Oops! That’s the word infosec pros don’t want to hear from an organization’s staff. But after years of warnings, pleas, posters, online training, video training and email reminders, they’re hearing it more often than ever.
Employees are still clicking where they shouldn’t, using unsafe passwords, re-using passwords or uploading sensitive data to cloud storage sites.
And if that isn’t enough sometimes IT staff who should know better wrongly configure something.
So with today marking the start of the annual Cyber Awareness Month, it’s more important than ever that information security professionals look hard at what’s not working in their organizations: Are they doing too much awareness training, too little or going about it the wrong way.
For one industry analyst, the evidence is clear: “Canadians are not training their employees nearly to the extent they should be,” says David Senf, founder Cyverity, a cyber security research and consulting firm, and former IDC Canada analyst.
Experts say to be effective messages about cyber security awareness have to be delivered in some way at least once a quarter. But if a survey of 200 companies this year conducted by Cyverity is representative, nearly seven out of 10 (68 per cent) Canadian organizations only train one-quarter of their employees about cyber security tools and best practices on an annual basis. Only one out of 10 (11 per cent ) organizations train the majority of their staff annually.
In a survey released earlier this year by solutions provider Scalar Decisions, Only 26 per cent of the 421 IT security and risk and compliance professionals questioned said their organization has formal training showing staff how to identify attacks such as phishing.
Experts also say messaging has to be varied to avoid employees getting bored. So mix up staff meetings on awareness with quick videos on the company intranet, posters, keychains and prizes for passing tests.
But, Senf adds, “it’s not just about ‘Go take some training’, or ‘Use the password management tool,’ but being able to work with them to improve competence. And think about their commitment level to security.
“Even when training is given, it needs to be tracked and followed over time to understand where they [staff] are at.” The tracking doesn’t have to be in spreadsheets, he adds, but managers should have at least a rough idea of their employees’ knowledge – including whether they understand what sensitive data is.
Four types of employees
He figures there are four types of employees: Enthusiasts, Egoists (high competency to help an organization and be more secure and will use the right tools), Denialists and Defeatists. Enthusiasts want to do the right thing. If they receive the right training and the organization has useful security tools then they are unlikely to become Defeatists. Senf said. Denialists have had training but their commitment is low or has dropped off because the security-related processes are too hard.
For staff who have the security competency but not the commitment, he said, it’s the responsibility of senior management to push: ‘We need you do to this, and here’s why.’
The burden shouldn’t be on the security team’s shoulders, he adds. “Today if you ask an audience who are the security pros, everyone should be raising their hands – it should be developers, end users, in addition to the traditional security pro. It’s getting everyone on board with that.”
“When you think about what differentiates an organization that suffers fewer breaches from others … one of the key variables is leadership. What leadership does is establish a culture, which creates that commitment level [to security], that desire to be more competent.”
Senf also said infosec pros also have to make sure they don’t contribute to security problems by choosing products with poor usability.
Make it fun
He offers one more tip: Make awareness training fun. That’s what a Canadian insurance company he won’t name has done. “It was all about culture and trying to get people excited” about cyber security. Gimmicks include the awareness team periodically walking around the office with funny hats or goofy clothes and giving advice: Here’s how to use this software, here’s some password advice.
“By doing that they’re embedding themselves with the average employee, getting out their cubes and being a force, a presence with their fellow employees.”
Often, employees are literally distant from the security or support team, Senf said – “on the other side of the wire,” is his term – and they seem less aware of the frustration level of the average employee.
Making awareness fun in this case wasn’t about technology, he concluded, but about people.
Finally, experts agree there are many things CISOs can do to reduce the consequences of employees making mistakes. First among them is identity and access control, including the use of two-factor authentication. Second is applying software security patches as soon as possible.
(Throughout the month IT World Canada will feature articles on how to raise security awareness.)