How do we improve the security culture in our organizations? Our security team keeps coming back to that fundamental question, and we are constantly looking for ways to help.
Why? Culture change is a critical success factor in our security programs and almost ever technology or innovation project. We keep asking: Is there a better way?
But even as new mobile solutions and cloud computing transform the way we live and work, industry experts point to many challenges in pursuing security culture change.
One of the fundamental ways to start is by building (and constantly improving) a robust security awareness program for all staff and security training for specific employees based on business need.
This topic surfaces almost everywhere I go. End users clicking on links, giving away passwords or plugging-in malware-infected USB drives were topics that arose this week at the Cyber Summit at Oakland University.
In response, strengthening the security culture is listed as a top priority in many global security reports, including this UK case study which was release late last year. Here’s an excerpt:
The security of systems is dependent on the people that use them. Effective institutional assessment of risks and implementation of secure practices rely on a shared understanding of the threats and challenges facing the institutions….
Universities should consider how they embed knowledge of cyber security practice and responsibilities across their institution. This ranges from requiring annual active confirmation of acceptance of terms and conditions of using the network or certain parts of it, through to training and education programs. The 2011 UCISA Award for Excellence went to the University of Leicester, which led a consortium of universities that developed an Online Information Security Training for higher education institutions. Janet also provides a number of security-related courses for IT staff…
Another recent study referenced by the Ecommerce Times found:
An overwhelming 80 percent of corporate security professionals and IT administrators indicated in a recent survey that "end user carelessness" constituted the biggest security threat to their organizations, surpassing the ever-present peril posed by malware or organized hacker attacks.
Users' cavalier attitude toward security was further exacerbated by corporate executives who failed to support their security administrators by enforcing computer security policies….
One more - Trustwave lays out seven deadly sins of uneducated employees in this serious of graphics that do an excellent job at pointing to how a lack of awareness training can cause more data breaches.
Why Security Awareness Programs? What are the Benefits?
Of course, this topic is not new. It would be surprising if readers had not heard most of these same cyber awareness themes before.
For example, the State of Oregon commissioned a study back in 2006 to “determine the best way to deliver security awareness training to state employees, and to develop a plan for its implementation.” Their study was based on extensive research, rigorous criteria, a “particular emphasis on IT and business standards, laws and regulations, and official guidance” and much more.
Oregon identified 18 best practices in that study – with an overview available at this Oregon.gov website.
Over the past eight years, the many benefits and potential drawbacks of security awareness programs have been debated numerous times.
At the start of last year, Ira Winkler wrote this article listing 7 elements of successful security programs.
Joan Goodchild, executive editor at CSO Magazine, offers this slideshow with 9 tips, tricks and must-haves for security awareness programs.
Ten Recommendations to Consider
After reading through these numerous reports, tips, best practices, articles and white papers that examined what works and what doesn’t, here are my ten top recommendations to consider when trying to build or improve your security awareness program. My goal is to keep this simple, but update the list for 2014. I plan to come back to this list at least annually for the latest updates.
I’ve divided this section into two lists – the Do’s and the Don’ts...
1) Don’t stay with your status quo. A cyber awareness program with content that hasn’t been updated in years is a waste of employee’s time. Our team heard that message loud and clear.
In Michigan, we got rid of our old end user awareness program in 2012 and started over from scratch. Why? Our old awareness program was deemed to be boring, irrelevant, too long, outdated and even “Death by Powerpoint.” After a competitive RFP process, we moved to a new set of solutions using Security Mentor for cyber awareness and the Michigan Cyber Range for technical training. More specific details on our award-winning approach can be found in our National Association of State CIOs (NASCIO) project profile.
2) Don’t rely on videos or Powerpoint slides as the primary channel for awareness programs. Several studies, including this white paper from 2013 from Secure Mentem, found that interactive material that engage end users are more effective in achieving results than just using a series of awareness videos. The truth is that many employees don’t pay attention to videos. Some even start the videos, leave their desks to use the restroom, talk to neighbors or get coffee, and come back to see if the video is over.
However, fun, user-created videos, such as those developed as a part of this EDUCAUSE 2013 Video Contest, can help as supplemental content to create energy and excitement at the office.
