When striving for success, you must have a definite purpose — something that takes priority over everything else when it comes to getting results. As it relates to information security and, specifically, user awareness and training, what’s the main goal?
Is it to train everyone to the highest possible level so they can be a part of the security solution? Perhaps it’s to set your business up for success by controlling users’ actions through policies and technologies? Maybe it’s to check the security awareness training box that auditors look for? Looking at the myriad approaches and possible outcomes of a security awareness and training program, no matter how it’s done, it all comes down to one thing: behavioral changes.
There are many businesses out there going through the motions of cybersecurity training, but they have little to show for it. Sure, the box is checked, but people are still clicking on malicious links, opening email attachments and falling for the same old tricks that social engineers have thrust upon us for decades. I see it in practically every security assessment project I work on. If a phishing message is convincing enough, upwards of half (sometimes more) of the users I target open attachments, click links and provide their network login credentials when prompted. It’s a simple yet disturbing exploit, and it’s happening all around the globe — your business included — every single day.
Find the Gaps in Your Security Awareness Program
With behavioral changes as a core component, is your security awareness program focused on the right things — the things that will help achieve your overarching purpose and goals? Or are you doing things that are moving you further away from where you need to be?
Are there blind spots in terms of technical controls? Perhaps you need to rethink your policies? There could be reputation or credibility issues that are keeping you from selling security to those who need it most. In-depth, unbiased and ongoing security assessments can uncover these things and lead to improvements. The problem is that security assessments are often not in-depth, unbiased or ongoing, so the same security challenges persist.
What gaps and opportunities exist in your security awareness and training initiatives? There are plenty if you take an honest look. Would forcing more mind-numbing classroom sessions or videos get more people on board with security? Or would a more creative approach, such as bringing in an outside professional trainer, be better? Ask your users what they’d like to learn and how they’d like to learn it. There are a lot of smart people outside of IT and security circles who can provide great feedback, so it’s best to have them on your side. Look at this as starting with a clean slate and improving security at a grassroots level rather than from the top down.
There’s often a gap in expectations. If you were to ask random employees in your business if they could explain what’s expected of them in terms of computer and internet usage, could they tell you? Give it a try and see what you find out. While you’re at it, ask them how IT and security can make their jobs easier. You’ll hear some great ideas. Note those ideas and implement them. When people see that their ideas are being used, they’ll have buy-in and will work to make even more improvements across the organization.
Next, how are bad choices on the part of employees handled? Is it a simple email reminder? Perhaps a useless retake of a cybersecurity training module? Does a manager sit down and talk about what happened and how it needs to be handled differently? Or is it IT or security’s job to reprimand employees who make mistakes? That’s often what I see, and it’s entirely the wrong approach. Security awareness and training is an HR/management function that IT and security professionals just happen to help facilitate.
Instead of it being a you-versus-them scenario, ensure that management and your security committee are involved in the process. As strange as it may seem, adult employees are not all that different from young children when it comes to being disciplined. If they’re to learn from their mistakes, they need to hear why they shouldn’t have done what they did (its impact on the business) and how they can handle things better next time, rather than being scolded and embarrassed.
Make Necessary Changes Sooner Rather Than Later
Whether it’s in business, your personal life or information security, you get what you focus on. Employees need to be set up for success. In an ideal world, this would mean they aren’t even provided the opportunity to make security decisions. Technical controls can help with this, but only to an extent. Eventually, employees will be presented with important security choices. Are your current awareness and training efforts going to lead them down the right path? You’ll never know until you scrutinize what you do.
Recognize that a core outcome of security awareness and training efforts needs to be changing behaviors. Get the right people involved to set expectations and then do what it takes to hit the target today — and keep hitting it over time. It’s the same old approach to minimizing employee-related security risks, but it’s the one that works.
Independent Information Security Consultant