Security awareness campaigns could save your business


By Andrew Collins
Monday, 31 August, 2015


Security awareness campaigns could save your business

Developing a culture of security awareness is key to protecting your enterprise against data breaches and economic loss.

You can spend all the money in the world on security technologies, but it won’t make much of a difference if your staff don’t follow security protocols. The daily news provides a continual stream of examples of security or data breaches, and in many cases these breaches have occurred because staff don’t know what best security practices are, or simply aren’t following those practices.

In a research note titled ‘Security awareness campaigns — Engagement is the magic sauce’, IBRS analyst James Turner writes that the impact of hacking attacks against Sony and Target has prompted a renewed focus on cybersecurity at the board level across Australia and New Zealand.

“More enlightened boards recognise that their people are their best or worst line of defence, depending on how well trained and resourced these people are. Leading CISOs consider that the most significant threat to their organisation can be their own staff — not necessarily through malice, but in making mistakes and/or breaking process,” Turner wrote.

“As a matter of governance, executives should ensure that staff are adequately trained and resourced to exercise their responsibilities,” he continued.

So how do you educate your users on avoiding information security breaches — whether it be defending against social engineering/targeted hacks, avoiding accidental data leaks (leaving something on a public FTP or losing a USB key somewhere) or just steering clear of stray malware?

A security awareness campaign may be the answer. As Turner explained, “A security awareness campaign is an attempt to change organisational culture. An awareness campaign is intended to change the thoughts of an individual, and the change in attitude ideally results in changed behaviour. This changed behaviour is then supposed to permeate the organisation and become part of ‘the way we do things around here’.”

Training

Educating people about security — and, importantly, making sure that those ideas stick — is an involved process.

Ian Trump, Security Lead at ITSM vendor LogicNow, said there are “lots of really interesting ways to approach staff security awareness”.

“It’s easy to find something provocative to educate and entertain staff about security — such as a recent security news story that’s got everyone talking. There should be emphasis on the dangers from email attachments and clicking on sketchy web links, as more than 90% of attacks today are via the web and email. The best defence against ransomware is ensuring employees are security aware,” he said.

Adam Dodds, research director, IT services and cloud, IDC New Zealand and Australia, said that the key to security awareness education is to take a “programmatic approach”.

“One training session does not make a lot of difference to people’s behaviour,” he said.

Dodds suggests a training program that relates security awareness in the workplace to security awareness at home.

“To drive the best engagement with employees, any programs that are focused on raising individual or home security works best. I have seen 85-90% attendance for these sessions, as it is an area where people have low/no awareness. The argument being that unless you can protect yourself at home then it is hard to drive relevance in their working life.”

In such a program, you weave in the importance of the difference between home and work identity, Dodds said. “Then comes role play scenarios where by employees are able to see the impact of poor security and what happens next.

“Finally, engaging employees in setting business-level policy is important. Talking about where the risks lie and then subsequently developing processes for dealing with those scenarios in working groups creates a connection of understanding the risk in business terms (eg, IP risk, financial risk, health and safety risk, etc) and technology brings the IT department closer to the organisation,” he said.

Haiyan Song, senior vice president, security markets, at machine data search vendor Splunk, said that the best way to educate staff will differ by industry, company, roles and how people interact with IT.

“There are many different types of training vehicles today (eg, video, online courses, email blast, mandated/compliance programs) and even cybersecurity drills/war games, which can deliver this information to staff effectively. Regardless of which delivery mechanism you choose, key is having a ‘knowledge check’ section at the end of each module to validate their understanding.

“This will enable training to be aligned to different threat scenarios while ensuring the student is concentrating on the materials.  Successfully passing this routine training should also ideally form part of their KPIs,” Song said.

According to Turner, changing culture requires executive commitment.

“The psychological field of organisational behaviour holds that any change in corporate culture/behaviour needs to start at the top of the organisation, and be visibly and consistently demonstrated, if it has any hope of widespread adoption. This means the role of the security executive is to influence the organisation’s executives to come around to the point where they are accepting, and committed to, changes in their own behaviour.

“The attempt to change the culture will not last if there is a perception that there’s ‘one rule for them, and one for the rest of us’,” Turner said.

Motivation

But training staff is only part of the picture. If you successfully educate employees on what they should be doing, but they don’t have any motivation to follow policy, then educating them has been for naught.

As Turner explained, “Employee engagement is a critical aspect to an awareness campaign, because strongly disengaged employees can be looking for ways to thwart their employer.”

He suggests you collaborate with your human resources department, to understand the engagement level of staff with the organisation.

“If engagement is low, this will need to be addressed before a security awareness campaign will deliver changed behaviour,” Turner said.

As for how to provide motivation, the experts recommend a range of measures, including offering extrinsic rewards.

Trump says that rewarding positive behaviour is key, whether that be with “a coffee or some sort of monthly, or weekly, prize”.

“Security Star programs for identifying issues or doing the right thing should really help to get the message across. Security is great because everyone can participate, not just technical people. Find a cabinet with confidential information and lock it up — Security Star. Identify an email with confidential information in it that should not have been sent — Security Star.”

