What is the most important factor to consider when designing an effective IT security awareness program?


KnowBe4’s Chief Evangelist and Security Officer, Perry Carpenter, discusses how to protect your organization’s data from an often-overlooked risk.

Sponsored

Organizations set up all sorts of technology-driven safeguards to help them protect their own and their customers’ data. These investments are often well worth it, but they’re not enough. Technology safeguards don’t address one critical risk that every organization, regardless of size or industry, has: its people.

Let’s take a look at seven considerations for launching a security awareness program that accounts for the important “people component” of security awareness.

1. A Process, Not an Event

Most companies take time at least once a year to provide employees with training about how they can help protect the organization’s data. They pack people into a room and talk about security for a couple of hours and then check a box to indicate to the compliance office that they did it. And then they move on to the next thing.

Unfortunately, that’s not enough.

An annual in-service, a required webinar or even a great Cybersecurity Awareness Month series of events is not a security awareness training program. So, what is? A strategically considered combination of actions and activities based not just on information and policies, but on behavior.

2. A Focus on Changing Behavior

Security awareness is not information only. It’s information and behavior.

There will always be an information component to any security awareness program. If you’re a regulated organization, or you’ve got policies you need to expose people to, or if you need to expose people to the fundamentals of a scam or some critical nugget of information, there will be information that needs to be delivered.

But that’s really just a starting point.

An effective security awareness program will focus on changing behaviors. Testing is one way of doing this. For instance, a phishing simulation prompts the user to either click a link, report the phish, or do nothing and ignore the phish bait.

Here’s the thing: People need to be put in situations where they will have to make a decision that will determine if the organization gets breached or not. They need to be able to fail safely.

Simulations such as these are proven to help to change behavior over time. Frequent simulated phishing tests help build reflexes and muscle memory that drive behavior in automatic ways until those behaviors become habits.

At least every 30 days, you need to put employees in a simulated social engineering type of test, like a phishing test, to bring mindfulness to security protection actions.

3. Use Quality Communication Materials

What do the security awareness communication materials in your organization look like? If you’re like many organizations, they’re old documents that have been copied and recopied until the text is blurry and even members of the IT department don’t want to read them.

Security leaders will do themselves and their organizations a favor by committing to produce quality communication materials. Anything you put out in front of employees has to be as good as – or better than – what the organization typically produces. Otherwise, security will be seen as “less than” —an afterthought.

Take the importance of quality communication materials to heart. If you cut corners, if you strive for “good enough,” if you just quickly get stuff out there to say you did it, you create a bad reputation for security awareness and – by extension – your team.

4. Different Strokes for Different Folks

The problem is that different people process information differently. For instance, each of us browses through Netflix and gravitates toward certain types of content that match our entertainment preferences. As employees, we approach the information around us in the same way.

Different types of content, different styles, different lengths of time and a whole host of other considerations each resonate with employees differently. There is no one-size-fits-all piece of content. Relevant engagement is ongoing and individualized.

This can be accomplished through self-service learning options where employees can access the information and education they need, when they need it. Options can range from “Ask Me Anything” resources, entertaining webisodes and short webinars to policy collections and any number of other resources that are always available, easy to access and easy to consume.

Because there is no one-size-fits-all piece of content or approach, you also need to consider the learner’s role. Your customer service staff need different information than your IT staff in terms of security awareness. Training should be based on role and individual needs, not whatever training material is most conveniently at hand. People may have entirely different learning styles; some people respond better to three- or five-minute funny videos, others — executive-level staff, for instance — may find comic material condescending.

5. Focus on Moments of Need

Information should be delivered as close to the time of need as possible. The first need for security awareness happens when a new employee joins the organization. There are a wide range of other moments of need, depending on the employee’s role and function and the people they interact with. Other moments of need may include setting up a new password, sending a secure file transfer, learning the appropriate use of certain systems, etc.

What opportunities does your organization have to deliver just-in-time learning based on moments of need?

6. Multichannel Marketing Campaigns

How do companies communicate with their audience? Through multichannel marketing campaigns that use specific messaging for specific audience segments delivered through a wide range of channels to ensure awareness and repetition and, ultimately, to generate some type of action.

Your security awareness efforts should follow the same strategy.

You should have different types of content, being delivered at different times, targeting different audiences and communicated through various channels.

At the end of the day, you’re trying to change hearts and minds. That takes time and repetition.

7. Metrics, Reporting and Pulse Checks

To be effective at anything, we need metrics. Security awareness is no exception. We need to know where we are, how we’re doing and whether we’re closing security gaps.

There is also a need for surveys and assessments to know how well your content and training are resonating with people.

Think of these assessments as providing periodic pulse checks to help you understand some subtle nuances of what kind of culture you have within your organization.

Pulse checks help determine where the organization is at a given point in time. This information is subtly different from metrics because it gets into things that are harder to quantify, like opinion, frame of mind or preferences.

What Makes KnowBe4 Unique for Security Awareness Training

Established in 2010, KnowBe4 is the world’s most popular security awareness training and simulated phishing platform, servicing more than 35,000 organizations and some 25 million users. We use AI and machine learning to help systems get smarter by better understanding the nuances of how different people learn. Pluggable integration with traditional security tools is offered to provide behavioral insights. Customer-generated, real-world phishing examples are folded into our simulation platform. Communications are adapted based on the ways individual employees behave, the types of risks they can expose the organization to and the inherent risks that relate to their role in the organization.

About KnowBe4

KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, is used by more than 33,000 organizations around the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Kevin Mitnick, an internationally recognized cybersecurity specialist and KnowBe4’s Chief Hacking Officer, helped design the KnowBe4 training based on his well-documented social engineering tactics. Tens of thousands of organizations rely on KnowBe4 to mobilize their end users as the last line of defense.


Published Date: 24 August 19

CISOs and information security professionals across industries agree on one key component of any security program: user awareness of security policies and best practices.

Security is only as strong as the “weakest link” in the chain. The human factor is considered the most challenging component of the security ecosystem, and awareness programs aim to build resiliency among users to address this key risk in any organization.

Although past security incidents show that most incidents result from a combination of many factors, human error or human motives played a role in the majority of them.

So how should organizations address this risk?

Is it by educating and enabling users with the skills required to handle sensitive information and systems securely, or by limiting the dependency on users for the main operations and activities?

This has been an interesting debate among security professionals for a while.

Although awareness programs have an important role to play in the maturity of an organization’s security environment, some experts feel that over-emphasizing this factor risks overlooking the actual causes.

They argue that unfairly blaming the human factor for the losses associated with security breaches leaves the underlying technology and process ineffectiveness unaddressed.

What is the truth in this? Can an organization depend solely on how security-aware its workforce is? Can banks leave their financial stability to the risk of an employee making a mistake or committing fraud?

Let us analyze the key elements of any security ecosystem and the three building blocks of a security strategy.

The system consists of people, process and technology. Building a resilient workforce and customer base is vital to achieving security objectives and to reducing incidents or, at a minimum, their impact.

At the same time, however, the program requires equal or greater effort to define and refine processes with security embedded in them, and to identify and deploy the right, effective security technology.

Best efforts with a collective approach are required to raise security awareness among employees and customers. Effectiveness is achieved when the program is designed, developed, deployed and monitored in the right manner.

The design must be well thought out and take into account the business strategy, regulatory requirements, organizational culture, current level of awareness and available techniques. Baselining the awareness level is a major step in the program rollout.

Phishing email tests, quizzes and surveys, and past financial losses due to information security failures are some of the KPI baselines against which the success of the program can be assessed.

If the Key Performance Indicators (KPIs) are tangible and expressed in financial terms, support, buy-in and budget for the program are easier to obtain.
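As an added worked example (not from either article or from KnowBe4), the script below turns the outcomes of the monthly simulated phishing tests described in the sponsored piece (click, report or ignore) into the operational and lag KPIs this article asks for: per-department click and report rates per campaign, a baseline taken from the first campaign, a flag for departments whose click rate has not improved (candidates for role-targeted training), and a check that campaigns actually kept the intended 30-day cadence. The department names, dates and counts are constructed sample data, and the `expand` helper and the 30-day threshold are assumptions for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not real results): three simulated phishing campaigns,
# summarised per department as counts of each action, then expanded to one
# record per recipient so the KPI functions work on raw result rows.
def expand(day, dept, clicked, reported, ignored):
    """Turn summary counts into one {campaign, dept, action} record per recipient."""
    return ([{"campaign": day, "dept": dept, "action": "clicked"}] * clicked
            + [{"campaign": day, "dept": dept, "action": "reported"}] * reported
            + [{"campaign": day, "dept": dept, "action": "ignored"}] * ignored)

RESULTS = (expand(date(2019, 5, 6), "Customer Service", 4, 2, 4)
           + expand(date(2019, 5, 6), "IT", 1, 6, 3)
           + expand(date(2019, 6, 3), "Customer Service", 3, 3, 4)
           + expand(date(2019, 6, 3), "IT", 1, 7, 2)
           + expand(date(2019, 7, 15), "Customer Service", 2, 5, 3)
           + expand(date(2019, 7, 15), "IT", 2, 6, 2))

def campaign_kpis(results):
    """Operational KPIs per (campaign day, department): click and report rates."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in results:
        counts[(r["campaign"], r["dept"])][r["action"]] += 1
    kpis = {}
    for key, c in counts.items():
        total = sum(c.values())
        kpis[key] = {"click_rate": c["clicked"] / total,
                     "report_rate": c["reported"] / total, "n": total}
    return kpis

def baseline_and_trend(kpis):
    """Lag (outcome) view: the first campaign is the baseline; flag departments
    whose latest click rate has not improved on it for targeted training."""
    by_dept = defaultdict(list)
    for (day, dept), k in kpis.items():
        by_dept[dept].append((day, k))
    report = {}
    for dept, series in by_dept.items():
        series.sort(key=lambda item: item[0])
        baseline, latest = series[0][1], series[-1][1]
        report[dept] = {"baseline_click_rate": baseline["click_rate"],
                        "latest_click_rate": latest["click_rate"],
                        "needs_targeted_training": latest["click_rate"] >= baseline["click_rate"]}
    return report

def cadence_gaps(results, max_days=30):
    """Days between consecutive campaigns that exceeded the intended cadence."""
    days = sorted({r["campaign"] for r in results})
    return [(b - a).days for a, b in zip(days, days[1:]) if (b - a).days > max_days]

if __name__ == "__main__":
    for dept, row in baseline_and_trend(campaign_kpis(RESULTS)).items():
        print(dept, row)
    print("cadence gaps over 30 days:", cadence_gaps(RESULTS))
```

On the sample data, Customer Service halves its click rate from the baseline while IT's rises and is flagged, and the 42-day gap between the second and third campaigns shows up as a missed cadence.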

Design 

  • Identify the legal and regulatory requirements
  • Identify the stakeholders
  • Identify the business requirements and needs
  • Determine the organizational goals and risks
  • Align with the business, IT, information security, and marketing and communication strategies
  • Conduct the scope and needs assessment to understand the training requirements
  • Decide the program techniques and target audience
  • Decide the type of metrics and Key Performance Indicators

Development

  • Form a team and identify the stakeholders, roles and responsibilities
  • Identify the security awareness metrics and Key Performance Indicators (KPIs): operational/delivery measures and lag measures (outcomes)
  • Develop a communication and marketing plan for the program
  • Content design, development and schedules
  • Identify the mode, method and techniques of training and awareness
  • Create a baseline of the security awareness status

Deployment/Execution of the Program

  • Run a marketing campaign to promote the awareness program
  • Establish a proactive and comprehensive communication setup (newsletters, intranet, emails, SMS)
  • Engage with the stakeholders: Communication Department, Marketing Department, Human Resources, Compliance and Events Management
  • Set up a 2- or 4-week awareness campaign run on a theme
  • Create momentum for the program with quizzes, prizes, brochures, posters, online training and onsite events
  • Offer rewards and incentives
  • Record feedback and improvement areas

Continual Improvement

  • Measure the metrics and performance indicators
  • Review the positives and negatives and capture lessons learned
  • Identify improvement areas
  • Take the necessary corrective actions (corrective action plans)
  • Continue with the activities for the rest of the year, based on the pre-planned schedule

Critical Success Factors

  1. Customized, targeted and focused training and awareness program and content
  2. Executive management support and buy-in
  3. Key stakeholder engagement
  4. Interesting and innovative techniques and approach
  5. Holistic approach
  6. Measure and improve: KPIs
  7. Show a positive approach
  8. Rewards and incentives
  9. Communicate rightly
  10. Promote and market

So does that solve the whole dilemma?

The security awareness program should run on a continual basis and address the target audience in a crisp, clear and straightforward manner, in the right mix.

Overdoing the program, or too much communication or information, can be detrimental and make the audience lose interest. Ideally, engage the communication department to plan the method and frequency of communication. Similarly, the marketing department can help market the program and its components to the audience effectively.

Rather than static, one-dimensional emails or online/onsite training, interactive sessions with questions and answers, and quizzes with prizes and certificates, can encourage more participation and commitment from the audience.

Once the Information Security Department can demonstrate the business value of the program, the budget requirements are easily justified.

However, although improving information security awareness is a critical component of the whole control family, it must be supported by consistent and efficient security-embedded processes and adequate security technology.

The right combination of people, process, and technology is the secret behind a mature security posture for any organization.

Instead of a single point of failure, even if an employee or customer makes a mistake or attempts to violate security policies and controls, security-savvy processes or automated controls should prevent the risk from materializing and protect the organization from losses. The same should hold when a process or technology component fails.

Although 100% security is a myth, the objective of a CISO or information security organization should be to manage risks as effectively as possible and mitigate them with controls adequate to the risk rating.

The remaining residual risk is addressed by a well-tested incident management program and business continuity plan, with trained staff.

All of this should be aligned with the corporate risk appetite, so that every information security investment is backed by an organization-level cost-benefit analysis. The risk evaluation may be based on financial or regulatory impact, or in certain cases purely on reputational damage.

Conclusion

An information security awareness program is a fundamental component of any information security strategy and ecosystem, but at the same time the right processes and effective technology controls must complement it.

A well-designed, tailored awareness program engages the audience with innovative and interesting techniques and up-to-date, relevant content.

Buy-in from executive management and other key stakeholders is crucial to the success of the program, and that success should be explicitly demonstrated through Key Performance Indicators.

Illyas Kooliyankal is a well-known Cyber Security Expert, currently working as the CISO at a prominent bank in UAE and serving as Vice President of ISC2 (UAE Chapter). He has won many international awards, including the IDC Middle East CISO Award, ECCouncil (USA) Global CISO Award (Runner-Up), ISACA CISO, and Emirates Airlines CISM Award. He is a well-received keynote speaker at many international conferences in the USA, UK, Singapore, Dubai, etc.