In discussing the best approach to take for the programme at an information security and awareness programme for the U.S. Secret Service it became clear that we needed to change behaviour, rather than just aim to meet a requirement. So how do you change behaviour?
In a room full of information security professionals, you would undoubtedly find one unifying opinion; that end users are the most common security vulnerability. It might seem like a cliché, but an organisation is only as strong as its weakest link. Cybercriminals are well aware of this and regularly take advantage of the human element.
Approaching users, the right way
Despite years of education, end users still download questionable email attachments and click hyperlinks without paying attention. Attackers have known for a long time that user behaviour is a vulnerability.
Hackers are creative and persistent so it’s no wonder they are able to pull of impressive social engineering tactics. Almost all of the well-known corporate and government intrusions over the last few years have either had social engineering at the heart or as a contributing factor.
Most recently, a Google Docs attack used phishing tactics to gain access to users’ email accounts before forwarding itself to other users.
The point remains, it’s about changing behaviour rather than meeting a requirement. Any half-hearted approach to educating users will have poor results. And yet, many organisations are still choosing to approach security with a check box mentality.
It’s all too easy to post a boring information security course on an internal system. That’s the box ticked, but it’s unlikely to be truly effective. Like any skill, regular training is needed to keep staff up to date on the latest threats.
Persistence is key
With an ever changing cyber security landscape it can be difficult to decide how often users should receive training. Don’t schedule training annually, instead be prepared to offer regular updates as new security advisories are announced.
Think about the best way to distribute this information to users and provide constant information, reminders and recommendations.
Keep it relevant
Different users will have different requirements, be sure to recognise the different demographics that might pose unique risks to the organisation. It’s all too easy to focus on role-based training, regular users vs. privileged users.
Think instead of varying user needs and arrange training accordingly. Mobile workers, senior executives and IT administrators will all have different requirements.
All training is made more effective when the user knows exactly why they are doing it. Every user in your organisation needs to be aware of their role in security, make hem understand how vital they are.
When building a course keep in mind the end user, some of the most effective training will also take into account how security can affect their home life as well as their work one.
Strengthening the weakest link
Every chief information officer and chief information security officer should reflect on this question: How much time and effort should be devoted to training and educating users?
An average employee works more than 1,700 hours per year. It is well worth the investment to devote a few of those hours to cybersecurity awareness.
Ultimately, people can be an organisation’s strongest asset, or weakest link. This is a sliding scale that we completely control, and the quality of your information security training and awareness programme —
combined with a holistic approach to cyber security, including the right policies, tools, and technology—will determine your placement on the spectrum.
Sourced by David Smith, CISO, Nuix
The UK’s largest conference for tech leadership, TechLeaders Summit, returns on 14 September with 40+ top execs signed up to speak about the challenges and opportunities surrounding the most disruptive innovations facing the enterprise today. Secure your place at this prestigious summit by registering here