A security awareness program has to be an essential part of any organization’s cyber defence, above and beyond spending money on technology, according to experts in the field.
But with organizations seeing no decrease in breaches of security controls, CISOs wonder where their program is going wrong.
“They treat it like a part-time job,” answers Lance Spitzner, an energetic awareness training instructor at the SANS Institute for information security training, whose presentations at SecTor and RSA conferences are must-sees.
“You got a company that has 50 security professionals, 49 will be dedicated to securing technology and one person will be spending maybe 20 per cent of their time on awareness. And then the organization wonders why it doesn’t have an impact.”
Organizations with 500 or more employees should have one person devoted full-time to awareness, he said.
As part of the annual October Cyber Security Awareness Month activities, we interviewed Spitzner for tips on mistakes CISOs make in setting up awareness programs.
In addition to not devoting enough resources to training, it’s a mistake to put highly technical people in charge of the program. They understand the problem, Spitzner says, but they probably aren’t good communicators. “Security awareness is not about technology. It’s about people, it’s about communicating to, partnering with people in your workforce.
“Some of your best technology and security people are outstanding geeks and fantastic working with technology, but often they don’t like working with people or have no experience working with people,” he said.
“The best awareness officers tend to be people with communications, marketing, public relations, or sales backgrounds. You don’t have to be a technology or security expert to be a good awareness officer, because you can work with your security team on what you should be teaching people.
“But when you go out you need to be a good communicator to communicate what people should be doing and why.”
A third error is doing awareness training once a year — which results in what Spitzner calls “death by PowerPoint.” Annual training will meet compliance regulations, “but do absolutely nothing to change behaviour.” He recommends monthly training by a variety of vehicles (email, posters, newsletters, intranet, podcasts, etc.).
What about small firms? He admits they don’t have the ability to have a full-time awareness officer. On the other hand, Spitzner says small organizations have one advantage: Staff know who the security person is, and that person knows everyone in the firm. As a result, it can be easier to reach out and engage with staff.
He advises those doing security training at small firms to keep two things in mind to get the most out of their efforts. One is to remind staff that what they learn at work also helps secure them in their personal life. They want to know “what’s in security for me.” The second is to keep things simple. Focus on these four behaviours to lower most risks:
– Employees are the firm’s best defence. If you see something suspicious or highly urgent, it can be a sign of attack.
– Make sure staff choose safe passwords.
– Patch systems as soon as you can.
– Make sure the organization has safe backups.
“If small businesses throughout Canada focus on those four things, 90 per cent of what they need to worry about is taken care of.”
Metrics are also vital to a successful awareness program. The best programs have specific goals in mind, driven by an organization’s top human risks as derived from analysis of incidents. Then measure repeatedly so you can see whether the training is having an impact. Metrics will also show management the value of the program, Spitzner adds.
“You’re much better off focusing on a few key metrics,” he says. The value of metrics is over a period of time, he adds. (E.g. “The last phishing test we did had a 12 per cent click-through rate. Is that better or worse than previous tests?”).
Finally, leadership support for an awareness program – like any change program – is essential. “That’s not just budget, but staff, resources, adding credibility, helping build partnerships.”
“By focusing on some basics, how people will personally benefit and continually reminding them throughout the year, you’ll have an impact.”