With the plethora of technology-based controls that have been brought to bear upon the would-be threat of evildoers the world over, cyber attackers have had to refine their tactics to focus on the one asset that remains unsecured: the employee. Just like any other system in our organization, “we the humans” handle sensitive information, we communicate with other humans in our network, and we process requests and produce output. Unlike other corporate systems, though, we can’t be laden with a host of endpoint detection, data loss prevention, and SIEM clients (though sometimes we’re still sluggish to boot up in the morning). These truths require us to shift our information security focus away from the purely cyber and delve into the realm of communications, training, marketing, and corporate culture. It turns out that combating our cyber risk now requires a soft-skills solution, a fact that many organizations have come to recognize. According to the Verizon 2021 Data Breach Investigations Report, social engineering leads the pack among causes of breaches, and 85 percent of breaches involved a human element. With that in mind, the first question that always gets asked is… “how?” You mean to tell me that if I want to bring our risk within appetite, I’m going to have to change hearts and minds? I agree, the idea of trying to shift a corporate culture feels daunting, like trying to move a mountain with a megaphone. There are a couple of key principles to keep in mind when tackling this particular bear, and that’s what I’d like to talk about today.
“Awareness is not a part-time gig; it is a full-blown security control and requires full time attention to keep it running.”
The technical side of managing human risk involves good access controls and password standards, and it isn’t uncommon to find organizations whose primary use for awareness programs is simply to meet compliance requirements. This is a critical need, to be sure; however, a more mature program presents a great opportunity to lower organizational risk. SANS has developed a model that greatly helps to quantify and track the maturity of your program (and thereby the impact that it’s having). They have broken it down into five stages, and with each stage comes a greater level of security. Each stage has clearly defined objectives; how your organization goes about meeting these objectives will vary slightly, but there are some key components that are ubiquitous to successful programs. For starters, you will need someone who is dedicated to the role of running the awareness program, with a title to match that role. Awareness is not a part-time gig; it is a full-blown security control and requires full-time attention to keep it running. Statistically speaking, programs that are shown to have a significant impact on the security of their institutions will have at least two FTEs dedicated to the effort. Following that, the program is obviously going to need good support from stakeholders within the organization, whether from key executives, line-of-business leaders, or internal marketing and communications teams. At the end of the day, moving the corporate culture needle is a social effort, and having supportive relationships with these key team members will prove essential.
Once you have the support that your program needs, the next question you’ll probably be asking yourself is “well… what now?” The first thing you’re going to want to do is establish which employee behaviors pose the greatest risks to your organization, which behaviors are needed to manage those risks, and which need to be tackled first. Employees need to be engaged in a manner that not only makes them aware of what needs to be done, but also makes those behaviors easy to adopt. Defining these risks may seem a tricky proposition at first, but this is another point at which your relationships with internal teams such as security operations will prove invaluable. They will likely have statistics on the risky behaviors they deal with on a daily basis, whether from phishing, data loss prevention, privilege abuse, etc., and this can give you a good starting point for which behaviors need your attention. The human cyber risk spectrum is broad, and we could go on ad nauseam about the threats posed by social media usage, email, public networks, weak passwords, social engineering, data disposal, yada yada yada. The point here is that there is no real bound to what your awareness program can address, but don’t get too bogged down in minutiae; focus on the topics that will have the greatest impact on your risk.
Engagement comes in many forms, and what you’re able to do will in large part come down to your corporate culture, your budget, and your support. Remember that we live in a world where information needs to be digestible, and it is important not to overburden people with information that they don’t really need. Annual training may be necessary, but it will never have the impact that a continuous program has. People need behavioral priming, self-efficacy, social proof, and whatever other social psychology buzzwords you want to throw in there in order to start changing behavior and ultimately produce a more secure culture.
I’m running out of room here, so I’ll leave you with this: no aspect of your human cyber risk will ever be zero. Awareness is about managing those risks. Engage your workforce in a positive manner, make it relevant to them, and make your desired behaviors easy to exhibit. There are lots of resources available out there for those looking to delve into the awareness realm, as well as vendors who can help make the delivery of content more efficient and impactful. Security is often viewed as a negative, something that impedes hard-working employees’ ability to do their jobs. Awareness is about changing that perspective, so remember to be creative, and have fun!