When you hear the words “information security” or “cybersecurity”, firewalls, antivirus programs, and multi-factor authentication may likely come to mind. But what you might not immediately think about is the one major vulnerability that every security system has: people!
Obviously, people make mistakes. They can be manipulated or duped. And some don’t always have the best of intentions (think, disgruntled former employees ... or, perhaps more dangerous, disgruntled current employees!). Unfortunately, though, you can’t “patch” people the same way that we (should) patch our technology and systems.
So, what’s to be done? A significant protective factor for organizations is to implement a sound security awareness program. But what is security awareness, exactly?
It is formal and informal education and information about technology risks and how they might be exploited. It is formal, in that people are often required to take specific training sessions. It is also informal, because in addition to these mandatory training sessions, there should be continuous emphasis on security at senior staff meetings, through the employee review process, and via frequent reminders about the daily responsibilities that come with information security and cybersecurity vigilance.
Further, a well-designed security awareness program is a great way to inform personnel about any kind of malicious activity targeting an enterprise’s use of cyberspace. It is crucial that an organization’s staff be wary of common fraud schemes, especially those targeting them rather than the technical components of the infrastructure. Preparing staff to spot phishing, or other types of cyber scams, means providing a comprehensive program of training, policies, and procedural instructions that helps them recognize signs of misuse, report suspicious activity, and not fall prey to scam artists.
Much goes into designing, developing, and managing a sound security awareness program, but the 8 fundamental tips presented below are intended to help guide your thought process and implementation.
Tip #1 – Establish Security Policies
Strong security starts with policies – the rules that govern what’s safe and what isn’t. And a good security awareness program will leverage and build upon those policies. They should address all the security concerns and practices of your business, including how to encrypt emails, laptops, and mobile devices; authenticate a client; and shred documents. You’ll want to post policies where your staff has easy access. Plus, be sure to give your policies a quarterly or annual review to ensure that they remain relevant.
The devil is in the details, and information security is no different. Simple best practices can make a big difference in keeping your business and information safe. Consider including the following in your program:
- Require employees to change their passwords every 90 days.
- Set up a virtual private network for employees to access when working from home.
- Ensure that all business laptops, desktops, and servers have up-to-date anti-malware and anti-spyware software.
- Enforce a detailed smartphone policy that requires full-device encryption and passcodes and does not allow employees to store any business-related information on their phones.
- Apply software updates in a timely manner.
- Employ a system that automatically encrypts all outgoing emails and limit personal messages to employees’ private email accounts only.
- Keep a backup of all information on company devices.
- Have a process in place for employee termination that includes changing all passwords the employee may know and collecting all company property in his or her possession.
Keep in mind that the training you provide should reinforce the policies and best practices you’ve adopted. This will give your staff the reasons behind the practices they follow and give your security awareness program direction.
Tip #2 – Train and Train Again
To be effective, a training plan should address both onboarding training and continual reinforcement. That way, new hires will understand your firm’s security practices from the get-go, and seasoned employees will have the benefit of regular reinforcement of secure habits. Here are a few steps you might take to get started:
- Write down your goals and how you plan to achieve them.
- Create a calendar of when different phases of your training will take place.
- Share this information with your staff. This will demonstrate your commitment to starting and maintaining your security awareness program, and everyone will be on the same page!
Tip #3 – Fight the Phone Scams
It could be a client asking for an “urgent” wire transfer. It could be someone from Microsoft informing you that you need to “upgrade” your system. These seemingly legitimate requests tend to catch many people off guard.
Scam artists like these (aka social engineers) prey on human weakness. If your organization isn’t prepared for fraudulent phone scams, anyone who answers the phone could be the weak link that opens up your business to a breach.
To help defend against phone scams, integrate social engineering prevention into your phone training, or lead a role-playing training session where one person is the con artist and the other is on the receiving end of the call. Plenty of scripts can be found online.
On a related note, pay attention to what you’re downloading to your phone. Mobile malware is on the rise, and 99.9 percent of it is hosted on third-party app stores. It might be wise to have a smartphone strictly for business use or to have a policy in place preventing employees from storing any client information on their phones.
Tip #4 – Don’t Let Staff Take the Phishing Bait
You are probably aware that most cyber-attacks start with phishing (i.e., scam emails). Although there have been advances in spam filters and antivirus software, the most effective means of teaching your staff is to show them real-life examples.
Check your junk folder and share screenshots with staff (on Windows, hit the Print Screen button). Just be sure not to forward the actual email, as that increases the chances of someone clicking on a bad link! You could also turn a slideshow presentation into a game. Ask your staff to spot x number of warning signs – or which emails are real or fake. Small rewards can incentivize your staff, too!
Tip #5 – Supplement with Software
In recent years, various security education software programs have been developed that provide security training content (e.g., interactive games, presentations, and videos). Some programs also include simulated phishing tools, which allow you to generate fake phishing emails, send them to your staff, and then generate reports on who clicked and who didn’t. This data can help you get a baseline of your firm’s security awareness, and you can use it again later to evaluate if your training is effective.
Remember: Software cannot replace your plan. It helps provide content, but it’s up to you to make that content fit into your plan.
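To show what “getting a baseline” from simulated-phishing data looks like in practice, here is an added example that is not part of the original article and not the output of any particular vendor’s tool. It assumes the tool exports one row per recipient per campaign with opened/clicked/reported flags (the field names are an assumption), and the records below are constructed sample data. It computes campaign-level click and report rates, breaks them down by department so follow-up training can be targeted, measures the change between a baseline and a follow-up campaign, and lists users who clicked in both.

```python
"""Score simulated-phishing results to establish a baseline and measure training effect."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    """One recipient's outcome in one simulated-phishing campaign."""
    campaign: str
    user: str
    department: str
    opened: bool
    clicked: bool
    reported: bool


# Constructed sample export (not real data). The column set mirrors what
# simulated-phishing tools typically report; the exact field names are an assumption.
_RAW = [
    # campaign,   user,    dept,      opened, clicked, reported
    ("baseline", "alice", "finance", True,  True,  False),
    ("baseline", "bob",   "finance", True,  True,  False),
    ("baseline", "carol", "finance", True,  False, True),
    ("baseline", "dave",  "ops",     True,  True,  False),
    ("baseline", "erin",  "ops",     True,  True,  False),
    ("baseline", "frank", "ops",     True,  False, False),
    ("baseline", "judy",  "ops",     False, False, False),
    ("baseline", "grace", "sales",   True,  True,  False),
    ("baseline", "heidi", "sales",   True,  False, True),
    ("baseline", "ivan",  "sales",   False, False, False),
    ("followup", "alice", "finance", True,  False, True),
    ("followup", "bob",   "finance", True,  True,  False),
    ("followup", "carol", "finance", True,  False, True),
    ("followup", "dave",  "ops",     True,  False, True),
    ("followup", "erin",  "ops",     True,  True,  False),
    ("followup", "frank", "ops",     True,  False, True),
    ("followup", "judy",  "ops",     False, False, False),
    ("followup", "grace", "sales",   True,  False, True),
    ("followup", "heidi", "sales",   True,  False, True),
    ("followup", "ivan",  "sales",   False, False, False),
]
SAMPLE_RESULTS = [Result(*row) for row in _RAW]


def _rate(part, whole):
    """Ratio rounded to three places; 0.0 when nothing was sent (avoids ZeroDivisionError)."""
    return round(part / whole, 3) if whole else 0.0


def campaign_metrics(results, campaign):
    """Open, click and report rates for one campaign.

    A click counts even if the user later reported the message: the exposure
    happens at the click, and the report is tracked separately as a positive.
    """
    rows = [r for r in results if r.campaign == campaign]
    sent = len(rows)
    return {
        "sent": sent,
        "open_rate": _rate(sum(r.opened for r in rows), sent),
        "click_rate": _rate(sum(r.clicked for r in rows), sent),
        "report_rate": _rate(sum(r.reported for r in rows), sent),
    }


def by_department(results, campaign):
    """Same metrics broken down per department, to target follow-up training."""
    groups = defaultdict(list)
    for r in results:
        if r.campaign == campaign:
            groups[r.department].append(r)
    return {dept: campaign_metrics(rows, campaign) for dept, rows in groups.items()}


def training_effect(results, baseline, followup):
    """Change in rates between two campaigns (a negative click delta is the goal)."""
    before = campaign_metrics(results, baseline)
    after = campaign_metrics(results, followup)
    return {
        "click_rate_delta": round(after["click_rate"] - before["click_rate"], 3),
        "report_rate_delta": round(after["report_rate"] - before["report_rate"], 3),
    }


def repeat_clickers(results, campaigns):
    """Users who clicked in every listed campaign: candidates for one-on-one coaching."""
    clicked_in = {
        c: {r.user for r in results if r.campaign == c and r.clicked} for c in campaigns
    }
    common = set.intersection(*clicked_in.values()) if clicked_in else set()
    return sorted(common)


if __name__ == "__main__":
    print("baseline:", campaign_metrics(SAMPLE_RESULTS, "baseline"))
    print("by dept :", by_department(SAMPLE_RESULTS, "baseline"))
    print("effect  :", training_effect(SAMPLE_RESULTS, "baseline", "followup"))
    print("repeat  :", repeat_clickers(SAMPLE_RESULTS, ["baseline", "followup"]))
```

The report rate is tracked as its own number rather than folded into the click rate on purpose: a rising report rate is the clearest sign that training is working, and a user who reports is worth more to you than one who merely ignores the message. Run the comparison on the same population each time so that the delta reflects training, not a change in who was sent the test.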
Tip #6 – Stay Informed
These days, it’s not hard to find information security news. An RSS feed is a great tool for aggregating various security news sources. When you see something that relates to your practice ... whether it’s about software your firm uses or the smartphone a staff member has ... share it (although, be sure that staff recognize your sharing, and don’t suspect that it is spam or a phishing attempt). You could also compile any major headlines into a monthly or quarterly newsletter. It may start a conversation or alert staff to something they didn’t know. Either way, it will help keep security top of mind without interrupting their workday.
Tip #7 – Be Creative, Not Scary
A technical treatise on encryption isn’t going to make an impact, but a funny, one-sentence poster by the coffee machine might. Keep these pointers in mind:
- Think about ways to make training interactive and engaging.
- Think outside the box.
- Try what hasn’t been tried before—because that’s exactly the kind of thing people are going to remember.
It’s important to know that you’ll likely come across “shock value” material when researching content for your program. Remember, security awareness is not about paranoia. It’s about adopting secure habits so that dealing with these threats becomes second nature. Your tone can make or break your message. Keep it light, informational, and fun.
Tip #8 – Less Is More
The last thing you want to do is create “noise” that your staff hears but doesn’t listen to. For example, if you follow Tip #6, don’t share an article every day. Shoot for weekly or monthly ... and share only topics that would concern your staff personally.
In a nutshell, the most effective security solution is training. You want your staff to recognize attacks and make the right decisions, but you don’t want to give them so much information that you overwhelm them. By applying the recommendations, insights, and tips discussed above, you’ll be on your way to creating and maintaining a steady and effective security awareness program.
Additionally, a security awareness training program is an essential part of the organization’s risk reduction effort. This will require clear connections between cybersecurity training and the business goals that it supports. It’s vital to remember that security in the workplace is everyone’s responsibility! Training programs should stress how individual employees can influence the overall security environment at an organization. Through this security awareness training, company leaders can help foster a workplace culture that is security literate and helps ensure organization-wide security.
Remember, habits drive security culture, and there are no technologies that will ever make up for poor security culture. Awareness programs, when properly executed, provide knowledge that instills good behavior. While most security professionals believe that good security behavior is a matter of common sense, the reality is that common sense is based upon common knowledge that needs to be made even more common.
AUTHOR: Wade Richmond is the founder and CEO of CISO ToGo, a cybersecurity firm specializing in the needs of small and medium-sized businesses. Wade has 33 years of experience in IT, including Chief Information Security Officer roles for such large enterprises as BJ’s Wholesale Clubs, Ahold USA, Sensata Technologies, GTECH Corporation, Citizens Financial Group and CVS Pharmacies. In these positions, he has been responsible for providing leadership and direction to all cybersecurity and IT risk efforts associated with information technology applications, communications and computing services. To find out more information, please visit www.CISO-ToGo.com.