Advice for creating a cybersecurity awareness program.
Welcome to Cyber Security Today. It’s Monday, October 2nd, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
October is Cyber Security Awareness Month for … well, for everyone: Youngsters, consumers, employees and management.
But on this episode I want to focus on IT and corporate management. IT because it often delivers security awareness material, and senior management because it’s their job to make sure the entire organization sees the value of training.
Of course the CEO, the president and the vice-presidents are aware of the importance of cybersecurity. That’s not the point. The point is that for any organization to successfully fight cyber attacks and data privacy violations, there has to be a formal cybersecurity awareness program that spells out company policies for all staff. And support for it has to come from senior management. At the very least, that means senior management has to show up regularly at awareness training sessions. And management has to show that it follows the same practices employees have to obey.
Here’s another way: If the CEO is seen by employees as a highly respected leader of the company who has a regular blog or newsletter, a good way to spread cybersecurity messages is to include them there.
What makes a successful awareness program? To answer that I’ve turned to a book called You Can Stop Stupid by Ira Winkler and Tracy Brown.
They start with what an awareness program shouldn’t be: A checkbox to meet compliance regulations. That is, checking ‘Yes, we held one cybersecurity awareness training session every month in the past year.’
What should a program do? Tell users how to do their job correctly, say the authors, not describe ways they can do it wrong. So, training should not only be about how to recognize a phishing message, but what to do about it.
An awareness program’s goal is to change employee behaviour: For example, to stop clicking on attachments, or downloading unapproved apps or having bad passwords — whatever is important in your organization.
And the best way to make sure behaviour is changing is to have metrics. Metrics on what current staff behaviour is, and then metrics on whether training is changing that behaviour.
By the way, a good thing about metrics is they can help show management the return on investment of training.
Remember, what’s needed are useful metrics. Attendance metrics may show who isn’t going to meetings, but not much more. Satisfaction metrics, like ranking employee satisfaction with a training session, may have limited usefulness. Knowledge metrics, like having staff take a short quiz after a training session, may show if a message is getting across but won’t show if it’s sticking. That’s why measuring behaviour changes is vital. For example, are staff reporting more suspicious email messages? Are they downloading fewer unapproved apps?
Metrics will also show what parts of the program are most effective: Computer training, phishing tests, lunch and learns, newsletters, social media blasts, posters etc.
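To make the distinction between knowledge metrics and behaviour metrics concrete, here is an added example (it is not from the podcast or from Winkler and Brown’s book) that scores a quarterly awareness program the way the authors describe: it normalizes raw counts into rates, compares each quarter against the pre-program baseline, and flags which behaviours are not moving in the right direction. The quarterly figures, the metric names and the `QuarterMetrics` record are all constructed for this illustration.

```python
"""Behaviour-change metrics for a security awareness program.

Added example, not from the podcast or the book it cites.
The quarterly figures below are constructed, not real data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Behaviours where a *lower* value means the program is working.
LOWER_IS_BETTER = {"phish_click_rate", "unapproved_installs_per_100"}
# Behaviours where a *higher* value means the program is working.
HIGHER_IS_BETTER = {"phish_report_rate", "suspicious_reports_per_100"}


@dataclass(frozen=True)
class QuarterMetrics:
    """Raw counts collected for one quarter (hypothetical schema)."""
    quarter: str
    phish_sent: int           # simulated phishing messages sent
    phish_clicked: int        # recipients who clicked the lure
    phish_reported: int       # recipients who reported the simulation
    suspicious_reports: int   # real suspicious messages reported by staff
    unapproved_installs: int  # unapproved apps detected on endpoints
    headcount: int


def behaviour_rates(q: QuarterMetrics) -> dict[str, float]:
    """Normalise counts so quarters with different volumes compare fairly.

    Attendance and quiz scores are deliberately absent: they measure
    exposure and knowledge, not whether behaviour actually changed.
    """
    return {
        "phish_click_rate": q.phish_clicked / q.phish_sent,
        "phish_report_rate": q.phish_reported / q.phish_sent,
        "suspicious_reports_per_100": 100 * q.suspicious_reports / q.headcount,
        "unapproved_installs_per_100": 100 * q.unapproved_installs / q.headcount,
    }


def relative_change(baseline: float, current: float) -> float:
    """Fractional change versus the baseline (-0.5 means halved)."""
    if baseline == 0:
        return 0.0 if current == 0 else float("inf")
    return (current - baseline) / baseline


def is_improving(metric: str, change: float) -> bool:
    """Interpret the sign of a change according to the metric's direction."""
    if metric in LOWER_IS_BETTER:
        return change < 0
    if metric in HIGHER_IS_BETTER:
        return change > 0
    raise ValueError(f"unknown metric {metric}")


def program_report(quarters: list[QuarterMetrics]) -> dict:
    """Compare every quarter against the first (pre-program) quarter.

    Returns {quarter: {metric: {"value", "change_vs_baseline", "improving"}}}.
    The baseline quarter gets improving=None because it has nothing to
    compare against.
    """
    baseline = behaviour_rates(quarters[0])
    report: dict = {}
    for index, q in enumerate(quarters):
        rates = behaviour_rates(q)
        report[q.quarter] = {}
        for metric, value in rates.items():
            change = relative_change(baseline[metric], value)
            report[q.quarter][metric] = {
                "value": value,
                "change_vs_baseline": change,
                "improving": None if index == 0 else is_improving(metric, change),
            }
    return report


def stalled_metrics(report: dict, quarter: str) -> list[str]:
    """Behaviours that are not better than baseline: candidates for adapting
    the program (new messaging, a different channel, department-specific
    training) before the next quarterly round."""
    return [m for m, r in report[quarter].items() if r["improving"] is False]


# Constructed sample: one baseline quarter followed by three quarters of training.
# Unapproved installs drift back up in Q4, so that metric should be flagged.
SAMPLE_QUARTERS = [
    QuarterMetrics("2023-Q1", 1000, 180, 60, 40, 25, 500),
    QuarterMetrics("2023-Q2", 1000, 120, 150, 90, 18, 500),
    QuarterMetrics("2023-Q3", 1000, 90, 240, 130, 12, 500),
    QuarterMetrics("2023-Q4", 1000, 70, 300, 160, 26, 500),
]

if __name__ == "__main__":
    rep = program_report(SAMPLE_QUARTERS)
    for quarter, metrics in rep.items():
        for metric, r in metrics.items():
            print(f"{quarter} {metric:<28} {r['value']:8.3f} "
                  f"{r['change_vs_baseline']:+7.2%} improving={r['improving']}")
    print("stalled in 2023-Q4:", stalled_metrics(rep, "2023-Q4"))
```

The report answers the two questions the episode raises: the baseline quarter records what staff behaviour looked like before training, and each later quarter shows whether that behaviour moved. A metric that stalls (in the constructed data, unapproved installs in Q4) is the signal to change that part of the program rather than to keep repeating the same session.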
One employee aid, the authors note, is setting up an internal online security library with documents and videos that staff can turn to for advice — things like how to keep a computer secure, how to change a privacy feature, how many times their password needs to be changed, how to see if a URL is legitimate. But the library has to be kept up to date.
One other thing: It may be smart to tailor the awareness program for certain departments or for the different geographies the organization operates in. Awareness
The authors of You Can Stop Stupid say it’s very likely you won’t get your awareness program right the first time. That’s one reason why training should be done every three months — so you can measure what’s working. Don’t be surprised to find you need to adapt your program to bring in new concepts, ideas and business drivers.
How can you create an awareness program? The U.S. National Institute of Standards and Technology, otherwise known as NIST, has had a 70-page guide since 2003. It’s being updated and renamed as Building a Cybersecurity and Privacy Learning Program. There’s also a 20-page guide called Building a Cybersecurity Awareness Program from the Carnegie Mellon Software Engineering Institute.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.
If your organization is holding special programs for Cybersecurity Awareness Month, here’s material from the Canadian Centre for Cyber Security and from the U.S. Cybersecurity and Infrastructure Security Agency.