Security awareness sums up the knowledge and behaviors that people within an organization have in regards to the protection of physical and information assets. It also sums up one of the hardest parts of the security management mix.
A maintained, ongoing security awareness program is a requirement within security control sets like the CIS 20 (it’s #17). However, there’s a key difference between awareness and the other 19 controls: awareness isn’t technical. Given that security pros are almost entirely technical, it’s not the easiest program to manage, let alone help make flourish.
Security Awareness Doesn’t have a User Manual
The level of security awareness your organization has can vary greatly based on industry, company size, and the experience of its people. For those of you who work in a highly regulated industry like healthcare or finance, or for a large public company, you probably have to take an e-learning course on cyber security once a year to tick off the compliance box.
The yearly training is a good start, but it’s not enough to stop employees from making security mistakes – like clicking phishing links.
So how exactly do you get your fellow employees smarter on security to the degree where they become more informed and don’t make the mistakes that cyber criminals expect them to make? I don’t have a magic elixir for you, but here are six steps to getting started:
#1 Get support
Making sure your executives understand the value of security awareness is a critical aspect of your security program. They need to lead by example. It’s not the most expensive program, but it is hard to get right. If you are going to dedicate time and resources, along with expectations for things like fewer successful phishing attacks, make sure your execs are in.
Next, build an advisory group of folks from different teams, disciplines and points of view. Run your content ideas for training and education past them first.
#2 Know your audience
How can you make security awareness successful across your company? For starters, get to know your end users. At most companies, your audience is not singular. You’ve got left brains and right brains. You’ve got baby boomers and millennials. You’ve got people who know enough to be dangerous, and others who know so little they are the most dangerous. In other words, your demographic is varied, so make sure your educational content, like videos and blogs, is too. And don’t always make it so ominous and serious. Security isn’t silly, but it doesn’t have to be the one not in on the joke.
#3 Make it an everyday opportunity
Apart from making your compliance team and the auditors happy, that one point in time every year when folks take the cyber security awareness course online is by no means your one shot at getting through to your colleagues.
Consider dozens of small touchpoints that different people will see or catch at different times, in different places, in different ways – all with the same point and message. Come up with new themes every month or quarter. Leverage broader events like National Cyber Security Awareness month every October. Even create a meme and tape it to your office refrigerator. There’s a lot of content out there that others would be glad for you to use with proper attribution.
#4 Keep it fun
While security is serious business, there are ways to get employees engaged and keep security awareness fun. For LastPass, we recommend making adoption and usage a contest. Have employees compete to see which individual or team can get the most sites added to their vault in a week, or who has the highest security challenge score.
#5 Remember it is about human behavior
Security awareness, as a way to keep your company and its data more secure, involves something quite different from the rest of the mix. It isn’t technical. It’s emotional. It’s not about a router configuration. It’s about what people think and feel when they see your latest memo about “don’t do this” or “do a lot more of that.” It’s about how they process information, whether in 5-10 second intervals or by sitting down for a long read.
One way to make the best connection is to bring in the outside world to help. Make security awareness not just about security at work; make it about security everywhere. You’ve got employees who are parents trying to get better at dealing with cyber bullying. Make your program about protecting everything and everyone they care about. It’s already going to be about the stuff you care about – your IT assets, your IP, your yearly audits. What’s in it for them? If you expect your colleagues to give you a few minutes, return the favor and share how they can be safer online no matter the context. For example, a password manager like LastPass can do a terrific job bridging security awareness between work and home by managing and storing credentials tied to any online account, from your expense report portal to Macy’s.
#6 Every mistake is a learning opportunity
Be patient with your end users. If they make a mistake, and they will, make it a positive learning experience and do not threaten them with a wall of shame. Use a phishing simulator and test your colleagues to see if they click on links within emails that they shouldn’t. If they fail, give them the chance to learn on the spot and move on.
However, if they fail five times in a row, a little more direct encouragement may be in order.