity

Okta works in seven countries, too, but in only one language.
"We're a US-based company," Abousselham says, explaining that all transactions and meetings are in American English, "even when we talk to our European counterparts."

Finning's chief corporate language is also English, but unlike Okta, Hilderman says, the company translates everything, posters and newsletters included: "It's all in Spanish, you bet." In the past, an ad agency did the work; bilingual employees help out today. "[Misunderstandings] can hamper progress of initiatives if clarity is lacking," he explains. So, for less than 500 Canadian dollars a year, translation provides that clarity.

It has also saved the company more than $300,000 (perhaps as much as $400,000): after the company ran a bilingual phishing campaign, its South American controller received a phishing email impersonating the CFO but caught the threat. Company-wide click-through rates also improved from below the industry average to above it.

Practice cultural awareness

Finning also adapts campaign imagery and cultural references to ensure non-Canadian staff get the correct message. Take online shopping risks, for example, which often increase when North American employees hit Cyber Monday sales at work. Any awareness campaign of this nature has to take into account the fact that popular shopping holidays change with the country. Even when the referenced holidays or events are more global, such as Christmas, Hilderman points out that the message conveyed may still need to change: "Say we have something like a Christmas tree on the poster. [In December,] South America is in summer, so they look at us and go, 'What are you talking about? We're on the beach.'" Or, going back to those phishing campaigns, educating staff to flag fake alerts from the Canada Revenue Agency versus its U.S. counterpart, the Internal Revenue Service.

For Finning, delivery had to shift by country as well. Before Hilderman and Smibert revamped their program, infosec managed security education through a company intranet "that Canada only could access," Hilderman says.
"So, I saw that and went, 'Oh my goodness, what are we doing?' And so we rebuilt it," shifting the information to an internationally available SharePoint URL. Okta's online courses are also globally available, provided through a third-party delivery vendor that, in some cases, Abousselham's team selects.

Customize training by role

Okta may not localize its security education by culture or by language, but it does customize training another way: by job role. "The more serious attackers are focused," Abousselham says, so after the baseline courses are completed, continued awareness must be [focused] as well. Bad actors don't care which country the controller is in; they just want the money, and to get it, he explains, "They do target someone based on their job roles." So the company takes a position-specific approach. Financial staff receive custom instruction on phishing emails like the one Finning's controller received. Engineering team members learn how to create and deploy code more securely, and receive updates on threats to Okta's web application.

The company doesn't have any financial staff outside the U.S., but sales, HR, IT and marketing workers are in all seven countries. Where these employees work does affect company security, if not from an awareness standpoint, then from an authentication one. Compared to authorization, which ensures only the right people can log into an account or application, authentication governs access permission once inside. This may seem location agnostic (the sales guy doesn't need to be in company bank accounts no matter where he is), but when team members travel, it makes a difference. "If someone is trying to connect, let's say, from Nigeria," Abousselham explains, "then you need to apply this policy as opposed to if they're trying to connect from an IP address or location that I've seen before." Non-U.S. logins could be attacks, or they could be global workers.
Granted, setting up country-specific policies has less to do with security awareness and more with security itself, but international operations mean international travel. Employees need education on when to relay where they'll be, especially staff in Europe, who may go between countries as often as American employees travel between states.

In the end, though, Abousselham says, "Whether the employee is in the U.S. or an international office, the threat is exactly the same." What isn't is how security prepares the rest of the company for it.
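The location-aware login policy Abousselham describes, combined with the travel notices the paragraph above says employees should file, can be sketched as a small decision function. The following is an added illustration written for this article, not Okta's policy engine or any code from either company. It assumes the attempt's country has already been supplied by an upstream IP geolocation lookup, that the "seen before" baseline is built only from MFA-verified logins, and it uses constructed RFC 5737 documentation addresses as sample data. The outcome for an unfamiliar country with no travel notice is a step-up challenge plus an alert to the security team rather than a hard block, so a travelling employee who forgot to file a notice is inconvenienced, not locked out.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Policy outcomes, from least to most friction.
ALLOW = "allow"                          # password plus the baseline MFA rule
STEP_UP = "step_up_mfa"                  # force a fresh MFA challenge
STEP_UP_ALERT = "step_up_mfa_and_alert"  # challenge and notify the security team


@dataclass
class TravelNotice:
    """An employee's declared trip: 'I will be in <country> between these dates'."""
    country: str
    start: datetime
    end: datetime


@dataclass
class UserHistory:
    seen_ips: set = field(default_factory=set)        # IPs of prior MFA-verified logins
    seen_countries: set = field(default_factory=set)  # countries of prior MFA-verified logins
    travel: list = field(default_factory=list)        # TravelNotice objects on file


@dataclass
class LoginAttempt:
    user: str
    ip: str
    country: str      # assumed: filled in by an upstream IP geolocation lookup
    when: datetime


def evaluate(history, attempt, corporate_ranges):
    """Return (decision, reason) for one login attempt against the user's history."""
    addr = ip_address(attempt.ip)
    if any(addr in net for net in corporate_ranges):
        return ALLOW, "corporate network"
    if attempt.ip in history.seen_ips:
        return ALLOW, "previously verified IP"
    if attempt.country in history.seen_countries:
        return STEP_UP, "known country, new IP"
    for notice in history.travel:
        if notice.country == attempt.country and notice.start <= attempt.when <= notice.end:
            return STEP_UP, "matches declared travel"
    return STEP_UP_ALERT, "unfamiliar country with no travel notice"


def record_success(history, attempt):
    """Only a login that passed MFA extends the 'seen before' baseline."""
    history.seen_ips.add(attempt.ip)
    history.seen_countries.add(attempt.country)


def run_demo():
    """Walk a constructed sales user through four attempts; returns the decisions."""
    corporate = [ip_network("203.0.113.0/24")]  # constructed office range (RFC 5737)
    hist = UserHistory(seen_ips={"198.51.100.10"}, seen_countries={"US"})
    t = datetime(2024, 3, 10, 9, 0, tzinfo=timezone.utc)
    attempts = [
        LoginAttempt("sales.rep", "203.0.113.25", "US", t),   # from the office
        LoginAttempt("sales.rep", "198.51.100.77", "US", t),  # home ISP, never seen
        LoginAttempt("sales.rep", "192.0.2.44", "NG", t),     # unfamiliar country
    ]
    results = [evaluate(hist, a, corporate)[0] for a in attempts]
    # The same foreign login once the employee has filed a travel notice covering it.
    hist.travel.append(TravelNotice("NG", t.replace(day=8), t.replace(day=15)))
    results.append(evaluate(hist, attempts[2], corporate)[0])
    return results


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The point the demo makes is the one in Abousselham's quote: the same foreign login is handled differently depending on whether the security team has seen the user there before or has a reason to expect it, which is exactly why employees need to know when and how to report travel.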