Making sure your employees are following best computer security practices and company policies is a daunting task.
As Cyber Security Awareness Month draws to a close we talked to a number of experts about what they’ve learned. Here are their tips:
Terry Cutler, vice-president of cyber at Montreal-based Sirco Group, a corporate computer and physical security investigation service. He’s also the creator of the Internet Safety University, a subscription video service for businesses and individuals.
“The first thing to emphasize [to a CISO] is no matter how much technology you throw into an environment it takes human error for viruses to get through.” That’s why educating staff is so important. “If people understand and appreciate the dangers and the risk associated with mismanaging information, then the exposure becomes measurably reduced. So it’s important they be familiar with some of these dangers so they take it more seriously.”
Organizations make four big mistakes, he says:
– Not mandating staff to take awareness training. Too many organizations are “putting [training] videos out and hoping users will watch them.”
– Leaving content to be written by inexperienced people. “I was involved not so long ago with a firm looking to re-do their whole cyber security program because there was very little involvement from their 6,000 users. One of the problems was the person who created the training didn’t have authority – it was like a guy reading a bunch of articles and putting together a video.”
“It has to be edu-taining,” he said, meaning an online awareness course can’t be narrated with an artificial voice but by someone who has personality and can sometimes inject some humour.
– Not quizzing staff to find out if they are really learning.
– Telling staff to create long passwords, but not telling them simple ways to do it (hint: use passphrases).
Unfortunately, he said, too many organizations (and employees) still think, ‘Who wants to attack us?’
Brett Hansen, vice-president of client software and general manager of data security at Dell Inc.
“Bring accountability down to the teams,” he advises. CISOs have to give managers information they can take to team members on why cyber security is important to them. And the message has to be tailored to teams (for example, how a mistake by the finance team has ramifications in other departments).
“It’s so much more pertinent, empowering when the conversation is not ‘Cyber security is good,’ but how it relates to your specific role,” he said.
Dell has a number of awareness strategies, including a “fairly rigorous” annual online education course that employees have to pass, covering physical as well as cyber security best practices. It ends with about 20 questions that test comprehension. The material is regularly updated.
The company also distributes regular online newsletters on good cyber security practices.
And while tempting, “scary FUD (fear, uncertainty and doubt) is not the best way to get to people,” he adds. Talking to staff “in terms that are relevant to them, that are based upon their job function, is a far better way to embed these elements into their daily life.”
Training “needs to be ongoing, to be developed and executed with the business leaders … make them partners in this effort.”
Bill Shinn, principal security solutions architect for Amazon’s AWS service.
The tone of an awareness program has to be that security is everyone’s job, he said, and the message has to be reinforced from executives.
Whatever their products, most firms are data companies and want to be able to unlock the value of that information, he said. That’s why AWS impresses upon every employee that because they work with data every day they have to think about how to safeguard it.
AWS has a variety of approaches, ranging from passing an annual test (made in a way that it’s not possible to click through the presentation in one minute) to recognizing staff with badges for helping improve security either internally or with a customer.
Even posters in hallways and elevators are used, carrying what he calls important information on who to call for help with security-related issues.
“If you’re building a cyber security awareness program you have to make it positive,” he said.
Jeff Wilbur, technical director of the Internet Society’s Online Trust Alliance
The two most important things to focus on in an awareness program are how to handle email and password management, he said. Surveys say up to 80 per cent of breaches involve credential theft. “Those two areas … are where an employee can become the doorway to an attacker if they aren’t aware.”
There are a lot of free and paid phishing simulation tools infosec pros can use to see how users respond to an attack. The results can be used as teachable moments as well as to track employee progress over time.
For password management, employees have to be made to understand the importance of creating unique passwords for every service, he said. But they also need rules for creating strong passwords. Ideally, the organization uses an enterprise password manager to help them. As an additional step, users have to learn about enabling two-factor authentication.
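Both Cutler (passphrases as the simple way to get long passwords) and Wilbur (rules for creating strong passwords) stop short of saying how strong such a passphrase actually is. The following Python script is an added illustration, not code from the article or from any of the experts quoted: it generates a passphrase from a wordlist using the operating system’s CSPRNG and puts a number on its strength, so that a trainer can show staff why four random words is not a weaker choice than eight random characters. The short wordlist is constructed for the example; the 7,776-word size attributed to the EFF long diceware list and the 95-character printable-ASCII alphabet are assumptions for the comparison.

```python
import math
import secrets

# Constructed stand-in for a real diceware-style wordlist (assumption: a real
# deployment would load a published list such as the EFF long list). Every
# word is distinct; the strength figure depends only on list size and word
# count, not on which words are in the list.
SAMPLE_WORDLIST = [
    "acorn", "badger", "cactus", "dolphin", "ember", "falcon", "glacier", "harbor",
    "iguana", "juniper", "kestrel", "lantern", "meadow", "nectar", "orbit", "pebble",
]

EFF_LONG_LIST_SIZE = 7776   # assumed size of the EFF long list (6^5, five dice rolls per word)
PRINTABLE_ASCII = 95        # assumed alphabet of a typical "random characters" password


def passphrase(wordlist, n_words=4, separator="-"):
    """Return n_words chosen uniformly at random from wordlist.

    secrets.choice draws from the OS CSPRNG; random.choice is seeded
    predictably and must not be used for credentials. The separator keeps
    distinct word sequences from colliding into one string (e.g. "orbit"+"ember"
    vs. "or"+"bitember"), so the entropy figure below holds exactly.
    """
    if n_words < 1:
        raise ValueError("need at least one word")
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist has duplicates; the entropy estimate would be wrong")
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(wordlist_size, n_words):
    """Entropy of a uniformly drawn passphrase: n_words * log2(wordlist_size)."""
    return n_words * math.log2(wordlist_size)


def random_password_entropy_bits(alphabet_size, length):
    """Entropy of `length` characters drawn uniformly from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def words_needed(wordlist_size, target_bits):
    """Smallest word count that reaches target_bits of entropy from this wordlist."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    print("sample passphrase:", passphrase(SAMPLE_WORDLIST, 5))
    print("4 words from a 7,776-word list: %.1f bits" % passphrase_entropy_bits(EFF_LONG_LIST_SIZE, 4))
    print("8 random printable characters : %.1f bits" % random_password_entropy_bits(PRINTABLE_ASCII, 8))
    print("words needed for 77 bits      :", words_needed(EFF_LONG_LIST_SIZE, 77))
```

The point for training material is the comparison the script prints: four words drawn at random from a 7,776-word list give about 51.7 bits, essentially the same as eight random printable characters (about 52.6 bits), yet a phrase like five or six such words is something a person can actually remember and type, and six words already clears 77 bits. The strength comes from the words being chosen at random from the list, not by the user; a favourite song lyric is guessable. Uniqueness per service still has to come from a password manager, as the text above says.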
Management should strive to create a culture where there’s a constant conversation about security, he said, although not to the point of boring staff. But it should be made a positive element of what they do every day.
As others emphasized, education should regularly include examples of what has happened to their company and how it was handled. Avoid dry, boring, once a month, ‘You’ve got to watch this video’ orders.
If training is “relevant, pertinent, concise … then employees will listen.”
Chester Wisniewski, a Vancouver-based principal research scientist at Sophos
Employees shouldn’t feel they’ll be in trouble if they report a mistake they’ve made, he says. Otherwise, employees will be “sweeping it under the carpet.”
In addition, encourage employees to report suspicious activity. That helps raise their security awareness.
And while IT may be afraid of being inundated with alerts, a decision on the seriousness of the vast majority can be made quickly.
“All of us are going to be tired and make a mistake once in a while,” he said, so it’s vital an organization respond quickly to a breach of security safeguards. The best way to do that is by creating a response playbook and practising disaster response.
During regular world-wide conference calls with staff, recent security incidents are discussed. “We find employees are much more receptive to learning when they feel it’s not a theoretical thing,” he said, “and when they hear it happened to someone in their office, someone they know, it’s more impactful.”
“Most organizations are doing traditional computer-based learning that in my opinion doesn’t have much positive impact. Fifteen minutes at a company meeting about incidents that happened to you are far more effective than an hour with PowerPoints where you have to click and say, ‘I agree,’ so HR can say you’ve had the training.”
“Don’t expect cyber security [training] to spread equally thin throughout the entire company, because you’re not going to have the budget to do everything you want. Focus on [departments] where the risk is.”
Greg Young, Ottawa-based vice-president of security at Trend Micro.
“Creativity” is the word he uses to describe what’s needed in any awareness program. “Anything you can do to shake it up” is valuable, including communicating the message that security is part of the work of employees in as many ways as possible: Email, posters, a Slack feed, newsletters and general staff meetings.
Even long-time employees need refresher courses, he adds.
Managers also have to be aware of emerging but unsafe technology that staff might want to sign up for, and offer a secure alternative (for example, instead of using company X’s cloud storage, use this one).
Rewarding staff for doing good security-related work – including a reward for developers who write code with no vulnerabilities – is a strategy he applauds. Another is giving them security tools for their home computers (like free antivirus) to help staff understand security awareness takes place everywhere.
Finally, remember that while October is cyber security awareness month, don’t take the rest of the year off.