Improving employees’ cybersecurity awareness often hinges on communicating those initiatives into risks they understand.

Keeping Employees Cyber-Aware Keeps the Enterprise Cyber-Secure

Charles Gaughf, CIO for (ISC)2, uses his background in communications to connect cybersecurity risk with employees’ personal concerns. He uses demonstrations of how easily hackers can find personal data online to gain employees’ buy-in and show them clues of how to spot a potential vulnerability or phishing attempt. *Photo courtesy of Charles Gaughf*

March 1, 2017

2 Comments

There’s a C- on your report card, but you’re not alone: The 2017 Global Cybersecurity Assurance Report Card found that the world’s information security practitioners gave global cybersecurity readiness an overall score of 70 percent – a six-point drop over 2016. What’s causing this lack of confidence? IT security practitioners cited the overwhelming cyber threat environment, a lack of visibility into the network (impacted by BYOD or shadow IT), and low security awareness among employees as the top three challenges facing them today.

While the average CISO or CSO may not be able to drastically reduce the cyber threat environment facing the enterprise, he or she can make a big difference when it comes to educating employees and getting buy-in from the ground up.

According to Charles Gaughf, CIO for cybersecurity education non-profit (ISC)2, the key to improving cybersecurity awareness is to be persistent, pointed and connected to the audience. He suggests implementing phishing tests, demonstrating how easy it is for a bad actor to gain access to personal or company files over an unsecure WiFi connection like in a café, or participating in an information-gathering exercise against an employee to demonstrate how much personal information is publicly available and how it can be used to craft a phishing campaign.

“You have to apply cybersecurity education to how it affects them personally,” Gaughf says. “And this ties back to home and personal security as well as corporate security.”

It’s important, however, to ensure that any educational campaigns are about awareness and improvement, not about shame, he says. Phishing tests or penetration testing results shouldn’t be used to condemn one employee or another, but to improve communication about cybersecurity standards and protocols.

There’s also a generational issue around getting buy-in that requires specific attention. Gaughf says that for Millennials (employees in the 18-34 age range) their whole lives have been online, and much of their information is, too. Gaughf works to show them the value of privacy for certain information, and how easy it is to find information about them online to help curb the tendency to overshare. For seniors, another oft-targeted group, Gaughf recommends tailoring education around their concerns and going to them for input about where they need additional information, such as around threats and scams on online dating services.

The need for a proactive cybersecurity awareness campaign is growing, especially as workforces become more mobile and more third-parties hold influence within the enterprise. Passive awareness programs like posters or email campaigns alone are not always the most effective tactic anymore.

According to Stephen Fridakis, VP of Media and Tech Ops for cable TV company HBO, cybersecurity education should make employees and third-party partners understand their responsibilities. At HBO, training should cover the following three features:

Protocols and Permissions: “People want to be compliant,” Fridakis says. “This helps to clear up those questions.”
Risk and Consequences: “If any information is compromised, it hurts all of us. Every new show takes a little blood, sweat and tears from all of us,” he adds. Connecting cyber risk and certain behaviors to the threats and liability for new shows or creative products hits home for employees.
Personal Security: Fridakis hopes that employees take good cybersecurity hygiene home with them, and that it becomes an ingrained thought process.

To accomplish this, HBO is working with LearnBIG to develop and implement interactive cybersecurity education modules and videos for both employees and third-parties (including directors, producers, actors and other contractors).

“True to HBO style, we have multiple ‘episodes’ of learning modules, and the campaign will be released over a year, and will be accompanied by posters in English and Spanish and an eBook,” Fridakis says. “It’s not a certification-driven campaign; it’s not pass-fail. We want awareness and repeat views. We added quizzes and messaging to reinforce each topic.”

Some modules, such as password management or phishing threats, could be used straight out of the box, but others were customized for HBO’s specific risks and needs, such as a module on working outside the office (on location, working from home or from a satellite office), adding emphasis on mobile device use to the “protecting your device” module, and extending the privacy module to cover international regulations and risks.

According to Michelle Dennedy, VP and Chief Privacy Officer for Cisco, getting buy-in and understanding can easily start with encouraging employees and leadership to think of data as currency.

According to IBM Security and the Ponemon Institute’s 2016 Cost of Data Breach Study, the average cost per record breached is $158. Consider then, if the location and security of hundreds or thousands of $158 records are unknown, what the liability is to the enterprise, Dennedy says. Records need to be accounted for just as much as money, especially when a data breach or security flaw can impact the price sensitivity in an acquisition market or the value of your brand, not the mention the costs of recovery, she adds.

To really hit home with executives in other departments, Dennedy suggests that security leaders take a consultative approach: what are they looking to accomplish? By breaking down the objectives and obstacles, CISOs and CSOs can determine where they can best help with technology and with culture-changes (such as building awareness about password sharing risks or clean desk policies).

For less cyber-savvy organizations, Gaughf recommends that security leaders remain persistent and open to partnerships with other departments. Use breadcrumbs – bite-sized pieces of information, five-minute security briefings in monthly meetings, posters or short email alerts – to slowly but surely build up a reputation of education. Partner with branding and communications teams to help sell cybersecurity to employees (“It can’t be a boring pitch. You don’t want to look like the Internet police,” Gaughf says). All in all, find buy-in where you can, he adds, and leverage those partners to improve cybersecurity awareness and hygiene wherever possible.

So how do you measure the success of your awareness program? While security leaders can gain hard metrics into the number of people who have watched any given training module or tracking a downtick in phishing test failures, the best metrics can come in personal investment.

“Investment in sophisticated technology and monitoring can be ruined by people’s actions.”

“I know I have buy-in by seeing how often people come to me about suspicious emails, security questions or to request a contractor security assessment,” says Gaughf.

At HBO, Fridakis evaluates feedback and comments, but he too looks for changes in behavior: a reduction in successful social engineering attempts or an uptick in queries about suspicious emails.

“Investment in sophisticated technology and monitoring can be ruined by people’s actions,” says Fridakis. Therein is the long-term benefit of cybersecurity awareness training: It demystifies security and helps employees know their obligations and expectations so that they help maintain a strong perimeter around enterprise data instead of weakening it.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 October

This month in Security magazine, we explore how Corning's global security group ensured business continuity and employee safety during the global COVID-19 pandemic. Also, we highlight the global security team at Uber and their recent security programs and initiatives. Industry experts discuss travel safety programs, career hackers, working for terrible bosses, group attribution error and more.

View More Create Account

Keeping Employees Cyber-Aware Keeps the Enterprise Cyber-Secure

Improving employees’ cybersecurity awareness often hinges on communicating those initiatives into risks they understand.

Related Articles

Report Abusive Comment