The second week of National Cyber Security Awareness Month (NCSAM), held every October, focused on creating a culture of cybersecurity at work. The aim is to highlight the current threats that organizations are facing and promote a security culture that will help employees stay safe online and improve the organization’s overall security stance.
Security Intelligence asked Mike Saurbaugh, a faculty member with IANS Research, a course developer for Excelsior College and an independent consultant, to explain the importance of raising security awareness in an organization. He also gave his top tips for better engaging employees in an awareness program.
The Importance of Security Awareness
Saurbaugh stressed that developing a comprehensive security awareness program should not be considered a destination, but a journey. It requires dedicated oversight and should be ongoing, with engaging exercises. It should certainly not be seen only as part of a compliance or an audit initiative since that is likely to result in ticking off checklists rather than implementing any lasting behavioral change.
Executive buy-in is essential to drive a culture of security throughout an organization. A top-down approach will help to underline the importance of security for the organization, but it will still be necessary to explain to employees why security awareness is needed, what the main risks are and how reducing risk will help the business. Employees need to understand the part they play in achieving a common security vision, and this should be conveyed in an engaging way, not one that is condescending or demeaning. Threatening repercussions such as termination if an employee fails should be avoided because this creates mistrust and fear.
The Top Five Tips
The following are a few of Saurbaugh’s top tips for engaging employees with a security awareness program.
1. Find the Motivation
Security awareness is important for all aspects of life, not just in the workplace. This is especially true in today’s always-on culture, where people are routinely exposed to phishing, password challenges, data theft and other social engineering tactics. By raising awareness of security issues and concerns in a wider context, such as how to better protect their families and personal finances, employees will be more engaged and their emotional interest will be sparked.
Creating an air of healthy competition will raise interest in the awareness program, especially where departments are encouraged to compete against each other for the top spot based on factors such as which caught the most phishing emails or reported the most suspected incidents.
Employees will be more engaged if the program is fun to take part in. For example, by using gamification techniques for personnel in security operations centers, not only do participants have fun while honing important incident response skills, but they will become more adept at protecting the organization in the process.
3. Form Security Awareness Allies
Promoting security awareness doesn’t have to be the sole responsibility of the security team, which is often understaffed and time constrained. By getting other departments or branch locations involved, individuals outside of security can help to be the eyes, ears and voice of the program.
4. Public Recognition
Publicly recognizing success is key to making employees feel valued and can easily be done via the intranet, newsletters, internal marketing materials and general recognition from management. These methods may be preferred over monetary incentives such as gift cards or extra paid time off. Employees will come to expect such rewards and may lose interest should they be suspended, perhaps because the budget for such incentives is withdrawn.
5. Keep It Simple and Aligned to the Business
While crucial to the business, security is certainly not the main reason most employees were hired. Therefore, focus on specific incremental goals rather than trying to be all-encompassing and attempting to achieve too much too fast. Identify the behaviors the organization wants to promote and align them with business results so that employees can understand the value security has in protecting the overall organization.
Finally, Saurbaugh points to two nontraditional resources that will help security teams better understand how to drive the behavioral change an awareness program depends on. First, the book “Influencer: The New Science of Leading Change” stresses the need to clarify measurable results, focus on vital behaviors and use sources of influence in order to drive change.
BJ Fogg’s Behavioral Model considers the causes of behavioral change and suggests that three elements — the motivation, the ability and a trigger — must all converge in order to achieve the desired change. While not directly related to security, these two resources are a valuable aid for understanding behavior and how the approach taken to driving change affects the success of the security awareness program.