Creating a security awareness programme that works
1 June 2016 | 0
Employees are often considered the weakest link in organisations’ efforts to create a strong security posture. Even organisations with security awareness programmes in place struggle to instil strong security behaviours.
Steve Conrad, managing director of MediaPro, a learning services company that specialises in information security, data privacy and compliance, says organisations can and should do better.
“Are we treating employees with the same seriousness as we are other threats to the organisation? If you updated your firewall software and virus definitions once a year, people would say that you’re negligent,” Conrad says.
“It’s time to really step up the human element,” he adds. “Traditionally, CIOs and CISOs have looked at technology and processes. Now it’s time to look at people. They’re a very high threat to the organisation, but we don’t necessarily treat them like any other threat vector. Employees generally want to do the right thing.”
Effective awareness training starts with a risk assessment, Conrad says. You need to understand what your most valuable assets are so you can better craft a plan to protect them.
“What are your risks? Align your training around those,” Conrad says. “You shouldn’t give the same training to everyone in your organisation. Your executives need certain training that others in the organisation may not.”
Call centre employees may need extra training around social engineering risks, while human resources employees may need particular training about handling personally identifiable information (PII).
Conrad notes that the National Institute of Standards and Technology (NIST) Cybersecurity Framework is an excellent foundational document with which to start the process.
Once you know what you need to protect and who needs special training to protect it, you need to craft a programme of continuous education around it.
“You can’t offer lacklustre training for 30 minutes once a year and say it doesn’t work,” Conrad says. “Why would you expect it to work? You need foundational training, but the overall training programme needs to be one of reinforcement. You need to look at it as an overall programme, not an event.”
User behaviour analytics can play a key role in a continuous programme that adapts to the risks your employees actually face. Rather than waiting for the annual course, the monitoring that already watches for risky activity (sending labelled data to an outside domain, plugging in removable media) can trigger a short, in-context prompt at the moment the employee does it.
“We see you’re doing this, be aware that these are the best practices and what you need to watch out for,” Conrad says.
“We call it ‘just-in-time training’ or ‘performance-at-work training’,” he adds. “You’re disclosing proprietary information to a partner, can I give you education and a checklist of what you should and shouldn’t be sharing?”
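The mechanism Conrad describes is a small rule engine sitting on top of the activity feed: each risk from the assessment becomes a rule, a rule match produces the prompt and checklist, and a per-user cool-down stops the same nudge firing on every repeat and training people to click it away. The following is an added illustration written for this page, not code from the article or from MediaPro; the event fields, rule names, domain list, classification labels and prompt texts are all assumptions, and the events are constructed sample data.

```python
"""Just-in-time security nudges driven by user-behaviour events (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Optional

INTERNAL_DOMAINS = {"example.com"}           # assumed corporate mail domains
SENSITIVE_TAGS = {"pii", "confidential"}     # assumed DLP classification labels


@dataclass
class Event:
    """One activity record from the monitoring feed (fields are assumptions)."""
    user: str
    action: str                      # e.g. "email_send", "file_share", "usb_mount"
    ts: datetime
    attrs: dict = field(default_factory=dict)


@dataclass
class Rule:
    """A risk from the assessment, the test that detects it, and the nudge to show."""
    name: str
    matches: Callable[[Event], bool]
    prompt: str                      # the "we see you're doing this" message
    checklist: tuple                 # what to check before continuing


def external_recipients(ev: Event) -> list:
    """Recipients whose mail domain is not one of ours."""
    return [r for r in ev.attrs.get("recipients", [])
            if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


RULES = [
    Rule("external_share_sensitive",
         lambda e: bool(e.action in ("email_send", "file_share")
                        and external_recipients(e)
                        and SENSITIVE_TAGS & set(e.attrs.get("labels", []))),
         "You are sending classified content outside the organisation.",
         ("Does the partner have a signed agreement covering this data?",
          "Is this the minimum data the partner needs?",
          "Are you using the approved encrypted sharing channel?")),
    Rule("usb_mount",
         lambda e: e.action == "usb_mount",
         "Removable media was connected to your machine.",
         ("Do you know where this device came from?",
          "Has it been scanned before opening any file on it?")),
]


class JustInTimeTrainer:
    """First matching rule wins; a nudge is suppressed if the same user saw it recently."""

    def __init__(self, rules, cooldown: timedelta = timedelta(days=7)):
        self.rules = rules
        self.cooldown = cooldown
        self._last_shown = {}        # (user, rule name) -> time the nudge was last shown

    def evaluate(self, ev: Event) -> Optional[dict]:
        for rule in self.rules:
            if not rule.matches(ev):
                continue
            key = (ev.user, rule.name)
            last = self._last_shown.get(key)
            if last is not None and ev.ts - last < self.cooldown:
                return None          # inside the cool-down: log it, but do not nag
            self._last_shown[key] = ev.ts
            return {"user": ev.user, "rule": rule.name,
                    "prompt": rule.prompt, "checklist": list(rule.checklist)}
        return None


# Constructed sample feed (not real data).
T0 = datetime(2016, 6, 1, 9, 0)
SAMPLE_EVENTS = [
    Event("alice", "email_send", T0,
          {"recipients": ["bob@example.com"], "labels": ["pii"]}),            # internal: no nudge
    Event("alice", "email_send", T0 + timedelta(minutes=5),
          {"recipients": ["partner@vendor.example"], "labels": ["confidential"]}),  # nudge
    Event("alice", "file_share", T0 + timedelta(hours=1),
          {"recipients": ["partner@vendor.example"], "labels": ["pii"]}),    # suppressed (cool-down)
    Event("carol", "usb_mount", T0 + timedelta(hours=2), {"device": "usb-stick"}),  # nudge
    Event("alice", "email_send", T0 + timedelta(days=8),
          {"recipients": ["partner@vendor.example"], "labels": ["pii"]}),    # cool-down expired: nudge
]


def run(events, trainer: Optional[JustInTimeTrainer] = None) -> list:
    """Feed events through a trainer and return the nudges that would pop up."""
    trainer = trainer or JustInTimeTrainer(RULES)
    return [n for n in (trainer.evaluate(e) for e in events) if n]


if __name__ == "__main__":
    for nudge in run(SAMPLE_EVENTS):
        print(f"{nudge['user']}: {nudge['prompt']}")
        for item in nudge["checklist"]:
            print("  -", item)
```

Running the sample feed yields three nudges (two for alice, one for carol); the third event is swallowed by the cool-down. The cool-down is the part worth keeping even if everything else changes: a prompt that appears on every send becomes the pop-up people dismiss without reading, which is the same failure as the once-a-year course.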
It is also essential to treat your security awareness programme as a communication exercise — essentially a change management problem. IT and the security function may not have the skills to make that happen, so Conrad suggests partnering with the training organisation or the marketing organisation to most effectively get the awareness training across.
“Anytime you can communicate a message to a person and make it personal, you’re going to be much better off,” Conrad says.
For instance, foundational training could show employees tools and best practices they can use at home to protect their children and other family members. They can then apply those tools and practices on the job.
“That’s a very reasonable way to approach it,” Conrad says. “Tie in that emotional hook. Make it real and personal.”
IDG News Service