Cyber security isn’t just a technical issue. People are one of the biggest risks to your organization’s information security. This might be a bold statement, but we’ve got the research to back it up. I think we all agree that most people won’t believe the Prince of Nigeria wants to transfer 4,200,000 USD to their bank account because they are trustworthy. But phishing can be difficult to detect. The Verizon Breach Report 2018 states that 78% of all people didn’t click on a single phishing mail all year. This means that 22% still do. The most common human-related threat vectors are phishing, password theft and accidental incidents like system misconfigurations, poor patching and the use of default usernames and passwords.
This might not sound very promising, but I do have good news for you. People are also your first line of defense in preventing threats. They can prevent successful exfiltration that even the best technology fails to detect.
That is exactly why security awareness programs are so important. Security is the responsibility of every single person in your organization. There is a reason for the saying: you’re only as strong as your weakest link.
What is the goal of a Security Awareness Program?
A security awareness program is a way to ensure that everyone at your company has an appropriate level of know-how about security. It’s a formal process for educating people about cyber security and for creating an appropriate sense of responsibility.
The goal of a security awareness program is to increase understanding of why security best practices are there to help us, and to reduce the chance of a successful breach. This program should, of course, be fun, inspiring and keep every single employee involved.
Depending on your business, there might even be regulations that oblige you to provide security awareness training to your employees (such as HIPAA and PCI).
Three Pillars of Awareness
There is only so much information that sticks with people. With an average attention span of about 7 – 10 minutes for a presentation, you want to conduct your awareness program as efficiently and engagingly as possible. So plan your activities carefully:
Write down all procedural and role-based guidelines that could involve security risks in a Security Handbook, and plan how and how often you want to remind people of the security protocols.
The Security Handbook should be available to all employees and contain security- and risk-related procedures: what to do when new employees start or leave the company, how often people are reminded of the security protocols, what to do when an incident takes place, and how to communicate in the event of a breach.
Develop awareness tools for new hires and for ongoing employee education.
Security needs to become a regular part of day-to-day business activities. User awareness is the key. Training programs help people better understand the possible security risks. Develop a training program with real-life examples, send out quarterly reports with statistics, and create print media that fits your risk profile.
Set up an easy-to-use platform for reporting suspicious activity and for security-related questions and feedback.
Security awareness only works if people are comfortable reporting and discussing risks and threats. Set up an easy-to-use platform like a chat channel or a commonly used intranet portal, and allow people to discuss related topics or report suspicious activities there.
Elements of a Successful Awareness Program
Now you know the three pillars of a security awareness program. But as we stated before, a program should be fun, inspiring and keep every single employee involved. So here are some tips for creating a successful program:
- Obtain C-level support. It gives you more freedom, budget and backing for your security awareness program. Secure strong support before starting your program!
- Team up with relevant departments like legal, marketing and HR. You would be surprised how many mutual interests there are.
- Be relevant. Mandatory education programs or training videos don’t work if they are not relevant to your business. Cyber security is already a complex domain for many people; understanding how to prevent successful attacks is harder still.
- Measure success to prove your effort is worth everyone’s valuable time. Establish a baseline, then get results from surveys, phishing simulators and security-related incidents reported to the helpdesk.
- Don’t be a naysayer – help people understand how to work safely with information. If you block social media, people will find another way to use it. Teach them how to use the platform safely instead.
- Reward people for reporting security incidents, and include these examples in awareness training.
- Use a variety of awareness tools like newsletters, posters, blog posts and simulations.
Creating a relevant, successful and fun security awareness program might look like a hefty task, but there are actually many clever, simple and exciting ways to approach it. Have a look at this inspiring awareness video about passwords.