According to this year’s Verizon Data Breach Investigations Report, 85 percent of data breaches involved a human element, with 61 percent related to stolen or misused credentials. Year-over-year, human error remains the world’s heavyweight champion of cybersecurity threats to organizations.
Read on to learn more about the steps to take to foster a security-first culture.
Measure program maturity
Before weighing your cybersecurity education program against other priorities, you should first measure your program’s maturity for a better understanding of your human risk posture.
Use an industry standard model, like the SANS Security Awareness Maturity Model, to benchmark your progress and help navigate your upcoming initiatives. Leverage maturity models and other security awareness metrics to build your strategic roadmap and communicate your organization’s security “story.”
Secure leadership support
Knowing the business motivators for your company and the goals of your security team is key for securing resources to move the needle forward. By building your program around your organization’s goals, you are giving leaders confidence in your decisions and justifications for resources, including corporate communication airspace, budget, or additional headcount.
Additionally, if you are aligned with your leaders’ goals and the goals of the organization, it becomes easy to get support and participation. Security is everyone’s responsibility, including senior leaders, so make sure to take the time to paint the picture of your program’s value and impact.
Prioritize with partners
Now that you have laid the foundation of your education program, it is time to find your web of partners across company lines to help deliver your program.
Incorporating computer-based course modules in a new hire onboarding program may require your human resources team to build them in your organization’s learning management system (LMS). Or you may need to partner with your company’s engineering leaders to prioritize time for additional secure development training.
A helpful hint: Give co-workers and support teams advance notice of upcoming initiatives to ensure they can prioritize and schedule them alongside their own work and roadmaps.
Creative and consistent content
Almost as important as prioritizing a cybersecurity education program in your organization is delivering engaging content that resonates with your audience. Gone are the days of emailing out your organization’s library of security policies and standards and expecting your employees to act as human firewalls.
Instead, leverage current events to pique their interest in the security threat landscape and show (versus tell) them how to best protect their personal and corporate confidential information using a password manager, how to spot a phishing attack, and how to report suspicious activity to your company’s security team. Remember, personal security best practices translate to better work cybersecurity hygiene.