A growing number of organisations understand that humans are a key element to security, but are discouraged by failed security awareness programmes, says Jessica Barker, co-founder of consultancy Redacted Firm.
“Security awareness training typically involves telling people what they should do, but the key to success is using demonstration-based training so that people really understand why cyber security matters to them and their organisation,” she told attendees of Infosecurity Europe 2018 in London.
“Organisations need to demystify cyber security, and one way of doing that is to hold cyber security family days for employees to enable them to learn how to protect themselves at home, which opens up the conversation,” said Barker.
“By giving them the opportunity to ask questions about their own security and giving them the tools they need, you are far more likely to change their thinking on cyber security so that they apply the same approach at work as they do at home.”
Setting up a security awareness training programme can be quite daunting, she said, especially because many of these programmes fail to achieve their objective of changing people’s behaviour. But it can be done, and the first step is understanding the organisation.
“Understand the organisation in terms of its sector, size, geography, data assets, cyber threats and what the most damaging cyber incident would look like, then understand the organisation in terms of how people actually do their jobs and the cyber security challenges they face,” said Barker.
An effective way to find out how things work in real life, she said, is to talk to people working in the organisation, setting up focus groups in each department and finding out what data people are processing, what practices they are following and where they are struggling on a day-to-day basis.
“Typically, we find that on paper, people have a good level of awareness, but in reality their understanding of cyber security and the processes designed to support it is poor, that there is a low level of cyber security incident reporting because of fear of reprisals, and that security practices are poor, with password sharing fairly common,” said Barker.
In one particular organisation, she said, employees said they thought the issue of cyber security was “over-hyped” despite the fact that there had been instances of CEO fraud, where employees had been tricked into helping attackers through emails purporting to be from the CEO or other senior executive.
“Once you are familiar with the organisation and how it works, then identify the objective of the security awareness training,” said Barker. “Decide what behaviours you want, such as a culture in which people engage with cyber security, report issues and concerns, and follow best practices regarding social media and password use.
“Then work backwards to identify the gaps and specific areas to focus on in demonstration-based training that is relevant to people’s roles in the organisation.”
Once the initial training is complete, organisations should ensure that the process continues and is reinforced, she said, and one way to do that is to use cyber security champions. However, it is important that people volunteer for the role, said Barker.
“If it is done on a volunteer basis, this ensures that all those in the champion role want to engage, and by understanding why they have volunteered, organisations can ensure that their champions achieve the intrinsic rewards they expect, such as making progress in their cyber security career or being able to keep their families more secure by providing training around those goals,” she said.
Another key aspect of maintaining a high level of security awareness and ensuring that people are adhering to desired behaviours is to continually assess what staff are doing by talking to people in the organisation, observing their behaviour, and getting feedback from the cyber security champions.
“Use these kinds of assessment tools to measure progress over time and find out what is working and what is not, rather than relying on things like sending out phishing emails or conducting surveys,” said Barker.
“Above all, when designing a security awareness programme, ensure that it is focused on people, the way they work, the way they learn and what is important to them. Ensure that it is nuanced enough to be effective in persuading them to change their behaviour and follow best practice.”