Originally Posted by TechGenix – via techgenix.com – October 30, 2020
Improving the security culture within an organization is a challenge that boards, senior business executives, and IT security professionals are constantly grappling with. Technical controls are certainly important in making sure systems are secure. But as always, humans remain the weak link. End-users sharing passwords, plugging in virus-infected USB drives, or clicking links to phishing sites are just some of the challenges IT security teams struggle to contain each day. Culture change is a crucial factor in having IT controls work as they should and in ensuring security programs are adhered to. Still, driving culture change across an organization takes more than just a PowerPoint presentation with some catchy bullet points. The foundation of effective culture change is a robust IT security awareness program. The better your staff understands their responsibility for enterprise IT security, the lower the number of data breaches you’re likely to experience.
Here are a number of practical ways you can increase IT security awareness for your enterprise.
1. Start at the top
Humans are creatures of habit. Once we are used to doing things a certain way, it’s difficult to contemplate a different path. In organizations where routine is seen as creating predictability, stability, and comfort, an awareness program that attempts to change existing culture will run into formidable headwinds.
The fastest way to break the cultural resistance is to get the board and senior leadership buying into the security awareness campaign. Co-opt them into the program through brief, high-impact boardroom presentations. Emphasize how cyberattacks affect the bottom line. Enumerate the tangible benefits of improving awareness.
Your goal is not just to get the C-suite sending out a broadcast email outlining the importance of the awareness program. It’s also about demonstrating through their own actions that they take awareness seriously. Once employees begin to see the leadership as committed to IT security awareness, the entire organization will rapidly align with the new normal.
2. Prioritize high-risk groups
An IT security awareness program must, of necessity, be enterprise-wide. Your security is only as strong as the employee with the least understanding of IT security risks and their responsibility. Nevertheless, an awareness program will inherently have a limited budget. That means you have to direct resources where they are going to have the greatest impact.
Certain departments and employees have a higher-than-average risk profile. For instance, finance, HR, and IT departments are major targets because they are privy to large quantities of sensitive information. Similarly, C-suite executives will be attacked because of their high-level authorization across a broad array of confidential company information.
If a person in a high-risk department or role falls for a phishing attack, the repercussions could be catastrophic and inflict an enormous blow on the organization’s finances and reputation. Prioritize IT security awareness and training programs for these high-risk individuals, including actionable tips on preventing or responding to a suspected cyberattack.
3. Leverage storytelling
Let’s face it — IT security isn’t the most exciting topic. It can be especially boring for people who are neither geeky nor tech-savvy. It’s easy for your message to be lost in complex jargon. While the program may appear thorough, it falls short of the objective if it isn’t driving employees toward adopting positive behavior that protects enterprise systems and data.
Find ways to make security awareness classes and messages exciting and relatable. Stories are an especially powerful technique for capturing audience imagination and pulling them into the conversation. They create an emotional connection that makes it easier for the reader or listener to remember. Story ideas could be quirky personal anecdotes, dramatic internal events, or eye-popping news headlines. You can never go wrong with injecting a little humor, but only as long as you do not overdo it.
4. Prepare employees for a data breach
There’s no certainty over when and where the next cyberattack targeting your organization will occur. A single attack could compromise millions of customer and employee records. In the aftermath, closing the loopholes and fixing the organization’s tattered reputation can gobble up sizable resources. It’s therefore prudent that you brace for a data breach beforehand.
Your awareness program must include a section that details what staff are required to do when they know or suspect a data breach has occurred. The response plan should seek to reduce reputational or financial damage, enhance stakeholder confidence, improve organizational structures, and enlist staff as assets in the fight. The security awareness program must include dry runs of a data breach where you test whether staff remember their role in responding to a breach.
5. Identify security awareness champions
Your organization may have an IT security team charged with overseeing the implementation of and compliance with the security awareness program. Still, this team cannot be everywhere. You can extend its reach by identifying and appointing IT security champions across the organization. They don’t have to be technical experts or have a background in IT. They should, however, be passionate about security and committed to modeling positive behavior.
Champions are closer to their departmental colleagues and would therefore be a relatable representative of an awareness campaign. They ensure that every key decision made in the department’s policies, procedures, and processes is consistent with the organization’s overarching IT security stance.
6. Bring along suppliers and vendors
Who can hack into a multinational bank’s IT systems? The complexity of defenses means few have the knowledge, time, or resources required to wage a persistent attack against such a formidable defense. Hackers soon realized that it was far easier to penetrate these defenses via a trusted third party. Suppliers, vendors, and partners proved to be the low-hanging fruit.
The massive hack of Target’s customer records in 2013 occurred via a vendor’s compromised credentials. Your vendors and suppliers may very well be your weakest link if they do not subscribe to the same robust security policies you do.
Identify the vendors that are high risk based on the sensitivity of the data and access they have. Conduct third-party risk assessments every one or two years for these vendors. The risk assessment should include an evaluation of their security awareness program. At a minimum, the program should cover roughly the same areas yours does, but the more, the better.
7. Review and modify the security awareness program regularly
The threat landscape is never static. New vulnerabilities and malware are unearthed each month. Hackers are constantly exploring ways of breaking through cyber-defenses. The components of enterprise technology evolve. Smartphones were only a small part of enterprise security a decade ago, but they are a big deal now.
So, awareness strategies that were effective five years ago may not necessarily work as well today. Your security awareness program must evolve in tandem with the changing nature of threats. There may also be changes in security and privacy regulations that require a shift in what your awareness program focuses on. The EU’s GDPR, for example, forced sweeping changes in organizations’ security policies.
Review both the threat landscape and staff readiness to identify gaps and weaknesses in the program. Change your awareness program to ensure your staff is regularly apprised of the things that will prevent cyberattacks. If your awareness plans fail to change with the times, you’ll eventually end up with employees who are an easy conduit for a major cyberattack.
Security awareness makes employees a security asset
Employees are often the weakest point in your security cordon. A well-thought-out IT security awareness program makes your staff an invaluable asset in the battle against internal and external attacks.