There’s a C- on your report card, but you’re not alone: The 2017 Global Cybersecurity Assurance Report Card found that the world’s information security practitioners gave global cybersecurity readiness an overall score of 70 percent – a six-point drop over 2016. What’s causing this lack of confidence? IT security practitioners cited the overwhelming cyber threat environment, a lack of visibility into the network (impacted by BYOD or shadow IT), and low security awareness among employees as the top three challenges facing them today.
While the average CISO or CSO may not be able to drastically reduce the cyber threat environment facing the enterprise, he or she can make a big difference when it comes to educating employees and getting buy-in from the ground up.
According to Charles Gaughf, CIO for cybersecurity education non-profit (ISC)2, the key to improving cybersecurity awareness is to be persistent, pointed and connected to the audience. He suggests implementing phishing tests, demonstrating how easy it is for a bad actor to gain access to personal or company files over an unsecured WiFi connection like the one in a café, or running an information-gathering exercise against an employee to demonstrate how much personal information is publicly available and how it can be used to craft a phishing campaign.
“You have to apply cybersecurity education to how it affects them personally,” Gaughf says. “And this ties back to home and personal security as well as corporate security.”
It’s important, however, to ensure that any educational campaigns are about awareness and improvement, not about shame, he says. Phishing tests or penetration testing results shouldn’t be used to condemn one employee or another, but to improve communication about cybersecurity standards and protocols.
There’s also a generational issue around getting buy-in that requires specific attention. Gaughf says that Millennials (employees in the 18-34 age range) have lived their whole lives online, and much of their information is online, too. Gaughf works to show them the value of keeping certain information private, and how easy it is to find information about them online, to help curb the tendency to overshare. For seniors, another oft-targeted group, Gaughf recommends tailoring education around their concerns and going to them for input about where they need additional information, such as around threats and scams on online dating services.
The need for a proactive cybersecurity awareness campaign is growing, especially as workforces become more mobile and more third parties hold influence within the enterprise. Passive awareness programs like posters or email campaigns alone are no longer always the most effective tactic.
According to Stephen Fridakis, VP of Media and Tech Ops for cable TV company HBO, cybersecurity education should make employees and third-party partners understand their responsibilities. At HBO, training should cover the following three features:
Protocols and Permissions: “People want to be compliant,” Fridakis says. “This helps to clear up those questions.”
Risk and Consequences: “If any information is compromised, it hurts all of us. Every new show takes a little blood, sweat and tears from all of us,” he adds. Connecting cyber risk and certain behaviors to the threats and liability for new shows or creative products hits home for employees.
Personal Security: Fridakis hopes that employees take good cybersecurity hygiene home with them, and that it becomes an ingrained thought process.
To accomplish this, HBO is working with LearnBIG to develop and implement interactive cybersecurity education modules and videos for both employees and third parties (including directors, producers, actors and other contractors).
“True to HBO style, we have multiple ‘episodes’ of learning modules, and the campaign will be released over a year, and will be accompanied by posters in English and Spanish and an eBook,” Fridakis says. “It’s not a certification-driven campaign; it’s not pass-fail. We want awareness and repeat views. We added quizzes and messaging to reinforce each topic.”
Some modules, such as password management or phishing threats, could be used straight out of the box, but others were customized for HBO’s specific risks and needs, such as a module on working outside the office (on location, working from home or from a satellite office), adding emphasis on mobile device use to the “protecting your device” module, and extending the privacy module to cover international regulations and risks.
According to Michelle Dennedy, VP and Chief Privacy Officer for Cisco, getting buy-in and understanding can easily start with encouraging employees and leadership to think of data as currency.
According to IBM Security and the Ponemon Institute’s 2016 Cost of Data Breach Study, the average cost per record breached is $158. Consider then, if the location and security of hundreds or thousands of $158 records are unknown, what the liability is to the enterprise, Dennedy says. Records need to be accounted for just as much as money, especially when a data breach or security flaw can impact the price sensitivity in an acquisition market or the value of your brand, not to mention the costs of recovery, she adds.
To really hit home with executives in other departments, Dennedy suggests that security leaders take a consultative approach: what are they looking to accomplish? By breaking down the objectives and obstacles, CISOs and CSOs can determine where they can best help with technology and with culture changes (such as building awareness about password sharing risks or clean desk policies).
For less cyber-savvy organizations, Gaughf recommends that security leaders remain persistent and open to partnerships with other departments. Use breadcrumbs – bite-sized pieces of information, five-minute security briefings in monthly meetings, posters or short email alerts – to slowly but surely build up a reputation of education. Partner with branding and communications teams to help sell cybersecurity to employees (“It can’t be a boring pitch. You don’t want to look like the Internet police,” Gaughf says). All in all, find buy-in where you can, he adds, and leverage those partners to improve cybersecurity awareness and hygiene wherever possible.
So how do you measure the success of your awareness program? While security leaders can gather hard metrics, such as the number of people who have watched any given training module or a downtick in phishing test failures, the best metrics can come from personal investment.
“I know I have buy-in by seeing how often people come to me about suspicious emails, security questions or to request a contractor security assessment,” says Gaughf.
At HBO, Fridakis evaluates feedback and comments, but he too looks for changes in behavior: a reduction in successful social engineering attempts or an uptick in queries about suspicious emails.
“Investment in sophisticated technology and monitoring can be ruined by people’s actions,” says Fridakis. Therein is the long-term benefit of cybersecurity awareness training: It demystifies security and helps employees know their obligations and expectations so that they help maintain a strong perimeter around enterprise data instead of weakening it.