Security Awareness the right way
We’ve all had it drummed into us now; Human Error accounts for 90% of data breaches. How do we, as security professionals, reduce this figure and avoid using the failed security whip?
Most businesses start with an induction programme; this is usually a dull e-learning module on data protection, information security and health and safety (if you’re lucky). Twenty minutes per module of tedious box-ticking exercises that no one pays any attention to. Often the pass rate is 80% of a multiple-choice test, with unlimited tries.
If this worked, would 90% of data breaches still be attributable to human error? An hour of your new starter’s time has been taken up with something that doesn’t work!
The faceless information security e-learning induction
Admittedly, it’s been a while since I’ve gone through one of these e-learning mandatory induction modules, and clearly, they were so memorable that I couldn’t remember much about them. Often, employees will do this module in their first 3-months and then may get an annual reminder when the time comes.
While I do understand the budgetary decisions of buying a package that allows you to plonk your logo into for personalisation, is this faceless and interchangeable tool the best option? Until I worked in the security team, I couldn’t tell you the location of the security team, let alone who to go to if I needed to report something or ask a question. We, as security professionals, wonder why we are the last to know about business decisions.
We induct our staff using generic tools and follow up once a year. We only communicate with employees when things go wrong or when we need something.
It’s time to make a change!
Security are your friend
Security teams need to up their game considerably and start being friendly. No one is too busy to say hi at the coffee machine, or make time for their colleagues. Through these interactions, they will start to understand the world in which they operate. I can guarantee the facilities team doesn’t know what the security team are talking about when they request meeting rooms for an incident war room. They do it because the scary team in the ironic t-shirts used the long words and frowns to get them to do what they wanted. It’s just not ok!
Forget about the infrastructure and firewall for a minute and take time to understand your surroundings. These interactions will teach you so much more than your monitoring tools. You’ll learn how to talk to the average employee in a way they’ll understand and what worries employees about their environment. Talking is how you’ll find out that Jim left 6-months ago and no one changed his password to the payroll system.
Security teams are not the gods in the ivory tower; they are people who NEED intelligence from the business to protect it. Engage with them and grow your knowledge, as well as share best practice with your new friends.
The changing landscape
Imagine tying your shoes, using a pen or driving a car once a year. It would take you some time to get back into the swing of how to do these things. While somethings are like riding a bike, we all fall into bad habits. I am 100% sure I couldn’t pass a driving test now, not only because my bad habits are now part of my day to day life, but the rules change! This is no different to the security world. While threats advance, our behaviour must too. The iPhone used to require a four-digit pin, and then went to 6, and now allows for facial recognition. Is once a year of rarely updated modules really what we are relying on to keep us, our data, our customers and our businesses secure?
Awareness plan
It can be tricky to come up with an awareness schedule to keep the security conversation going and employees engaged. Like any new project, you are starting with a blank canvas, so where do you start?
Reactive security messaging, highlighting phishing awareness or social engineering post-incident, helps to refresh employees knowledge. While by their nature, reactive or responsive communications are somewhat too late, it will help to reduce similar incidents happening in the future.
Proactive communications allow you to try to get in front of the problem. What is the threat on the horizon? Alternatively, take your information security policy and break it down into themes, use these themes to shape your content. Take password standards, for example. Your campaign doesn’t have to be beautiful; it just has to be memorable. How about demoing how long it takes to crack a six-character password and taking a screen recording? A little creativity goes a long way!
Budget restraints
As I mentioned, there is often a budget consideration in place when these e-learning platforms are implemented, and that is ok, but as we’ve established from the above, e-learning isn’t doing the job.
There are many innovative options available to even the tightest of budgets. Utilise your internal resources. Most businesses have a creative department, whether it’s an internal marketing team or a freelancer for small projects, why not see if you can collaborate on an internal communications piece?
You don’t need to rely on the skills of the security team. Utilise the rest of the business. The rest of the business should allow themselves to be utilised too.
Gamification
Regular quizzes allow you to check-in knowledge retention. Points win prizes, and employee engagement. Add some healthy competition for the highest scorer or the person flagging the most phishing emails, reward this behaviour. After all, it may be the report or knowledge that saves you a hefty fine, loss in reputation or customer trust.
Engage your employees by asking them if they have the skills to support an innovative security awareness campaign. Ensure that this doesn’t just benefit the security department and will be factored into ‘going above and beyond’ in performance reviews.
Originally published at https://www.linkedin.com.