But while he recommends rewards for compliance, he warns against punishing failure. “Security is about learning and helping employees, and shouldn’t be about punishment. Punishment just builds resentment.”

Dodds also noted the use of extrinsic rewards for compliance. “Organisations are establishing rewards programs for employees querying situations that they encounter.”

These queries could cover, for example, concerns about potentially risky emails or USB sticks containing confidential company information.

“The rewards can be as simple as chocolate through to departmental recognition.”

Dodds also recommends asking employees to place a value on company data that could potentially be lost or leaked, in an effort to get them to understand the potential consequences of non-compliance with policy.

“If employees at all levels are compelled to create a value for information with regards to the project or initiative that they are undertaking, then this provides a frame of reference for the risk (and therefore the attention or investment required) associated.”

Dodds suggests asking your employees one of the following questions:

  • What would value of the data be if it were sold?
  • What would the impact be if it were lost — could the organisation operate?
  • What would the impact be if the competition had this information?
  • What does the employee estimate the value of the information to be?

Random social engineering email tests can be a very effective motivator, according to Song.

“This is where trusted staff members send out tailored emails to employees to tempt them to click on a link or download an attachment. If the employee falls victim, they are redirected to a webpage outlining what they did wrong and how to remediate it in the future.

“Overarching statistics of these efforts are then provided to the entire company on a quarterly basis to highlight policy violations and motivate future adherence to what is learned in training.”

Song also says that “constant vigilance” is very important for motivating staff to follow best practices. “Good awareness of the danger and threats help keep the vigilance high.

“At Splunk we share monthly Situation Reports (latest breach news, techniques involves, impacts). Annually, I bring lots of engineers from our team to DefCon to listen to the latest stories of hacking, social engineering, new exploits, etc. This helps keep the level of paranoia at a healthy level for us,” Song said.

Measuring success

Once you’ve educated employees on security best practices, and established some mechanisms to motivate them to follow these policies, it’s important to track the success of your security awareness campaign. Otherwise, you’ll have no real way of knowing whether the training has stuck.

One method of judging success is to keep an eye on employee behaviour and attitudes towards security. Kieran O’Shaughnessy, managing director Asia Pacific at mobile content platform vendor Accellion, said: “If employees are actively seeking out secure solutions and displaying care around security risks, it is a positive sign of policy enforcement and adoption.”

Along similar lines, Dodds says one soft metric for successful training that he’s seen used is the “number of employees that have raised a question or concern regarding something security orientated”.

He also notes that both quantitative and qualitative measures are important as part of an employee survey program. “As the HR program seeks to become more granular in their engagement with staff, the simple question of asking about whether they consider the business secure or the information within the business provides a framework to work with alongside a robust education program,” Dodds said.

He says that scenario or penetration testing is a “great mechanism for measuring success”.

“This allows for an independent reference of the organisation as a whole.”

The specific topics of your security awareness campaign can determine the method you choose for judging success. Song explained: “If the education campaign is around social engineering and phishing, where the goal is to lower the amount of clicks/downloads on malicious emails and decrease the risk of a threat actor gaining access to a network, regularly run phishing tests before and after the campaign. Success comes where the click-throughs or downloads decrease. If the number of people clicking through on these regular tests starts increasing, kick-start refresher programs.”

If your education campaign was about using complex passwords, “report back to the organisation or specific teams on the percentage of passwords that meets the standards”, Song said.

According to Trump, security audits are a great opportunity to see if processes and policies are being followed.

“You will find out if people are effectively helping each other to be secure. In many cases technical controls are only a small part of preventing unauthorised disclosure. Find an employee that works late and has flexi hours and make it their duty to put anything left on a printer in the shredder bin. Again, this is about saving the organisation, not putting someone under a bus for leaving documents on a printer. Security should be approached with a continuous improvement philosophy,” he said.

Keeping it running

Once you’ve educated your staff, and motivated them to follow the rules, how do you prevent them from becoming lax?

Accellion’s O’Shaughnessy says that to keep security at the top of employees’ minds, organisations must “[keep] staff aware of the latest security risks and offering guidance, including follow-on trainings on how to best avoid risky behaviour”.

IDC analyst Dodds emphasises that the best mechanism for education is to “train the trainer”.

“The staff that are educated should be encouraged to be the educators of tomorrow. Doing so changes the way in which the program is presented and becomes more personal and business orientated,” he said.

Song suggests that testing — on top of training — is an effective strategy.

“Continuous training and testing is the most effective way to avoid any lax behaviour creeping back in. Modifying the threat scenarios helps keep people on their toes and preventing any complacency.”

Image courtesy of American Advisors Group under CC

Related Articles

Nation-state actors have their sights on the cloud

Prioritising the protection of credentials and adopting robust security measures can better...

Combating financial crime with AI

Rapid digital transformation across Australia and New Zealand has provided cybercriminals with...

Learning from the LockBit takedown

An international taskforce has seized the darknet sites run by LockBit, but relying on law...


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd