User awareness is an important, but an often-overlooked component of your cyber security program. Statistics show that between 70 and 80 percent of all cyber security breaches emanate from some form of user behavior. One of my favorite lines “the greatest vulnerability sits between the chair and the keyboard” was true in 2008 and is no less true today.
Creating a Culture of Security Awareness
So how do we reduce the risk of user error and vulnerabilities? Implementing a security awareness program is a necessary activity. However, instilling a culture of security is the most effective method for reducing user risk. According to a recent SANS institute report, the greatest challenges impacting organizations around security awareness are time and communication. The lack of dedicated resources (time) is a key blocker, as many organizations think of security awareness as an afterthought or a compliance concern. Few have dedicated resources to a security awareness program but allocate those responsibilities as ancillary duties to their information technology team. Communication is another challenge. How, how often, and in what form, does your organization deliver their security message? If it is only through online security awareness training, your program is likely failing.
Before you begin transforming your company’s security awareness, you need to define your current awareness maturity level:
Baseline and Metrics
Before developing your program you must establish a reasonable baseline as to where the organization stands. The best way that I have found to do this is to run a few internal phishing campaigns, capture and analyze that data. This should include at least two metrics that matter, total click rate, and from that data should come the second metric around the percentage of people that provide credentials. These data points should provide a pretty good optic on the security awareness maturity of your organization.
Set your goals and objectives based on the results of the aforementioned baselining activities. For example. If your internal phish indicates a click rate of 25% and a secondary credential compromise of 50% (of that 25%) then your goal could be to reduce those numbers to less than 10%.
Executive leadership must buy-in to the program and take an active role in its implementation. This could be in the form of a monthly security newsletter authored by an executive. Regular security messaging, visible participation in security training, etc. displays a security mindset from the top, and is the best way to influence culture.
It should be stressed that information security is not only the responsibility of the Information Technology and Information Security teams but also of every member of the organization. This can be emphasized through the executive messaging, newsletters, etc. Security awareness is not your annual online security awareness training but a continual program that might include that training coupled with other activities.
In my opinion, online training is generally not very good. It is hard to hold an employee’s attention during online sessions. How many times have you gone through one of these sessions while you were answering emails, taking phone calls, etc. I know that I am guilty of this more times that I care to admit. Also, online training tends to become “check the box training,” meaning you have a requirement and the online training satisfies that requirement. All this being said, online training is the most prevalent means of providing security awareness today. In addition to the online training, I would include stand and deliver (in person training) as well. In person training from an engaging instructor increases the likelihood that your employees will remain engaged, provides the ability to give real life examples from recent events, allows for questions and answers, etc.
Encouraging participation and employee buy-in is an important aspect. Soliciting employee ideas, encouraging feedback, including recent event (breaches, scams, etc.), utilizing real life stories, and an engaging presenter helps to ensure employee participation.
Soft skills, the ability to communicate effectively, are critical to increasing the employee buy-in to your program. However, information security often is left to the IT department. In my experience, technologists are generally not the best communicators. Entities should look for effective communicators to deliver training and security specific messaging. This could be someone from HR, legal, or some other team in the organization. In addition to a more effective messenger, it also demonstrates that the security mindset is endemic across the organization, thus enhancing the culture of security. Also, the organization might consider bringing in outside expertise.
Another way to ensure engagement with your users is to relate the training to their personal computer usage. Virtually everything that we might discuss from a corporate information security perspective translates directly to personal information security. The security culture should extend beyond the workplace and into the everyday life of your employees.
Reinforce the Message
As stated, building a security posture is a continuous process encompassing all of the aspects discussed above. Training should include both online and in person. The training should be reinforced with messaging from senior leadership about security best practices, praise for employees who operate securely, and maybe even some kind of award system for employees or teams that perform best during awareness testing.
Finally, continue to measure your program. The internal phishing tactic mentioned earlier should be a regular part of your program. The two metrics (click rate and credential compromise) are good metrics to gauge the effectiveness of your program. Also, through these tests, you may be able to identify your “serial clickers” who can then take advantage of remedial training.
Creating a strong security culture takes time. Installing a strong security, and security awareness program is key, but it must be more than just compliance with some regulation. The following steps should be helpful:
- Baseline – Where do we stand today, where do we need/want to be
- Executive Buy-in – Let your employees know that the C-suite is all in and expects everyone to take ownership of the program
- Training – Design and deliver an effective training program, online and in-person training with an effective communicator
- Employee Buy-in – Get your employees to buy into the program, relate information security to their personal security, tell real life stories, incentivize security, etc.
- Reinforce the Security Message – With monthly newsletters and other leadership communications
- Test, Test, Test – How do you demonstrate to leadership the return on investment? Internal testing is a good way to measure your organizations security awareness maturity
The Consortium Networks was developed to help you navigate through the maze of products and make the best spending decision for your organization. Reach out to us at firstname.lastname@example.org for more information.