Kai Roer, Security Culture Specialist, Author and Speaker
Our research is quite clear when it comes to what works in raising security awareness: openness and dialogue. For organizations, this means they must actively share incidents with their employees, engaging with them on what happened, why it happened, what is being done to manage it, the impact the incident has on the organization and what is being done to avoid similar incidents in the future.
I have seen this done very well in organizations where they set up workshops for employees after major incidents, as well as when they do simulated incident training exercises. Engagement and involvement are proven to be very effective in transforming culture in organizations.
Our research also suggests that there are methods that consistently fail or underperform. For example, forcing employees to do things like mandatory training is not working well in many cases; instead, it seems to be demotivating and thus creates negativity towards security.
We see similar things with phishing assessments and training. In the case of one client of mine, we had to completely rethink how to build a resilient workforce after they had paid for a few rounds of phishing assessment products. The phishing assessments were set up in a way that made a large number of employees feel like they weren’t trusted.
They felt punished by the security team because when they failed an assessment, they were forced to do some training or sit in on a video lesson, or even have a one-on-one with someone from the security team. When your security training and awareness activities create such strong negative emotions in your colleagues, I strongly suggest you change your approach. Let’s be honest, everyone is susceptible to falling victim to phishing – no training can ever change that fact.
The one-size-fits-all approach of security awareness programs needs a change. We suggest a more tailored approach, based on the principles of the free and open Security Culture Framework: understand your audience. People are different, they have different roles and tasks; they may use different tools and have different priorities. Some of these people may require more from a security perspective, and most of them will benefit from a targeted approach.
I also strongly suggest a risk-based approach: know who in your organization has access to valuable information and use that knowledge to tailor your security controls, including awareness.
Creating a program that works doesn’t have to be expensive. In my book Build a Security Culture, I describe approaches that can be replicated. A few key tips include being creative and engaging employees. Invest time in low-cost, high-impact activities like lunch-and-learns, workshops and meet-ups for those who are interested. Use online sources which provide low-cost and free tools, training content and more. Most importantly, start with a risk analysis, map out your needs based on the results and identify the low-hanging fruit for your organization.
Dr Jessica Barker
For effective cybersecurity awareness-raising, use a variety of methods and channels to get your messages across, such as short videos, hands-on workshops and face-to-face sessions. Everyone learns in a different way and the best training campaigns take this into consideration.
Rather than simply telling people what to do, show them why it’s important and how they can have better security. For this reason, we do a lot of cyber-attack demonstrations for our clients. When you show people how an attack is actually carried out and what happens on both the attacker and victim end, then people ‘get it’ on a more fundamental level. However, it’s vital not just to scare people in an attempt to change their behaviors: you need to empower them with the tools and confidence to pursue better cybersecurity. A positive tone is much more engaging than a negative one.
I sometimes see companies making the mistake of rolling out computer-based training and expecting that it alone will have a fundamental, positive impact on cybersecurity culture. Of course, not all computer-based training packages are equal; some are much better than others, but many lack depth and are seen as something to simply ‘click through’ by people taking them. On their own, I question the value of computer-based training packages, but I do think that well-designed ones have a place as part of a wider campaign (for example, for refresher training).
Getting the right ‘hook’ for your audience will help your awareness-raising efforts have a bigger impact. Use examples that are relevant to the vertical industry, know how the business works, what tools are in place and what the culture is like. When I’m planning a training campaign for a client, I like to host focus groups to find out where there are awareness blind spots throughout the business and what security workarounds are common. I then build the training to respond to those themes.
Rather than using awareness-raising training to simply tell people what to do, use it to respond to their issues and show them how they can still get their work done whilst maintaining good security practices. Sessions focused on cybersecurity at home are really successful, because most people welcome better security in their personal lives and like being able to pass this on to their children, parents, siblings or friends.
Finally, I recommend collaborating with your internal communications team as they can help you tailor the messages and complement other corporate communications.
Security awareness does not need to be costly; there are lots of things you can do on a budget. A really effective way of scaling up security awareness is to establish a network of cybersecurity champions, who act in a similar capacity to first aiders in a team, disseminating cybersecurity information and being a friendly face for people to turn to with an issue or incident. The champions do need support and training but, with the right structures in place, this approach is not only cost-efficient but also really effective.
Candice Carter, Chair, MS-Cybersecurity and Assistant Professor, Wilmington University
Before building a security awareness program, it is important to document a baseline of security knowledge for the organization. This will allow you to identify gaps and measure the rate of success.
Most programs start as the result of an audit and compliance issue, therefore setting the tone of security awareness in the organization as ‘checking a box’. Moving from this and instead igniting a behavioral change requires security to become a core value of the organization.
Treating security awareness as a brand can be an effective method of delivering the message. Providing simple but impactful examples of security incidents that occur will keep the members of your organization engaged. Communicating at a relatable level that is consistent with other company messaging helps the organization embrace security as part of its culture. Security culture changes over time with training, workshops, newsletters, speakers and blogs, keeping the user community informed and aware.
Growing this long-term commitment to security requires the support of leadership at all levels. Use your leadership team to identify champions within each department of the organization.
The security champions are liaisons between security and the department to keep the lines of communication open. It is important to give the organization a means of reporting security concerns without repercussions, for example, by using a mailbox. There is no single size of security training that fits all.
The security champion concept brings the ability to tailor security awareness training to particular areas. Awareness works if the user benefits personally, and integrating awareness with modern culture – using mobile devices or social media – is another method to get users engaged.
Methods of security awareness that only occur annually through computer-based training with no other security interaction are not successful. Also, out-of-the-box phishing emails that do not seem real to the users will not grab their attention enough for them to think they are genuine.
Reporting can impact the effectiveness and budget of the security program. Reporting should clearly reflect a baseline and progression of results. The budget should correlate with what needs to be accomplished to close the gaps in awareness and training. However, the amount of face time that information security gets with the user is critical to the equation.
Security awareness is ongoing and interactive; it requires collaboration at all levels to continually get the message out there.
Security awareness is critical in the success of an organization and should be part of the company’s culture. The user community should be able to identify electronic, social and physical attacks.
When a company is effective with training, everyone can be on the offensive side of security. In and out of the office there is exposure; if employees understand their role in the bigger picture of an attack, they can relate and respond