• United States



Contributing writer

5 tips for globalizing security awareness training

Jun 05, 20197 mins
IT SkillsSecurity

Global organizations face particular cultural and linguistic challenges when it comes to awareness training. Here's how 2 companies met that challenge and what you can learn from their experience.

CSO > global security
Credit: Rick Jo / Getty Images

If there’s one lesson to be learned from the way authentication company Okta approaches international security training, it’s that bad actors are everywhere.

Phishing emails, password sprays, man-in-the middle attacks — no matter what country the hacker is in, a threat is still a threat. “If you don’t have a strong password that’s coupled with a multifactor authentication and…policies in the background to protect the account,” Okta CSO Yassir Abousselham says, “then there’s increased risk to that account and really that’s location agnostic.”

The way global employees learn about security best practices often is not location agnostic, however. Country can impact which information they should receive and how they receive it. Awareness efforts might need to be in a different language. In the end, there is no single rule: How security teams approach international awareness truly depends on an individual business’s needs.

Here, Okta and constrution company Finning International share their best practices for globalizing security awareness programs. Though the two companies take starkly different approaches, what they have in common is the need to multi-nationally convey urgent information and the fact that neither company can do this without help.

Share responsibility

At Okta, this help comes from other business departments. From the United States to Australia, every employee receives the same baseline security training: online courses, quiz assessments and instructor-led role play. “My office handles content,” Abousselham says. From there, the company’s legal team reviews any privacy related lessons to ensure they are current, accurate and comprehensive. Legal is also in charge of organizing updates and, Abousselham adds, “interpreting the law and the regulations for us in a way that is more digestible for our employees.” GDPR-related training is not customized by country. Rather, global employees all receive the highest level required.

From there, he continues, “HR is responsible for obviously everything around logistics.” Human resources sets up times and makes sure every employee takes compliance courses as required. Additional training might follow, depending on staff department. As a final step, facilities management hangs awareness posters in the offices’ elevators and kitchens.

Appoint ambassadors

At Finning, diverse departments do chip in, but security education is personal. When IT Risk and Compliance Lead Nickolas Hilderman joined the company in 2016, he says, “Our company was going through some transformation” and CISO Suzie Smibert wanted to edify users more. So she asked Hilderman to develop an awareness program and together, he adds, “We said, ‘Let’s build upon what’s good and let’s make it amazing.’”

The company then commissioned a group of ambassadors — individuals from each department across all countries who care about cybersecurity and voluntarily champion awareness by forwarding security newsletters to colleagues, speaking up for infosec at team meetings, and hanging posters. As their numbers grew, Hilderman says the security department shifted these volunteers to an incentive program, “reward[ing] them based on the merits that they’ve done.” In 2018, 75 to 100 ambassadors advocated across the seven countries where Finning operates.

Provide clarity

Okta works in seven countries, too, but only one language. “We’re a US-based company,” Abousselham says, explaining that all transactions and meetings are in American English, “even when we talk to our European counterparts.”

Finning’s chief corporate language is also English, but unlike Okta, Hilderman says the company translates everything: posters, newsletters, “It’s all in Spanish, you bet.” In the past, an ad agency did the work. Bilingual employees help out today. “[Misunderstandings] can hamper progress of initiatives if clarity is lacking,” he explains. So, for less than 500 Canadian dollars a year, translation provides that clarity.

It’s also saved the company more than $300,000 to $400,000: After executing a bilingual phishing campaign, the company’s South American controller received a fake CFO phishing email but caught the threat. Global company click-through rates also improved from below industry average to above.

Practice cultural awareness

Finning also adapts campaign imagery and cultural references to ensure non-Canadian staff get the correct message. Take online shopping risks, for example, which often increase when North American employees hit Cyber Monday sales at work. Any awareness campaign of this nature has to take into account the fact that popular shopping holidays change with the country.

Even when referenced holidays or events are more global —such as Christmas — Hilderman points out the message conveyed may still need to change: “Say we have a something like a Christmas tree on the poster. [In December,] South America is in summer, so they look at us and go, ‘What are you talking about? We’re on the beach.’” Or — going back to those phishing campaigns — educating staff to flag fake alerts from the Canadian Revenue Agency versus its U.S. counterpart, the Internal Revenue Service.

For Finning, delivery had to shift by country as well. Before Hilderman and Smibert revamped their program, infosec managed security education through a company intranet “that Canada only could access,” Hilderman says. “So, I saw that and went, ‘Oh my goodness, what are we doing?’ And so we rebuilt it,” shifting the information to an internationally available SharePoint URL. Okta’s online courses are also globally available, provided through a third-party delivery vendor that, in some cases, Abousselham’s team selects.

Customize training by role

Okta may not localize its security education by culture or by language, but it does customize training another way: by job role. “The more serious attackers are focused,” Abousselham says, so after the baseline courses are completed, continued awareness must be [focused] as well. Bad actors don’t care which country the controller is in; they just want the money, and to get it, he explains, “They do target someone based on their job roles.” So the company takes a position-specific approach. Financial staff receive custom instruction on phishing emails like the one Finning’s controller received. Engineering team members learn how to more securely deploy and create code, as well as updates on threats to Okta’s web application.

The company doesn’t have any financial staff outside the U.S., but sales, HR, IT and marketing workers are in all seven countries. Where these employees work does affect company security — if not from an awareness standpoint, then from an authentication one. Compared to authorization, which ensures only the right people can log into an account or application, authentication governs access permission once inside. This may seem location agnostic — the sales guy doesn’t need to be in company bank accounts no matter where he is — but when team members travel, it makes a difference.

“If someone is trying to connect, let’s say, from Nigeria,” Abousselham explains, “then you need to apply this policy as opposed to if they’re trying to connect from an IP address or location that I’ve seen before.” Non-U.S. logins could be attacks or they could be global workers. Granted, setting up country-specific policies has less to do with security awareness and more with security itself, but international operations mean international travel. Employees need education on when to relay where they’ll be — especially staff in Europe, who may go between countries as often as American employees travel between states.

In the end, though, Abousselham says, “Whether the employee is in the U.S. or an international office, the threat is exactly the same.” What isn’t is how security prepares the rest of the company for it.