Investments in cyber security are wasted if your employees are not well trained. While it has become almost a cliché, the reality is that employees are the weakest link in any cyber security defense strategy. If an organization has a poor culture of security, it is easy prey for social engineering attacks, phishing schemes, and password-related compromises.
Every business leader should do a quick sanity check on the amount of money currently invested in cyber security software and hardware versus the amount invested in cyber security awareness programming. Investments in technology often dwarf investments in people.
The solution is to start today with prudent and consistent investment in cyber security awareness programming. Building a culture of security does not happen overnight. In this blog post, we will explore the five most important considerations when designing your cyber security awareness program.
1. Ditch the annual security awareness training
The first order of business is to switch from a compliance mindset to a genuine desire to transform and empower the workforce. A compliance mindset strives for minimum compliance in order to meet a governmental, legal, or industry requirement. A compliance-driven approach to cyber security aims merely to check a box on an audit, rather than truly transform the knowledge and habits of employees.
2. Implement a security awareness program 365 days a year
The solution is to implement cyber security awareness programming that runs 365 days a year. A programmatic approach, rather than a compliance-driven approach, acknowledges that true employee transformation takes place over time and involves repetition and consistent engagement. As with physical fitness, learning an instrument, or any other educational endeavor, the real results emerge over time and through consistent application.
3. Embrace micro-learning
Building the human firewall in your organization requires investment in a program that delivers educational content and programming in bite-sized portions throughout the year. Micro-learning is the delivery of educational content in short bursts or packages, reinforced with repetition and reminders.
With micro-learning, knowledge retention and behavioral change are vastly improved. Micro-learning uses video, short readings, quizzes, and gamification, and each session should take no more than three minutes to complete. The easiest way to succeed here is to outsource. Most sophisticated IT service providers have solutions to help their clients implement a security awareness program that incorporates micro-learning and a consistent approach.
4. Incorporate phishing simulations
Social engineering attacks are one of the biggest challenges for organizations. They exploit employee trust in familiar brands or habits to get employees to divulge secret information such as login credentials. Most commonly, these attacks show up as phishing emails, which coax employees into logging in to fraudulent websites crafted to look like real, trusted services, such as those from Microsoft, banks, or social media sites. Stolen credentials can be used quickly to break into corporate email or file systems, or leveraged into more coordinated attacks that exploit employee password re-use. The most dangerous form is a "spear phishing" attack, where the cyber criminals research their target in depth and craft a specially designed spoofed email to someone with access to sensitive systems, such as a financial controller or payroll administrator.
A solid cyber security awareness program should incorporate consistent phishing simulations and tests. When there is an element of surprise and the tests are launched in an unpredictable fashion, the simulations are harder to spot and genuinely test the level of knowledge in the workforce. Again, this sort of sophisticated and routine testing usually requires that organizations partner with a third-party service provider to make it happen.
5. Report, rinse, and repeat
Lastly, organizations should report on and study their progress towards a better culture of security. The best-managed security awareness programs give management insight into isolated problem areas, along with the aggregate performance of teams and the organization as a whole. Proactive and positive effort should be invested in employees or teams that routinely fall prey to phishing simulations or show low engagement with cyber security awareness programming. Additional interactions and training sessions may be called for when individuals or teams are not making progress. The most important point goes back to the beginning of this blog post: real employee transformation does not happen overnight. Building the human firewall requires persistence, patience, and a continued focus on transforming and elevating employee habits and knowledge.
At NENS, we specialize in incorporating cyber security awareness programming into every client engagement. We view this sort of programming as one of our minimum standards for an organization of any size. New or existing clients are invited to reach out to learn more about the benefits of our cyber security awareness program.