3) Don’t confuse cyber awareness programs with security training. Ira Winkler makes this point very well in this Dark Reading article: “Security training provides users with a finite set of knowledge and usually tests for short-term comprehension…. Security Awareness programs strive to change behaviors of individuals, which in turn strengthens the security culture. Awareness is a continual process. It is not a program to tell people to be afraid to check their e-mail. The discipline requires a distinct set of knowledge, skills, and abilities.”
4) Don’t forget anyone, and don’t make security awareness an optional extra. As Oregon pointed out in their study in 2006, everyone has a role in improving security. The entire enterprise needs security awareness, since the weakest security link is usually an employee clicking on bad links.
5) Don’t focus solely on compliance or make awareness just a “check the box" exercise. No doubt, you need security awareness programs for PCI-compliance, HIPAA-compliance, complying with federal regulations or other compliance reasons. But cybersecurity awareness needs to be a process with constant improvements and adaptation, as your technology and business changes. The main goal is to improve the security culture in pragmatic ways. Culture change takes years and hard work, so this won’t be a simple endeavor.
1) Ensure executive support and management buy-in. End user awareness must have the full and vocal support of top executives and the middle managers in order to be successful. When top executives lead by example and participate themselves, key messages are understood to be important by the masses. Leading by example is key. Occasional prodding of key execs and managers will be necessary to keep things on track.
2) Make it fun – use gamification and interactive content, if possible. Brief, intriguing, "sticky" content is key. The more relevant and timely, the better. Yes, remind staff of important security policies. But also inform your people about risks, such as spear-phishing techniques, or something new to help them online in their personal and professional lives. Add competition or other learning techniques that are proven to be effective.
3) Include posters, newsletters, email tips, blogs and reminders, National Cybersecurity Awareness Month and more. Different people learn differently. There are numerous sources to help provide new and refreshing security information, such as the free resources from Multi-State Information Sharing & Analysis Center (MS-ISAC) and SANS Newsletters for technical staff.
4) Focus on changing behaviors. Relate cyber awareness to personal life, family and home. Our goal is to change culture and improve security. This can only happen if people make good decisions and act in ways that reduce risk each and every day. Also, many studies have shown that employees pay more attention if the awareness materials can be used (and even shared) outside the office - at home with family and friends.
5) Solicit end user ideas, encourage feedback, measure success and growth of program. Make sure that your awareness program is measured. How many users actually complete the training? What did they like? Did they learn anything? Have behaviors changed? Also, ask for new ideas and suggestions to improve. Encourage creativity. Provide mechanisms to get real-time data from staff.
Stressing the Cyber Awareness Imperative
It is true that several high-profile security leaders have come out against security awareness programs in the past few years. They want to focus 100% of security efforts on improving technology deployments, tools and technical processes to be secure.
Not only do I disagree with those views, following that approach is frankly irresponsible. Security awareness is required by auditors and compliance organizations, but more importantly, it is a core responsibility of CISOs or other top security leaders. If there is no specific cybersecurity leader in your organization, a top technology leader (or perhaps HR) must be responsible and accountable for the security awareness program.
Like a doctor explaining the behaviors needed to stay healthy to his/her patients or a nurse describing physical therapy steps that are necessary to recover after an operation, security pros need to educate employees regarding how to protect themeselves in cyberspace. End users can make well-informed decisions to reduce risks to data and networks. Healthy lifestyles do make a positive difference - both offline and online.
The surge in spear-phishing as the top method used by hackers to gain unauthorized access to sensitive data shows that importance of end user awareness programs. Every employee within our enterprises must be aware that they are both a big asset and at the same time one of the greatest security vulnerabilities.
In conclusion, major cybersecurity companies like Symantec stress the importance of security awareness programs. They urge clients to make personal responsibility a major component of security programs.
In addition, new security approaches are emerging from several cyber startup companies that use the latest learning techniques to help organizations change their security culture.
Bottom line, as organizations retool their technology infrastructure, security architectures, use of smartphones, policies regarding social media and innovative approaches with big data in business areas, it is also time to take a fresh look at security awareness programs.
Improving your security culture depends on it.