Speak with a group of CISOs after hours and you will inevitably hear war stories about how their state-of-the-art defenses were bypassed because a user in [insert non-technical department] fell for a phishing email. These stories naturally turn to quips about how their users know nothing and are their biggest risk. One thing in that statement is true: users are your biggest risk. But that is not their fault. So why hasn’t this age-old anecdote evolved much over the years?
User Training & Awareness hit the market over a decade ago as the silver bullet for this problem. For a fairly low cost and a little effort, security teams could now pick training materials, send simulated phishing emails, schedule new-hire and yearly training, and automatically reprimand users for failing a campaign or not taking a required training.
Recently, I have heard of organizations abandoning these programs because they have come to be seen more as a source of distrust than as a real benefit. For those of us who haven’t given up hope on them, the programs have mostly been about checking the compliance box rather than moving the security needle.
Moving the security needle is not just a training and awareness issue; it is a cultural issue, and that culture has to leave the corporate walls and be adopted in our interconnected personal lives as well. Security is, unfortunately, not part of many people’s primary focus. The mindset of “that will not happen to me” is still prevalent, even after all of the news coverage and even among people who know a friend or family member who was a victim of cyber-crime.
So how do we move from the shadows and help weave security into the culture of the company?
- Embed training & awareness into your Cybersecurity program. This starts with hiring passionate practitioners who are ambassadors for your program. Passion and excitement are contagious, and that helps convey the message.
- Get interactive. If office life is still a thing for you, occasionally set up a booth in a common area with some activities and representatives from your security team to answer questions. This environment is more disarming than a formal training session and reaches the most people in an engaged manner. Pro tip: include a raffle with cyber-branded prizes.
- Host an outside expert to talk to your employees. FBI and Secret Service agents from your local Field Office are usually more than happy to brief both employees and executives about current threats and what individuals and corporations can do to stay safe. As a bonus, this is an excellent opportunity for you as a security leader to learn who your local law enforcement contacts are.
- Treat your executives and key decision makers differently. While all users are a “risk”, your executives and decision makers are typically a more valuable target, both personally and professionally. They are also responsible for supporting and funding security initiatives, and they may be part of the Incident Response team (will the company pay the ransom or not?). Executive briefing sessions should be held periodically throughout the year and tailored for this audience.
- Host small Lunch & Learn sessions. These sessions should incorporate tips and strategies about what people can do to stay safe online, at home, and in the office. Focus on what a security mindset can do for them, not only on what it can do for you.
- Use phishing campaigns for more than just testing users and reprimanding them. Collect metrics to identify who your high-risk users are, what days and times of day people are clicking on malicious emails, which types of malicious email users are most susceptible to (i.e. attachment or link), and which email themes are most likely to be clicked. From there, you can build additional technical controls, such as removing certain access for higher-risk users, leveraging browser isolation, or building out End User Behavior Analytics.
- Shift from the office of “no” to the office of “know”. Cybersecurity is often (and rightly so) the department that is called when a program can’t be installed, a website is blocked, or there is an unusual or unexpected impact on the technology experience. Sometimes this is not due to Cyber, but often, and for good reasons, it is. Instead of blocking users outright, incorporate some training and awareness into the pop-ups or block pages. Explain why the site is blocked and what could have happened if it had not been. If the user still feels this is wrong, implement an efficient workflow for reporting potential false positives so they can be handled in a timely and secure manner.
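The phishing-campaign item above asks for metrics rather than reprimands: who the high-risk users are, when people click, and which lure types and themes work. The following is an added example (not part of the original article or any vendor's tooling) that computes those metrics from a constructed set of simulation results; the field names and thresholds are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed phishing-simulation results (one row per simulated email delivered).
# The field names are assumptions, not any vendor's export format.
FIELDS = ("user", "sent_at", "lure", "theme", "clicked", "reported")
ROWS = [
    ("alice", "2024-03-04T08:15:00", "link",       "payroll",        True,  False),
    ("alice", "2024-03-11T16:40:00", "attachment", "invoice",        True,  False),
    ("alice", "2024-04-02T09:05:00", "link",       "password-reset", True,  False),
    ("bob",   "2024-03-04T08:20:00", "link",       "payroll",        False, True),
    ("bob",   "2024-03-11T16:45:00", "attachment", "invoice",        False, True),
    ("bob",   "2024-04-02T09:10:00", "link",       "password-reset", False, False),
    ("carol", "2024-03-04T17:30:00", "link",       "payroll",        True,  False),
    ("carol", "2024-03-11T16:50:00", "attachment", "invoice",        False, True),
    ("carol", "2024-04-02T17:55:00", "link",       "password-reset", True,  False),
]
RESULTS = [dict(zip(FIELDS, row)) for row in ROWS]


def group_rate(results, field):
    """Click rate (clicked / delivered) grouped by one field, e.g. user, lure or theme."""
    sent, clicked = Counter(), Counter()
    for r in results:
        sent[r[field]] += 1
        clicked[r[field]] += int(r["clicked"])
    return {k: round(clicked[k] / sent[k], 2) for k in sent}


def clicks_by_hour(results):
    """Number of clicks per hour of day the lure was sent, to see when people are most exposed."""
    hours = Counter(datetime.fromisoformat(r["sent_at"]).hour for r in results if r["clicked"])
    return dict(hours)


def high_risk_users(results, min_campaigns=3, threshold=0.5):
    """Users with enough history whose click rate is at or above the threshold.

    These are candidates for compensating controls such as browser isolation or
    reduced access, not for blame. The threshold and minimum are assumed values.
    """
    rates = group_rate(results, "user")
    campaigns = Counter(r["user"] for r in results)
    return sorted(u for u, rate in rates.items()
                  if campaigns[u] >= min_campaigns and rate >= threshold)


if __name__ == "__main__":
    for field in ("user", "lure", "theme"):
        print(f"click rate by {field}:", group_rate(RESULTS, field))
    print("clicks by hour sent:", clicks_by_hour(RESULTS))
    print("high-risk users:", high_risk_users(RESULTS))
```

Reporting rate (the `reported` field) is worth tracking alongside click rate, since a user who clicks but then reports is a very different risk from one who clicks silently.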
Your employees are with the company for the long term. It is time to shift the focus away from low-effort automated training and awareness and toward building a security culture. For little more than a bit of time, your investment will pay dividends.