This post was originally published here by (ISC)² Management.
One of the toughest challenges of cybersecurity is to raise awareness among users. Technology solutions are instrumental in achieving a solid security posture, but they only get you so far. There’s always the risk a user will make a split-second bad decision and open the door to attack.
User awareness was the topic of a recent (ISC)² webcast, Delivering Security Awareness that Works. Participants shared their experiences in modifying user behavior and the challenges they face on a daily basis to save users from their own potentially harmful actions.
One theme quickly emerged: Cybersecurity teams must be on their toes. Users pose different levels of risk, so cyber pros have to figure out who’s most vulnerable based on various factors, such as behavior, job responsibilities, location and timing. Understanding risk propensity makes it possible to quantify risk and determine what resources are needed.
Sometimes, panelists agreed, risk originates in unlikely places. A common phenomenon involves IT workers who don’t think they are as vulnerable to cyber threats because of their work. They don’t take all the necessary precautions and end up contributing to the problem. The same occurs with high-level executives, who feel immune to threats because of their positions.
In such situations, users have to be shown the potential consequences of their actions so they understand they aren’t immune to cyber threats.
Suggestions on how to improve security awareness were plentiful during the webcast, both from panelists and audience members. The primary goal of awareness is to prevent cyber attacks, but it requires a lot of effort to modify user behaviors.
It isn’t enough to just force people to attend training sessions once a year. Raising awareness requires engaging users on an ongoing basis so they become conditioned to new behaviors. Among the ideas discussed were short instructional videos of no more than three minutes, phishing simulations, games and searchable libraries that make it easy for users to find the information they need.
There was a suggestion to get personal. Don’t underestimate the power of “me” in raising security awareness. Rather than focusing overly on protecting the organization, demonstrate to users the consequences of a bad decision – to themselves, their own hard work and ultimately, the company. Raising awareness at a personal level makes it easier to understand what’s at stake.
Panelists also suggested using humor and the “repetition is learning” approach. Keep reminding users of safe computing practices. For instance, every time users get a password reset request, include a reminder of what makes a strong password. In another example, one company handed out stickies printed with the message, “don’t write your password on this.”
Panelists and audience members also discussed rewarding users for good security practices. One company had the “Red Stapler Security Award,” given monthly to an employee outside the security team for security-related actions. The award included a Swingline red stapler and lunch with the CISO.
To hear the complete webcast and pick up some valuable pointers on raising security awareness, click here.