Do you have a false sense of security?
Over the last few years, organisations have been investing more of their time and money into security awareness training. The message has been getting through that whilst your workers are a company’s greatest asset, they are also potentially the weakest link when it comes to security breaches. Countless surveys from credible sources keep throwing up the same results. For example, while 78% of people in a recent survey claimed to be aware of the risks of unknown links, 45% of them clicked a link in a test email anyway (https://blog.barkly.com/cyber-security-statistics-2017).
And in this year’s ClubCISO Maturity Survey, security awareness was ranked as the second most important topic for our CISOs, after GDPR. So what can you do about it?
Internal training on cyber security awareness is now big business and a key concern for everyone: but how do you know that your training is working? It’s not enough to show that you are compliant. Ticking a box will solve nothing and satisfy nobody. You must be innovative in your approach and scientific in the way you measure your effectiveness.
Awareness training must involve everyone in your organisation, from the most recent junior recruit to the board of directors. Training must be tailored and relevant to the functions of the employee concerned. There should be no short cuts or exceptions. If the regular staff have to take a test to demonstrate their level of competence, then so must the directors.
Some large corporates have sent their senior people an executive summary to read instead and paid the price. Your directors have access to far more sensitive data than anyone else. They are a bigger target. Don’t make them a bigger risk as well.
Instead of conducting a pedestrian email campaign that clogs up people’s inboxes and ends up lost, get the language and the method of communication right. Work together with people from HR, marketing and public relations. Use their expertise to help you get your message across. Security awareness is not a problem that belongs in a silo called the IT department.
If you want people to sit up and listen, you must pique their interest. Some organisations are using fun computer games as part of their training programme, designed to teach skills and impart useful facts and tips. People get to play games, have fun and learn at the same time.
Others impart training information in the form of a quiz. If you make it competitive and introduce a prize element you will get greater participation. For example, we spoke to a group of legal CIOs last year and one described an initiative they had run:
One firm are trying to map out a training regime which rewards good behaviour rather than doling out punishment: scores on an online test will dictate how much access to the internet you receive. So if you score highly, you can access everything from social networks down, but those with a low score will have almost everything blocked.
As an added advantage, such methods can be easily measured and progress charted over time, to gauge the effectiveness of the campaign.
Another way to get people’s attention and involvement is to make your security awareness training relevant to their home lives. Help them to protect their family members, particularly children, from the same dangers at home. This is not just a work issue. You can’t expect people to turn on their awareness brain at 9am when they arrive in the office and switch it off again when they leave at night. Awareness is not about a change in the rules of your business, it’s about a change in the mindset of all your employees.
To encourage a team approach to security and offer a chance for people to ask questions, you could run “brown bag” meetings at lunchtime or put together road shows if you have several locations to cover. By engaging your staff in groups and helping them understand just how damaging a security breach could be to the company, you will enable them to help each other and report any emails or phone calls that they find suspicious.
The most important thing is to encourage a culture of openness, where people feel able to ask for advice or flag a problem if they think they’ve done something wrong. Cyber crime thrives on secrecy.
– Marc Lueck, ClubCISO Chairman