By Kris Tanaka
SecureWorld Media
"People are the weakest link in securing intellectual property and protecting sensitive data within every enterprise," said Dan Lohrmann, chief strategist and chief security officer at Security Mentor. "They are also your organization's greatest asset."
Yes, all it takes is just one click to let the "bad guys" in. On the other hand, all it takes is just one action to keep the bad guys out.
Imagine what would happen if you were able to help your colleagues spot that phishing attack, refuse to hand over personal information in response to that suspicious query, or report that strange file on their hard drive. The result? They would become proud members of your company's "cybersecurity superhero team!"
You have probably heard the saying, "It takes a village." Hillary Rodham Clinton used the African proverb for the title of her book, in which she focused on the impact individuals and groups outside the family have, for better or worse, on a child's well-being. This same sentiment can be applied to cybersecurity - it really does take a village, or a team, to protect your company and keep your data safe.
"Like a doctor explaining the behaviors needed to stay healthy to his/her patients or a nurse describing physical therapy steps that are necessary to recover after an operation, security pros need to educate employees regarding how to protect themselves in cyberspace," Lohrmann said. "End users can make well-informed decisions to reduce risks to data and networks. Therefore, a well-organized security awareness program is essential."
In Government Technology, Lohrmann lists "Dos and Don'ts" that security professionals should consider when trying to build or improve security awareness programs:
- Don't stay with your status quo. A cyber awareness program with content that hasn't been updated in years is a waste of an employee's time.
- Don't rely on videos or PowerPoint slides as the primary channel for awareness programs. Several studies found that interactive material that engages end users is more effective in achieving results than just using a series of awareness videos.
- Don't confuse cyber awareness programs with security training. Security training involves a finite set of knowledge and usually tests for short-term comprehension. Security awareness programs try to change behaviors of individuals - it is a continual process.
- Don't forget anyone, and don't make security awareness an optional extra. The entire enterprise needs security awareness.
- Don't focus solely on compliance or make awareness just a "check the box" exercise. No doubt, you need security awareness programs for PCI compliance, HIPAA compliance, federal regulations or other compliance reasons. But cybersecurity awareness needs to be a process of constant improvement and adaptation.
- Do ensure executive support and management buy-in. End user awareness must have the full and vocal support of top executives and the middle managers in order to be successful.
- Do make it fun - use gamification and interactive content, if possible. Brief, intriguing, "sticky" content is key. The more relevant and timely, the better.
- Do include posters, newsletters, email tips, blogs and reminders, National Cybersecurity Awareness Month and more. Different people learn differently. There are numerous sources to help provide new and refreshing security information.
- Do focus on changing behaviors. Relate cyber awareness to personal life, family and home. Our goal is to change culture and improve security. Many studies have shown that employees pay more attention if the awareness materials can be used, and even shared, outside the office - at home with family and friends.
- Do solicit end user ideas, encourage feedback, and measure the success and growth of the program. Make sure that your awareness program is measured. Ask for new ideas and suggestions to improve. Encourage creativity. Provide mechanisms to get real-time data from staff.
Are you looking to improve and strengthen your company's security culture? Don't miss Lohrmann's upcoming SecureWorld Plus course, "Building a Successful Information Security Awareness Program," at SecureWorld Boston on March 29-30.