By Dan Virgillito, Security Researcher for the InfoSec Institute.
Imagine if every CSO had the resources to keep sensitive information and business identity secure. Sounds like a dream come true, right? In reality, however, that still wouldn’t be enough protection. Even the best security program in the world can’t help you unless everyone in your organisation understands their role in safeguarding company resources. This requires prioritising security awareness efforts.
The success of such initiatives requires the involvement of individuals in all key positions, including the CEO, CIO, CSO and managers. The perspective here is that for security awareness efforts to yield fruitful results, they need to include everyone in the organisation. Aside from the obvious security betterment, everyone’s participation will enhance awareness programs in a number of ways.
However, security awareness efforts often end with unsatisfactory results, and budget allocations for this part of the security policy are further cut down. Yet, human negligence is the root cause of many breaches and is one of the most overlooked aspects of IT security. Also, the budget spent on security awareness in most organisations is seemingly misplaced.
As a result, investment in security awareness rarely yields a positive ROI. And in organisations where the main aim of security awareness efforts is regulatory compliance, it ends up being a mechanical process rather than a learning experience at the lower rungs of the organisation’s hierarchy.
Why security awareness is essential
The human element has been the root cause of some of the most damaging attacks on organisations in the history of cyber crime, so companies should start applying the appropriate budget and resources to security awareness as a protective measure. While this does not mean that you stop investing in additional technologies that are known to mitigate awareness failings, you need to address the root cause to reduce the majority of damages caused by cyber attacks.
Prioritizing security awareness efforts starts with integrating a culture that dramatically increases the effectiveness of these efforts. It should include the following aspects:
Setting goals: The management should set goals to achieve a certain level of security awareness. A benchmark can be used to determine the baseline, such as a security awareness survey. In the future, training can be conducted and the benchmark can be revisited to see if there is any improvement.
Adopting a centric approach: Security awareness efforts can be effective if organizations adopt a centric approach. Apart from centralizing goals and projections, the approach also requires collaboration with other departments who might be able to provide additional resources in organizing efforts together. For instance, the compliance department has a big influence throughout the enterprise and therefore may be able to make security awareness a component of other processes. However, you would have to look after the needs of cooperating departments.
Being creative: Don’t limit yourself to the conventional methods of inspiring awareness; add a creative element to it. For example, you can demonstrate how security is a part of everyday life through games, mock cubicles and animated videos. Tell staff members how their home WiFi and devices can be breached and how awareness can make a difference both at the workplace and at home. Another way of being creative is by allowing employees to break rules (that cause experimental damage); this would enable employees to get the necessary experience to understand the consequences of their actions.
Providing C-level support: C-level executives should know the importance of security awareness for the ROI. Security awareness efforts backed by C-level support translate into bigger budgets and more freedom. The IT department can play a major role by creating special materials for upper management, as well as digital content that highlights tips and relevant developments specifically for C-level executives. The most successful programs rely on many variations of awareness material to gather C-level support.
Once a security awareness culture is created, periodic evaluations should be conducted to measure the progress and make adjustments if required. Performance is measured using metrics such as number of incidents involving human error, number of employees following the rules, and the number of participants attending training sessions.
More efforts needed
The risk to enterprise security is constantly evolving. And in order to keep up, organizations need greater efforts than just building a security awareness culture. Meeting compliance requirements should be considered a bare minimum.
Efforts should be geared toward making employees recognize that they are the gatekeepers in protecting company confidentiality. Integration of concepts into daily roles can remind them of their protective roles.
For example, it can be illustrated to development teams that their applications/software will be exposed to a hostile environment when they enter production after deployment. Security professionals can also conduct multiple sessions quarterly to give the staff visibility and develop a contact point for needs surfacing in the future. Key concepts of information protection, avoidance, and privacy must be taught in these sessions.
Here’s a sample awareness chain that could lead to success:
- Employees get clear guidance of threats
- They have a clear concept of what failure would mean to their company and them as an individual
- They know how to report attacks
- They report the attack once it is detected
- C-level executives get involved
- IT department helps staff members to block attack gateways
- The attack is analyzed and employees are educated about new vulnerabilities in future training programs
- Employees take action to better protect their company’s information, such as following established rules to avoid malicious emails and adopting proper password usage
- Employees are more readily aware of new threat developments and possible measures that can be taken to prevent them.
Your enterprise could follow a similar chain, but you need to address the following questions beforehand:
- What security awareness metrics do you have available already?
- What are the low-cost solutions that may provide metrics?
- Are you gathering information, and, if so, how is it being used?
- Does your company own a platform that could educate employees on security awareness?
- Are some employees already aware of security threats and their own responsibilities? Is it worth asking them to retake training sessions?
The importance of not repeating processes wastefully and getting awareness efforts right cannot be overstated.
To continuously achieve a positive ROI for your efforts, reevaluate the way you address security awareness, and how you can transform a major vulnerability into your best defense. Compliance should only be viewed as a by-product of these efforts for best results; the former should naturally follow.
Bottom line: You should prioritize security awareness with the right approach. If you are able to organize and manage the above-mentioned mission-critical aspects, results would speak for themselves. Larger awareness is the need of the hour, but it needs to be supported by efforts that go beyond meeting regulatory requirements.