Building a Culture of Cyber Security Awareness
What good is all the effort you put into bolstering your company’s IT Security posture if your end users continually pipe a new stream of ever-evolving threats directly into your environment?
Sure, the robustness of your security controls gets a steady work-out, but we assert that adding a little security awareness can go a long way. Even a nominal awareness program holds the potential to reduce the scope and severity of risks to your environment, so you can focus your time, money and effort on bolstering your security posture instead of the hand-to-mouth servicing of one-off security threats.
You have likely read The Art of Deception by Kevin D. Mitnick (and William L. Simon) (if not, you should) and know that all the work that goes into building a robust security posture doesn’t mean squat if your end users are clicking on every attachment and bad link they come across.
In Mitnick’s words, “…the human factor is truly security’s weakest link.” Try as we might, we can’t solve every problem with a blinky light.
So you might be thinking, “how do I create (or improve) a culture of security at my company?” Many of the clients we serve at rSolutions are larger enterprises with both external and internal communications departments, so we offer this advice under the assumption that you’ll be working with a communications team, but we have kept it broad enough in scope that a company of any size can derive some benefit.
Frame the Issue
Communications teams are likely largely unaware of all the effort that goes into making a company’s security posture as tight as possible. An overview of the number of threats handled over a defined period will help show what you’re dealing with and how more awareness can help. Provide the history and evolution of the problem you are trying to solve, as well as some examples of what could happen, and has happened, to other companies that have fallen victim to the threats you outline (consequences). Do not pad it with FUD; stick to verifiable facts. This will help build context for the problem with a non-technical audience that can help you reduce your time spent on incident response. Consider bringing the CTO or CISO on board as a champion so you have support from the top to the bottom.
Define the Audience(s)
Well, everybody needs to know about security, you say. That is very true, but we suggest you approach it like you would eat an elephant: one bite at a time. The likelihood of success increases if you start with a smaller test group, ironing out what works and what doesn’t, before spending the time, money and resources on a corporate-wide awareness program. Consider a test group of your greatest offenders. You likely have the data to present the case. Have you talked to them about why they keep falling into the same traps? Do you have data that shows which user groups are the greatest offenders, or at the very least an anecdotal indication of who they are? Package this information to build profiles of these audiences so you approach the communications team with a defined target audience, one you can measure your actions against.
If you had three wishes from these audiences, what would they be?
I wish they’d just:
- follow the strong password policy (and keep it a secret).
- quit clicking on spoofed links.
- quit opening bad attachments.
Yours might be the same, or maybe they are different. Whatever they are, be sure to target your lowest-hanging fruit. The idea is that if we want to make a cultural change in the workplace, we need to start somewhere basic; then, as you move forward on a continuum, you can address more detailed subject matter over time. Try to keep in mind that cultural change is a big wheel that turns slowly, so start with your highest-payoff activities, balanced against the concepts that are easiest to grasp for non-technical people outside the IT silo. Consider focusing on the messages that will bear the most fruit if scaled up for the entire organization.
Where do your targets get information and where do they mess up?
Being in IT Security gives you visibility into where your users get their information and the kind of information they access. Basically, where they are hanging out and what they’re doing there. Keep an eye out for trends and patterns (like you’re not already) to find the places with the highest traffic. Where are the people you are trying to reach getting information, for both their work and their not-so-work-related information needs?
Where do the people you’re trying to reach keep messing up? Is it around the use of a certain application (or applications), a network destination or the internet? Just like our kids, we often have to catch them messing up, or remind them of a rule when we notice they’re about to do something bad, to ensure they change their behaviour. It’s not that your fellow professionals in your organization are children; it’s just that many still view IT Security as IT Security’s problem. They may not realize how their behaviour is a danger to the business. So your audiences need to be informed and re-informed of the rules, consequences and potential pitfalls in the places where the threat is most prevalent.
Create messages to influence behavior
Our primitive human mind is programmed to be on the look-out for things that are new, different, or may pose a threat at the level of our baser animal instincts. Keep your messages consistent around a central theme, whether a set of complementary messages or a single message, but keep the delivery of that message dynamic and changing. As we are trying to secure a digital environment, it makes some sense to keep our messages in that space, but the human mind needs similar or complementary messages presented in different ways before they break through to our consciousness. Using analogies from outside the digital space can increase the chances that you’ll reach the desired outcomes.
Put your skin in the game
Consider putting some of your budget aside to address this with a professional. Many marketing and communication efforts stall when the question of who’s going to pay becomes the issue. Consider cost sharing or proportional funding of these efforts going in, so that a partnership is developed and there is a common understanding of the resources available to reach the audiences. Strategists, designers, production and placement aren’t always cheap, but there are ways to keep costs in step with the desired outcomes. Having an understanding of the budget going in saves time and effort in the long run.
Measure your results
Validate the actions you carried out against the desired response by measuring the intended outcomes against the information and metrics you collected to frame the issue earlier. We’re not talking about seeing drastic up-ticks in security compliance moments after putting up a poster in the staff lunchroom, but do look for behavioural changes. If you’ve started with your worst offenders, is there a change in the number of incidents? Are there fewer help desk calls? Has their network reliability improved? Ultimately, have your efforts delivered the fruit you expected or wanted? If so, you’re on the right track. If not, you may need more information from your targets and a better understanding of which messages failed. It’s important to note that humans aren’t as easy to diagnose as systems; they may not perform as expected if something rubs them the wrong way or a message is placed somewhere they can’t see it.
For more information on building IT Security awareness for your organization, we’re rSolutions and we have access to the professionals that can help.