Employee awareness needs to be holistic, and not use a blanket approach.
Speaking on a panel at the TEISS conference in London on tailoring security awareness programmes to overcome colleagues' inbuilt biases, business strategist Dr Dave Chatterjee said that benchmarks can be used to tell you, if you are running awareness activities, whether you are meeting your goals. “At a deeper level, it can convince you to be more careful on phishing and to be motivated and driven to be secure,” he added.
Dr Jessica Barker, chair of ClubCISO, said she had found “phishing awareness and detection to be very good and strong”, but that the issues of emailing personally identifiable information and the storage of data were not addressed. These issues often need to be covered, and benchmarks can help you know in six to 12 months whether you have targeted those areas.
Also speaking on the panel was Marilise de Villiers, founder and CEO of MDVB Consulting, who said that awareness solutions need to be designed to allow you to measure awareness, and let “you know what you want to know” as well as “what will trip us up later down the road.”
The panellists all agreed that a check-box methodology is not enough, and Chatterjee said that you “need to put enough thought into what you’re measuring.”
Panel moderator Jeremy Swinfen Green, head of consulting at TEISS, asked what some of the problems around awareness campaigns can be. “A fear of speaking up” was cited by de Villiers, while Barker said that a fear of speaking up “engenders a culture of fear.” Chatterjee added that companies often try to create a workplace of happy employees, but that this is “easier said than done.
“Companies have to survive and treat their employees well,” he said, while de Villiers argued that awareness campaigns need to be done on a “case-by-case basis.”