Your organization’s security stance must be supported by everyone in the company, every day, in all that they do. However, people are focused on their jobs, not necessarily on security. With attacks increasingly starting at the human level through social media or targeted emails, your organization needs to create and maintain a high level of security awareness among the workforce so that everyone is an active participant in helping to secure company assets. Here are some ways to bring a security awareness mindset to all employees.
Partner with HR to deliver training
While “security awareness” is of interest to CISOs and CSOs, the training aspect of raising awareness really should be a function of HR or whoever does corporate training for your organization. A best practice is to integrate the content of what you want employees to know into regular employee training—especially for new hires. This way, security awareness and training are a routine part of staff development for everyone.
A CISO from a healthcare organization explains that he is given two full hours on the agenda of his company’s two-day new hire orientation training. Because the requirements of HIPAA compliance are so important in a patient care environment, his team spends one hour discussing the privacy requirements for electronic protected health information (ePHI), and a second hour discussing how to safeguard that information. Security and privacy training are not standalone topics; they are tightly integrated into what every new employee must learn and embrace.
By having HR handle the training aspects, you can reserve your security program as the messenger for exceptional communications. For example, when your company is suddenly being hit by a phishing attack and you need to raise an alarm about it, your security program can send out a message to everyone saying, “don’t click on that link.” Because the message is exceptional, it doesn’t get lost among all the other communications, and people take notice.
Training programs can include formal classroom instruction, customized online courses, and even online awareness programs that test and teach people through simulated attacks (à la Wombat, PhishMe, etc.). People learn in different ways, so it’s helpful to provide and reinforce awareness training in several different modes.
And when it comes to security awareness training, your fellow C-suite executives should not be excluded. They have access to very sensitive information and are prime targets for spear phishing attacks, so they need to know what the threats are and what to do about them. Of course, their training might be private and condensed, but they need it just the same.
It all starts with data classification
When it comes to security awareness, it all starts with data classification—recognizing where data is in the company, and knowing what data needs to be protected. Here’s a great example of why this is so important:
In March 2016, the Internal Revenue Service issued an alert to payroll and HR professionals about a phishing scam that was hooking a lot of people (and still is). The scheme involves sending an authentic-looking email that appears to come from the recipient’s CEO but is, in fact, spoofed. The message instructs the recipient to send “the CEO” confidential information on all company employees, including name, birthdate and Social Security number. Dozens of companies have fallen victim to this attack. Why? Because the email recipients who complied with the bogus request failed to view the requested information as something that was valuable, confidential and in need of special protection—even if it is the CEO who seems to be requesting it. The recipients simply viewed the data as something they had access to in their job, and sent it without considering the need to safeguard confidential information.
Security awareness is more than just how to behave; it’s how to think about the data you are responsible for. People need to learn data classification in order to understand proper care and treatment of the data, and awareness training needs to set the stage for this.
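As an added illustration (not from the article or any vendor product), here is a small triage check that a security team could run over messages forwarded to its reporting mailbox to flag the CEO-impersonation pattern described above: an executive’s display name on an outside address, a Reply-To that diverts answers elsewhere, and a body asking for employee PII. The domain, the executive directory and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for this example: the company's own mail domain and a
# directory of executive display names mapped to their real mailboxes.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
PII_PATTERN = re.compile(
    r"\b(w-?2s?|social security|ssn|birthdate|date of birth)\b", re.I)


def check_message(raw_message):
    """Return the reasons a message looks like an executive-impersonation
    request for employee data; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    real_mailbox = EXECUTIVES.get(name.strip().lower())
    if real_mailbox and addr.lower() != real_mailbox:
        reasons.append("executive display name on a non-executive address")
    if domain != INTERNAL_DOMAIN:
        reasons.append("sender domain is external")
    if reply_addr and reply_addr.lower() != addr.lower():
        reasons.append("Reply-To routes answers elsewhere")
    if PII_PATTERN.search(msg.get_payload()):
        reasons.append("asks for employee PII")
    return reasons


# Constructed sample messages (not real mail).
SPOOFED = """From: "Jane Doe" <ceo.office@example-mail.net>
Reply-To: hr.collect@example-mail.net
To: payroll@example.com
Subject: Urgent request

Please send me the W-2s for all employees today, with SSN and birthdate.
"""

LEGIT = """From: "Jane Doe" <jane.doe@example.com>
To: payroll@example.com
Subject: Q3 headcount

Can you send the headcount summary for the board deck? Thanks.
"""
```

A hit on any single reason is only a reason to look closer; the combination of all four is what makes the spoofed sample stand out.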
If you see something, say something
We can all take a lesson from the law enforcement community and promote a “see something, say something” mentality. Teach people to report all suspicious activity. For instance, you can set up a special email address where people can forward messages they suspect to be spam or phishing. Then be sure to acknowledge their submissions. When people get positive reinforcement for their diligence, they become part of your “neighborhood patrol” team. They’ll keep their eyes and ears open for suspicious situations and report them. While reports of spam rarely yield actionable information, they do keep people on their guard for things that just don’t look right.
At the same time, let people know that they won’t be blamed or punished for an accidental or inadvertent action that leads to a security incident, such as clicking on a phishing link. People must be encouraged to report rather than hide incidents – even if they caused them – so the events can be quickly investigated and mitigated.
Most people really do care about protecting their company. They want to do the right thing. The biggest challenge is getting them to see cybersecurity in the same light as physical security. They wouldn’t leave the door propped open and leave their wallet right out on the desk. They might leave the door propped open, but they’d take their wallet with them. Or they might leave their wallet on the desk, but they’d make sure that the door is locked. The same holds true for data security. Explain why they wouldn’t want to leave a sensitive database open and walk away from their desk. The database is like the company’s wallet – full of important stuff – so they should close the database and log off the application so no one else can access it without authorization.
Communicate, but don’t overdo it
Fun contests, incentives, awareness fairs, newsletters and other internal media campaigns are all good for bringing attention to security. Use group activities to raise awareness or reinforce a security culture. An individual’s identification with a group is a strong driver to behave in a directed way.
If you do a quarterly newsletter where you provide security pointers, try to tie it to what’s going on in the world or the company. Use real and relatable examples. One CISO says he did a “back to school” themed newsletter that he published in September. Everyone can relate to the excitement of “back to school” whether they have children or not; all of us went to school. His newsletter welcomed everyone back to the virtual classroom where they would learn about the ABCs of, say, protecting login credentials. It was a fun way to tie the content to the time of year and get people to relate.
The messages of such programs need to be repeated in varying ways to help employees absorb and internalize them—but don’t do it too often, or people might tune you out. You want to make sure that people pay attention to critical communications from the security program when you need them to.
Security awareness training can’t be a once-and-done activity. The best programs engender a corporate culture of security awareness, meaning that people accept “this is the way we do things” and it becomes second nature.