We bet most people working in information security know the key dimensions of securing an information system: people, processes and technology. These three pillars (see the image below) remind businesses that security goes beyond technology. Yet when we look at existing information security programmes, one pillar tends to be neglected despite its importance in fighting cyber threats. Most organisations have deployed security technology to some extent, and they implement and document security processes because regulators and law enforcement bodies require it, but the human factor remains the least attended to. What prevents organisations from investing in security awareness and raising the information security culture of their employees? The reasons vary, but the history of IT has carried one misconception over time that shapes this situation. Discover it in this article.
A radiography of information security programmes
According to the SANS 2017 Security Awareness Survey, the time you spend on security awareness is the decisive factor in raising the security culture of your organisation’s employees and changing their behaviour.
It’s not uncommon to see organisations ticking the “done” box after running a single standard 2-hour plenary session on information security once a year. If raising awareness calls for a series of chained actions across the organisation, education, a more ambitious goal, needs a sustained, measurable plan over the medium or long term. Scattered actions won’t do the magic, especially if they resemble old-fashioned one-way training sessions. In the smartphone era, when attention spans are shrinking, engaging and interactive sessions have become a necessity.
Over 50% of respondents to the SANS survey said that less than 15% of their time is allocated to security awareness initiatives. In the best case, that corresponds to about 30 working days per year. If we subtract the “new joiner sessions”, in which organisations expect new employees to absorb most of the security rules, the time actually invested in defining and running a comprehensive education programme is scarce.
The board’s buy-in, as in most digital transformation processes, is pivotal to securing the resources for awareness campaigns. Time and budget are the two factors information security teams need to keep in mind. Although we cannot generalise, getting support from the board or top management isn’t always a smooth, straightforward process. This leads to the second gap preventing many organisations from implementing better information security education programmes.
IT security experts are not the best at communicating
A security expert can handle security breaches, troubleshoot network failures, master sophisticated tools and even hack a company. Commonly, though, many of them lack basic communication skills. When security experts try to convince an organisation’s decision makers to invest money in security, they often rely on technical reports stuffed with complex terminology. The result is a confused board member or leader, a lack of support, or a longer approval process.
Technology over Human
The main obstacle to tackling cyber threats that target employees isn’t the lack of an internal information security policy, nor software that isn’t powerful enough to cope with them.
In our view, IT history carries a misconception: the belief that technology alone determines an organisation’s security level. Following this notion, the more up to date and sophisticated the technology, the better the organisation should be able to prevent cybercrime. The reality, dozens of attacks in which employees unintentionally or intentionally activated the threat, tells a different story.
Security officers or IT security experts can always add new “protection layers” to the existing technology, but setting aside the human dimension unbalances the three pillars. Without a proper security education plan, users will likely try to bypass whatever controls are put in place. We see many information security officers dedicating budgets to acquiring new technologies that are unlikely to cover all the threats people can introduce if they aren’t properly educated.
Involving your teams to fight cyber threats
The list below gathers good practices we’ve learnt with our clients.
1) Implement an education program; if you already have one, refine it
Defining and formalising an education programme helps you professionalise the actions. You want a road map that leads to a consistent, long-term plan. Consider running security education activities over at least one year, including teams from different departments and hierarchical levels. You need to make sure information security embeds itself in users’ minds rather than being just a matter of mandatory sessions. Why not aim at making information security a habit that sticks with people?
Do you want to tackle a specific threat your teams have suffered from, or do you want your employees to get a glimpse of all the threats they are exposed to? As a first action, carry out a proper risk assessment and establish your organisation’s security culture maturity. You are then in a better position to define the complexity level of the education programme and the goals to achieve. A third step is to define the key messages you want your teams to keep in mind; they guide the design of specific actions.
Moreover, don’t hesitate to get creative with training formats, communication tools or third-party speakers joining the programme. E-learning is a flexible, easy-to-access solution you can take advantage of, without neglecting human contact. Among other goals, you are aiming at involvement.
2) Find the right balance for your programme
In our experience, the right balance among time, frequency, technology and complexity helps your teams get the right feel for security. Ultimately, you want your teams’ behaviour to change by adopting “security reflexes” that stick in their minds.
For a more impactful result, tailor the messages to your company’s culture and standards and to the users’ familiarity with the subject, in terms of depth and complexity. The idea is not to confuse your employees with security requirements that apply neither to the company’s reality nor to their daily work. In addition, the IT team needs specific training of its own, as cyber attackers target them for their privileged access to systems and management interfaces.
Finally, use attackers’ techniques, such as simulated phishing emails, to test your employees’ reactions, and adapt your messages and key focus areas depending on the results. The benefits are twofold: you can turn it into a game that encourages healthy competition between departments, and you can use the results to show the board the effect of your actions.
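As an added illustration of the testing loop described above (and of the performance variables mentioned under “Aim at security accountability”), the script below turns the raw outcome of a simulated phishing campaign into the figures a programme owner actually needs: click rate and report rate per department and per round, the users who keep clicking round after round and need targeted follow-up, the trend between rounds, and a departmental scoreboard. This is example code written for this article, not part of any vendor platform; the campaign data is constructed and hypothetical, and the scoring rule (report rate minus click rate) is an assumption chosen so that a team that reports lures outranks one that merely ignores them.

```python
from collections import defaultdict

# Constructed sample data (not real campaign results): two simulated phishing
# rounds sent to two departments. Fields: round, department, user, clicked, reported.
RESULTS = [
    ("2024-Q1", "finance", "u01", True,  False),
    ("2024-Q1", "finance", "u02", True,  False),
    ("2024-Q1", "finance", "u03", False, True),
    ("2024-Q1", "finance", "u04", False, False),
    ("2024-Q1", "it",      "u10", True,  False),
    ("2024-Q1", "it",      "u11", False, True),
    ("2024-Q1", "it",      "u12", False, True),
    ("2024-Q1", "it",      "u13", False, False),
    ("2024-Q2", "finance", "u01", True,  False),
    ("2024-Q2", "finance", "u02", False, True),
    ("2024-Q2", "finance", "u03", False, True),
    ("2024-Q2", "finance", "u04", False, False),
    ("2024-Q2", "it",      "u10", False, True),
    ("2024-Q2", "it",      "u11", False, True),
    ("2024-Q2", "it",      "u12", False, False),
    ("2024-Q2", "it",      "u13", True,  True),   # clicked, then reported it
]


def rates_by_department(results):
    """Click and report rate per (round, department).

    A click is a failed test; a report is the behaviour the programme wants,
    even from a user who also clicked, because the SOC then gets to see it.
    """
    counts = defaultdict(lambda: {"n": 0, "clicked": 0, "reported": 0})
    for rnd, dept, _user, clicked, reported in results:
        c = counts[(rnd, dept)]
        c["n"] += 1
        c["clicked"] += clicked
        c["reported"] += reported
    return {
        key: {
            "n": c["n"],
            "click_rate": c["clicked"] / c["n"],
            "report_rate": c["reported"] / c["n"],
        }
        for key, c in counts.items()
    }


def repeat_clickers(results, min_rounds=2):
    """Users who clicked in at least `min_rounds` rounds: candidates for
    targeted follow-up rather than another generic plenary session."""
    rounds_clicked = defaultdict(set)
    for rnd, _dept, user, clicked, _reported in results:
        if clicked:
            rounds_clicked[user].add(rnd)
    return sorted(u for u, rs in rounds_clicked.items() if len(rs) >= min_rounds)


def click_rate_trend(results):
    """Change in click rate per department between the first and last round
    (negative = improvement). Rounds are compared in sorted label order."""
    rates = rates_by_department(results)
    rounds = sorted({rnd for rnd, _ in rates})
    first, last = rounds[0], rounds[-1]
    depts = sorted({dept for _, dept in rates})
    return {
        d: round(rates[(last, d)]["click_rate"] - rates[(first, d)]["click_rate"], 3)
        for d in depts
        if (first, d) in rates and (last, d) in rates
    }


def scoreboard(results):
    """Rank departments on the latest round by report rate minus click rate
    (assumed scoring rule), so reporting a lure counts for more than ignoring it."""
    rates = rates_by_department(results)
    latest = max(rnd for rnd, _ in rates)
    scores = [
        (dept, round(r["report_rate"] - r["click_rate"], 3))
        for (rnd, dept), r in rates.items()
        if rnd == latest
    ]
    return sorted(scores, key=lambda s: (-s[1], s[0]))


def overall_click_rate(results):
    """Organisation-wide click rate per round: the single number boards ask for."""
    per_round = defaultdict(lambda: [0, 0])
    for rnd, _d, _u, clicked, _r in results:
        per_round[rnd][0] += clicked
        per_round[rnd][1] += 1
    return {rnd: round(c / n, 3) for rnd, (c, n) in sorted(per_round.items())}


if __name__ == "__main__":
    for key, r in sorted(rates_by_department(RESULTS).items()):
        print(key, r)
    print("repeat clickers:", repeat_clickers(RESULTS))
    print("click-rate trend:", click_rate_trend(RESULTS))
    print("scoreboard:", scoreboard(RESULTS))
    print("overall click rate:", overall_click_rate(RESULTS))
```

Note that the report rate is the metric worth showing the board: a falling click rate can simply mean a less convincing lure, whereas a rising report rate means staff are handing the security team the evidence it needs. Keep the individual-level output (repeat clickers) for coaching, and publish only the departmental scoreboard.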
3) Speak the C-level jargon
C-level executives are usually very familiar with business risks, financial performance, reputational, legal and organisational matters, indicators and goals. For your security programme to work, don’t think twice about including them. Learn to address them in the language they understand best.
Invest in developing the soft skills needed to make the C-suite understand the scope of security needs. Also invite them to take part in technical training tailored to their needs. Aren’t they convinced yet? Bring in an external party with an independent view to benchmark your organisation against peers and international practices.
4) Aim at security accountability
If the majority of your employees understand that security is not just the job of the IT or information security department, you’ve won the first half of the match. You then need to give your teams the tools to understand and identify the threats they face and to report them properly.
Depending on your organisation’s maturity level, security can also be integrated into career development. Variables for measuring performance may include clean desk compliance rates, e-learning completion, and so on.
It’s also a good idea to name a “Security Champion” in each team: employees then have a direct contact who can help them understand their roles, pass on their perspectives and suggestions, and make them feel part of a more ambitious project.
Your people are your most valuable asset
Did a colleague ever tell you about a memory stick she found on the floor and plugged into her computer? Did any member of your team click on an email from an unknown sender because the subject line was provocative? Does your team switch off their computers every day? Simple yet necessary practices may seem obvious to you in such cases. However, you can hardly expect someone who doesn’t know much about information security to react properly to a threat. The cyber threat battle isn’t one that technology can win alone. Instead of considering your employees a security burden, take the time to see them as an asset for detecting possible security breaches and fighting cyber attacks.
Your teams are key to the security controls you are implementing.
Communication communication communication
- Communicate with your top management to make sure they understand why it is important to invest in security awareness. Your main goal is to unlock time and resources for your campaign or plan. You can argue that leaving employees behind puts any information security strategy at risk. According to IBM’s 2017 Ponemon study, 72% of data breaches are related to staff receiving fraudulent emails.
- Communicate with your team to involve them actively in the security education programme. They need to be aware of the crucial importance of the human factor in fighting cybercrime and of the risks of not taking part in this battle.
- Communicate with your employees to explain, in a playful, friendly and comprehensive way, why the organisation implements security controls and what their responsibility is to identify, react properly to and report an attempted cyber attack.
To finish off, we give you this concise advice:
- When implementing a security education programme, start by performing a maturity assessment to determine where your organisation stands. Then convince your top management that investment is mandatory to close any existing gap;
- Define your education programme and run it with an agile approach. Don’t forget to create a mechanism for collecting feedback from employees; and
- Define metrics to show improvement, and invest in training your people. It pays off.
What we think
Media coverage of recent security breaches has, in a way, benefited information security: it is now a topic of discussion at top management level, and understanding the real impact of those incidents is a priority on the agenda. Developing an organisation’s security culture at all hierarchical levels not only mitigates risks but also builds a sense of accountability, which gives every individual a better understanding of the role they play. The world is moving quickly, and digitalisation creates both new opportunities and new threats. Now is the time to involve your management board and all your employees in the fight against cyber threats.
Are you ready to face these challenges? Take a look at our Security Awareness Solutions!