Updated March 8th – As Cybersecurity Awareness Month comes to a close, let’s face the elephant in the room: Employee awareness training is expensive and time-consuming.
In reply, meet Rajiv Gupta, associate head of the government’s Canadian Centre for Cyber Security.
“Prevention is definitely the key” to cyber defence, he maintains. “Getting your employees trained up front is far more cost-effective than the ramifications of a cyber compromise.”
Ransomware, to cite one example, “is incredibly costly and painful to live through.
“Many organizations realize that after they’ve suffered the incident.”
It’s not that there’s a lack of free resources for building an awareness program. Many software and hardware vendors offer them, the U.S. National Institute for Standards in Technology (NIST) has one and so does the Cyber Centre. For content, see the government’s Get Cyber Safe site.
You can ask the centre for advice, as well as find help online under the Top 10 IT Security Actions recommended for any organization. Action number six is providing tailored cybersecurity training for employees.
Note the word ‘tailored.’ Training has to be shaped to employees, Gutpta says: Many lessons will be the same across an organization (for example, how to create a safe password, how to turn on multifactor authentication, how to spot clues that an email is suspicious).
But training also has to take into account the different positions employees have (for example, IT support staff need to be trained on the appropriate way to allow an employee to reset a password, while managers need training on how to safely use their laptop or smartphone when traveling abroad).
Unfortunately, Gupta acknowledges, not every organization gets it.
“I would say that some have awareness programs. The quality of them varies greatly — from non-existent, to fledgling to mature.” Ones that are mature are likely to be in large organizations with well-funded programs. Some Canadian firms tie executive incentives to the performance of staff on awareness tests.
As for small organizations, they have to understand that “even a bit of awareness goes a long way to preventing threats.”
The first step to building a good awareness program is understanding the threat to an organization’s sector, Gupta said, and in some cases to the individual firm. To help, the Cyber Centre puts out National Threat Assessments.
“Unfortunately, it’s not until they are hit by cybercrime that many organizations really understand how bad it is,” he said. “So step one for the organization to go through the worst case scenarios and understand what would happen if they got hit by ransomware and understand what the threat is. That’s when they start to understand the value of the training and creating that culture of cybersecurity.”
Second, create cybersecurity policies and procedures that staff have to follow.
Third, decide on the kind of training program that will be right for your firm. It should have these elements:
— what staff have to learn based on the policies and procedures that have been set. For example, each organization should have a policy on password length and how often passwords need to be changed, whether corporate PCs can be used for personal online shopping etc.;
— what staff have to learn based on the errors they are making. It helps to have metrics, perhaps compiled by the IT staff (for example, how many employees have unsafe passwords, how often staff ask for password resets, how often staff click on malicious links);
— customized training for the different roles of employees. For example, IT staff need to be reminded of the rules for resetting passwords of staff, while managers may need to be trained how to use their PCs and smartphones abroad;
— regular spear phishing tests, either created by the IT staff or a third-party provider;
— tabletop exercises to show if staff are up to incident response.
— the style of training. It can include short lunch-time sessions, posters, an online portal, regular screen pop-ups and gamification that gives points or more tangible rewards for good performance.
Training can be led by in-house staff, outsourced, or a combination of the two.
One thing Gupta and all training experts stress is keeping performance metrics to measure whether the training messages are getting through.
Finally, continually review policies, procedures, exercises, incident response plan, and threat posture and change if needed.
RELATED CONTENT: Getting the most from gamification
The biggest mistake organizations make in their awareness programs is assuming cybersecurity is an IT issue, he said. “It’s an all-of-organization — we would say an all-of-society — challenge. You want to create a culture within the organization and reward that. Cybersecurity shouldn’t be a serious thing: You can gamify it, you can make it interesting. There are different ways of rewarding cybersecurity awareness. We think you have to turn it into a positive element that helps build a positive culture of cybersecurity.
“The other part is awareness comes from the top: Understanding the real risks to the organization, how bad a cyber compromise could be and investing appropriately in those programs that help prevent a compromise — because it is easier to prevent a compromise than to recover.”
