According to the annual report issued by Verizon and IBM, 85% of breaches are due to human errors. Employees are at the same time the organization’s weakest link and its first line of defense.
How many times have you sat next to a person on a train who was “unaware” of the sheer amount of information they were displaying? Or who left their laptop open and unattended? Too many times, I’m sure.
Employees need to understand that they’re the preferred targets of cybercriminals because, from the attackers’ point of view, they’re the most straightforward way in. Most of the time, employees already have access to the information that cybercriminals want, and attackers consider them easier to manipulate than systems are to exploit. Even basic attacks like spear-phishing are growing sharper and more believable than your regular mail from amaz0n.ng.
Cybersecurity is thus needed to protect the systems and data potentially or effectively put at risk by breaches. As the threats and the attack surface grow, the people behind the screens in security operations receive more and more alerts.
However, employees often think that cybersecurity exists solely to make their jobs harder, and that it is not part of their job. In their minds, there is no link between their behavior and cybersecurity.
So, besides the continuous strengthening of the architecture to adapt to the evolving threats, one way to increase efficiency would be to educate employees. You have to make them understand their cybersecurity roles and responsibilities. This is cybersecurity awareness.
To us, there are numerous points to address when talking about security awareness in organizations:
- Even though cybersecurity is at the core of every business today, its efficacy is dramatically hampered without a sense of security awareness in a given organization;
- This is why you should, if not already done, build a culture of security in your organization;
- Security awareness and Security operations have to work hand in hand to achieve success;
- Eventually, a mature and intelligently built Security awareness culture would increase the impact and efficiency of Security Operations.
Cybersecurity is necessary but inefficient if there’s no culture of security in your enterprise
According to the CISA, cybersecurity is about protecting networks, devices, and data from unauthorized access or illegal use and the practice of ensuring confidentiality, integrity, and availability of information. Its implementation is usually based on the following three elements:
- Knowing what needs to be protected – and why – by identifying critical information assets;
- Knowing what information assets need to be covered by developing an in-depth knowledge of the risk environment;
- Protecting information assets for as long as they exist by creating protection strategies and mitigation plans.
However, as said above, one central element in every cybersecurity plan is often the one on which cyber professionals have the least impact: humans. Indeed, far too often, security initiatives fail not because of technology but because employees think of cybersecurity as an entirely independent and closed field within their enterprise.
This can seriously impede all the efforts undertaken. For instance, your teams could put all their effort into securing the firewalls; it would be rendered useless if one employee sets his password to 1234. Even with two-factor authentication enabled, what if some employees don’t lock their smartphones and lose them? Examples can be multiplied endlessly.
To succeed in implementing new technologies in your cybersecurity architecture, you must inform people what’s in it for them and how they can help in this task. Employees can benefit from cybersecurity in numerous ways, such as a safer and more productive work environment, avoiding the fear of personal information being stolen and misused, and business survivability.
You can sum this up with the concept of Security awareness. You would define it as the understanding that something or some situation exists and how it is perceived.
To that end, you need to shape beliefs and attitudes on security and guide employees to adopt behaviors that support cybersecurity. Doing so should help motivate them and understand how they can benefit from improved cybersecurity across the organization.
That’s why you should infuse a security culture in your organization
Since almost every task performed by employees in today’s organization relies on technology and can be exploited, cybersecurity awareness should be an everyday part of the business. That security must apply to everyone in the organization. Every link in the chain is important.
That’s why you have to build a holistic approach when it comes to security awareness. No one can be left behind. You have to educate everyone that the first risk is human, and that it starts at home. To that end, you should implement security programs to infuse a culture of security and increase awareness among your ranks.
Such programs would manage human risk through a four-step strategic process:
- Identify the organization’s top human risks;
- Define the key behaviors that would reduce those risks;
- Communicate to, train, and engage your workforce so they adopt these behaviors;
- Measure the ongoing improvements.
A helpful remark here: modern management thinking gets something right when it says that learning new things, especially complex ones, should be fun. So, keep it playful and short.
Employees tend to keep a relatively distant attitude toward security protocols and issues. Often, employees are viewed as malware nests or spam clickers, while security teams are seen as the lone sentinels of doom, cleaning up employees’ messes (that’s not wrong, if you allow me! But it’s in these moments that diplomacy is necessary). Still, establishing a solid security culture requires changing people’s attitudes from resentment to understanding and, ultimately, compliance and cooperation.
Have a top-down approach. Start from the top of your company. Top-level employees have to show the way. Attitudes about security won’t change if people see some colleagues avoiding what they regard as a burden on their operations. I know that executives are often the least cooperative about changing their habits, but this is how policies are most deeply internalized.
You’re here to educate, not impose harsher rules for the sake of it. I know that the hard way often seems faster, but faster doesn’t equal better. It involves helping employees to understand what’s at stake. Nothing prompts behavioral change like having a clear understanding of the reasoning behind desired behaviors. For employees, understanding how data security affects their personal lives and the lives of their loved ones can generate aha moments that drive positive security behaviors.
Give your people responsibility. How employees perceive their role is a factor in sustaining or endangering the security of the organization. If employees feel data security is the sole responsibility of IT, they will fail to understand their role fully.
Cognitive empathy is critical. The technical community often dismisses security awareness because they already know the risks. Some even use privacy filters on their screens and encrypt their drives with VeraCrypt. Telling them about awareness seems redundant, whereas most regular employees would be shocked to learn the means attackers use to breach their company. Again, cybersecurity is everyone’s concern; a well-trained and security-aware workforce is a robust line of defense.
Combine different techniques to achieve your goals. Hard and soft regulations are both applicable. Don’t crowd your teams with endless rules; try to use other means. Nudging is more and more used to influence behaviors. Positive reinforcement, like congratulations or positive feedback, often delivers better results than harsher rules. For instance, instead of shaming employees for clicking on a phishing mail, try to take the opposite path by celebrating “Employee of the Month” for employees who don’t fail phishing tests.
To address these risks, you would then identify the key behaviors linked to them. For phishing, it would be the “5 seconds rule”: Is this mail consistent with the ones I’ve received from the same person? What’s the exact sender address? Of course, spear-phishing tends to be harder to decipher, but simple checks like these would save you a lot of alerts, trust me. The same goes for credential theft. Most of the time, it comes down to a handful of causes: weak passwords, a common password shared between personal and professional uses (which tends to grow as BYOD grows in a corporate world friendlier to remote work), or shoulder surfing.
Educating the employees on what makes a strong password, the limits of BYOD, or always keeping an eye out when working in public places is an excellent way to limit the risks drastically. Conduct tests monthly, simulate fake ransomware attacks. A black screen with a skull in the center is sometimes a good lesson, no need for shaming. Celebrate those who succeed, help those who fail. Remind yourself that you’re in this together. Sustaining a good atmosphere is paramount.
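The “5 seconds rule” above (Is this the sender I know? What is the exact address?) can also be turned into a small triage check for the awareness team to demonstrate in training. This is an added example, not code from the original post; the contact directory and the digit-for-letter table are constructed assumptions, and the `amaz0n` lookalike is the one the post itself mentions.

```python
from email.utils import parseaddr

# Constructed directory of known correspondents: display name -> expected domain.
# In practice this would come from the address book or prior mail history.
KNOWN_CONTACTS = {
    "Amazon": "amazon.com",
    "Jane Doe": "example-corp.com",
}

# Digit-for-letter swaps commonly seen in lookalike domains (amaz0n -> amazon).
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def second_level(domain):
    """Return the label left of the public suffix, e.g. 'amazon' for 'amazon.com'."""
    labels = domain.lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def check_sender(from_header):
    """Apply the '5 seconds rule' to a From: header; an empty list means nothing odd."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["sender address could not be parsed"]
    domain = addr.rsplit("@", 1)[1].lower()
    warnings = []

    # A display name that itself looks like an address is a classic spoofing trick.
    if "@" in name:
        name_domain = name.rsplit("@", 1)[1].lower()
        if name_domain != domain:
            warnings.append(f"display name claims {name_domain}, address is {domain}")

    # Is this mail coherent with the ones I usually get from this person?
    expected = KNOWN_CONTACTS.get(name)
    if expected and domain != expected:
        if second_level(domain).translate(LOOKALIKE) == second_level(expected):
            warnings.append(f"lookalike domain {domain} for {name} (expected {expected})")
        else:
            warnings.append(f"{name} normally writes from {expected}, not {domain}")
    return warnings


if __name__ == "__main__":
    for header in ("Amazon <orders@amazon.com>", "Amazon <orders@amaz0n.ng>",
                   '"ceo@example-corp.com" <random@mail.example>'):
        print(header, "->", check_sender(header) or "looks consistent")
```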
Security Awareness Teams have to sit right next to Security Teams
We know that security awareness can be perceived as an entertainment business by security operations. It would be like explaining why you have to wear a bulletproof vest to a soldier. That’s why, when asked about what security awareness programs are for, security professionals often say something like, “Oh, these posters and useless pieces of training?”.
When having to explain niche things to others, technical people often have this bias: “They should already know it,” “this is wasted time.” Such elitist behavior is relatively common to all niches or specialties when it comes to explaining them to outsiders. However, we’ve learned that this is the wrong way to evangelize people. Engagement is important.
Try to reach out to a company running a more mature awareness program. You are likely to get a very different answer from their security team. They would answer, “The awareness team is helping simplify security for us and effectively manage our human cyber risk.”
They know that cybersecurity is not just about technology; it’s also about people, especially as they are among the top risks to organizations and one of the fastest-growing. Security awareness is part of and an extension of the security team to effectively manage the risk.
This posture isn’t so disruptive. When you think about it, security operations are already split between different teams, with different specialties to manage different elements of risk, such as Vulnerability Management, Security Operations Centers, or Incident Response teams. From this point of view, Security Awareness is another piece added to the puzzle, focusing on the human side.
Integrated into the global security operations, security awareness teams would have different missions, as stated above.
Identify and prioritize risk. Awareness teams would partner with security teams to better understand and prioritize your top human risks and the key behaviors that manage them. Of course, when dealing with multiple risks, you have to prioritize. You can’t defend everything. Some of them are more dangerous than others. It’s also about not overwhelming your employees with too many requirements, tasks, processes, and responsibilities. Awareness officers have to keep security simple.
Communicate and train. Once the key behaviors are identified, you need to prepare your employees for changing those key behaviors. To that end, Awareness officers need to work across departments and partner with marketing, communication, and human resources. Awareness jobs are people jobs; officers need to enjoy working with others and be passionate about helping people. It’s the total opposite of cybersecurity as traditionally conceived by cyber professionals, and that’s a good thing. Almost every time, the solution resides in finding the middle ground between two opposite conceptions.
A final touch for security awareness teams is the measurement of their work. Measuring the impact of your programs and reporting it to executives in business terms, or to other employees, is excellent for visibility and legitimacy. You could use metrics like quiz or test results collected in playful ways, analyze the results of phishing/fake malware campaigns, and break those campaign results down by team and/or by the risk level of the roles involved. Ultimately, you could synthesize all the metrics assessed and render them as a global overall security score.
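As an added illustration of the measurement step just described (not code from the original post), here is one way to break a phishing-simulation campaign down by team, weight it by the risk level of each role, and fold everything into a single 0-100 score. The campaign records, the role weights and the scoring scale are constructed assumptions to adapt to your own risk analysis.

```python
from collections import defaultdict

# Constructed sample data: one record per employee for one phishing campaign.
# Role risk weights are an assumption; tune them to your own risk analysis.
ROLE_RISK = {"standard": 1.0, "finance": 2.0, "admin": 3.0}

RESULTS = [  # (employee, team, role, clicked_link, reported_mail)
    ("e1", "sales", "standard", True, False),
    ("e2", "sales", "standard", False, True),
    ("e3", "sales", "standard", False, False),
    ("e4", "finance", "finance", True, False),
    ("e5", "finance", "finance", False, True),
    ("e6", "finance", "finance", True, True),   # clicked, then reported it
    ("e7", "it", "admin", False, True),
    ("e8", "it", "admin", False, True),
]


def behaviour_score(clicked, reported):
    """Score one employee's reaction: reporting is the behaviour we want to reward."""
    if clicked:
        return 40 if reported else 0   # self-reporting a click still limits the damage
    return 100 if reported else 70     # ignoring the mail is fine, reporting it is better


def team_metrics(results):
    """Click rate and report rate per team, the breakdown the post suggests."""
    agg = defaultdict(lambda: {"n": 0, "clicked": 0, "reported": 0})
    for _, team, _, clicked, reported in results:
        agg[team]["n"] += 1
        agg[team]["clicked"] += int(clicked)
        agg[team]["reported"] += int(reported)
    return {team: {"click_rate": t["clicked"] / t["n"],
                   "report_rate": t["reported"] / t["n"]} for team, t in agg.items()}


def overall_score(results, quiz_average=None, quiz_weight=0.3):
    """Global 0-100 score: role-risk-weighted behaviour, optionally blended with quiz results."""
    weighted = sum(ROLE_RISK[role] * behaviour_score(c, r) for _, _, role, c, r in results)
    total_weight = sum(ROLE_RISK[role] for _, _, role, _, _ in results)
    score = weighted / total_weight
    if quiz_average is not None:
        score = (1 - quiz_weight) * score + quiz_weight * quiz_average
    return round(score, 1)


if __name__ == "__main__":
    for team, m in sorted(team_metrics(RESULTS).items()):
        print(f"{team:8} click {m['click_rate']:.0%}  report {m['report_rate']:.0%}")
    print("overall security score:", overall_score(RESULTS, quiz_average=80))
```

Because admins carry the highest weight and all of them reported the mail, the weighted score (70.0) lands above the plain per-employee average; the same data would tell a very different story if the admins had clicked.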
Eventually, a mature Security Awareness team would increase the impact and efficiency of Security Operations
Let’s sum up what we’ve said above. Culture is about people’s attitudes, perceptions, and beliefs. Culture is like clay: it’s hard to shape once it has solidified. You need patience and dedication to break biases and to make your audience change their first thoughts about a topic like cybersecurity.
Still, building a solid security culture would be of immense value to your whole company and specifically for your security teams since it would alleviate some of their burdens.
A Security Awareness team collaborating with Security teams and beyond, acting as a transmission chain of sorts, is the best path to success. Officers would build the drivers of your security culture by writing hard and soft policies, activities and training, and processes, and by changing how your security team communicates with, and enforces policy on, the rest of the company.
Instead of the too often seen complex, overwhelming, or intimidating security policies communicated and enforced by an arrogant or punitive security team, you need relatively easy-to-follow, common-sense policies mixed with nudges, sanctions, and rewards. Most of all, an engaging and supportive Security Awareness team.
In such an environment, people would feel safer reporting incidents, be more inclined to include security as part of their job, and, as a whole, come to share the belief that security is vital to your organization’s success.