Security awareness isn’t just education, communications and training. It is cultural change and a movement that requires buy-in from the top down and the bottom up. It needs to be a credible program that people want to be a part of and learn from. It should be relatable, from a business perspective, but also from a personal perspective. It requires managing people, groups and projects and creating a plan to disseminate pertinent information to employees, who all need to understand that they are stakeholders when it comes to the security of the company and its people. It involves equipping your employees with the knowledge they need to spot the threats and take appropriate action that aligns with your company policies. And if it isn’t already, it should be a crucial component of any mature security program.
All too often, employees are told they are the weakest link, but they can also be a huge asset to any security team if they are given the right tools and trained properly. The old cookie-cutter approach of pushing one annual required training to employees, with a phishing test scattered here and there, just doesn’t cut it anymore. In order for your employees to play an integral role in securing the company, they need to be given the right tools, kept up to date and provided continuously, and they must feel enabled to make a positive impact. The best way to set the precedent for this is to give employees an understanding of the security program from day one by having security representation in the new hire orientation. This time can be used to cover security policies and common threat vectors that are seen at your organization, as well as to discuss the role employees will play in securing the company.
Associates should be made to feel like they are truly part of the program with open dialogue and discussion through various means. This can include both push and pull training such as articles, newsletters, screensavers, competitions, phishing tests, tabletops, emails and presentations throughout the year. Effective communication is ongoing and can be done through discussion boards with direct contact to the security subject matter experts. Make some, if not all, of the security team readily available to address employee questions and concerns through a mailbox that employees can write to directly. This will also give the security team good insight into the current threat landscape of the company as employees report suspicious activity and ask questions.
Test your employees with real-world threat scenarios. Employees are going to receive real phishing threats in their email inboxes, so why not test, in a controlled environment and through hands-on experience, how they would respond to a real malicious message? This in turn will keep employees on high alert once they realize that what they clicked was a test and could have had detrimental effects if it were real. And from a security awareness program perspective, you will gain measurable metrics that can be communicated to the security team, the company and even the board. You can even take it a step further and perform other social engineering tests in both logical and physical form.
Don’t just base your program around policies and requirements. Survey your audience and find out what their security concerns are, both at work and at home, and what they want to see and hear from the security team. A survey can also be used to gain metrics on the current security posture of the organization and on its progression year over year each time the survey is conducted. When employees see their areas of concern being addressed, you will capture their attention and can capitalize on their attentiveness.
Ensure that you consider your audience when creating security training content and tailor it appropriately. Some groups will have some background knowledge, while others won’t, and each training and communication should reflect that. Don’t assume all your employees aren’t technical, because if you take that approach you will lose the attention of those who are. And give your employees the ability to do something when they notice something suspicious by offering numerous reporting mechanisms and giving them the background knowledge necessary to make that determination.
Creating a culture of security-aware employees is a large task and can take a lot of time and resources. If at least one full-time employee cannot be dedicated to this, then a committee of security liaisons could be established to be the ambassadors for security through different sectors of the business. This helps create an even larger security network within the company, with active participants endorsing security on your behalf. Even with one or two dedicated full-time employees, it is truly a company effort with all hands on deck, with the security team playing a crucial leading role as specialized subject matter experts in their areas to help implement an impactful and lasting cultural transformation. There are only so many people who are employed as part of the security team, but it can be in the company’s best interest to turn every employee into a skilled security participant who can be leveraged to have more eyes and ears on the threats.
While security tools have always been considered a necessary part of a security program, it is also imperative that security awareness now be considered a requirement as well. Cultural change can be implemented by ensuring employees have enhanced protection and security through increased security awareness. Every employee should be prepared to play a role in securing themselves, their company and its assets from both a logical and physical security perspective. Security awareness is a crucial aspect, and enabling all employees and organizations in your company to work together will help to guarantee a sustainably successful security posture for your company.