5 Proven Steps to Building a Security Awareness Program
How does one undertake an effective end-user security awareness program? How can security awareness be measured? Are there regulatory requirements for some verticals regarding appropriate training and user awareness of security issues? How can a user awareness program be aligned with the business?
We recently had an interesting security incident where one of our clients experienced an unauthorized remote access service being used to access an internal Windows server. A privileged domain account was used to access Windows, a password recovery tool was installed, and password discovery activities were undertaken. We alerted and notified the client with a high priority escalation in minutes. They were appreciative of the fast response, but a bit chagrined that one of their users would perform this – they have a VPN solution in place – or was it really one of their users? Fast incident response potentially saved the keys to the kingdom.
It did turn out to be an unaware user, and the incident recalls the issue of user security awareness.
Here are five ways to build security awareness in your organization.
1. Executive Buy-in and Participation
In your business culture, it may be deemed desirable that employees be able to work within your networks and remotely using any device they choose, with little regard for method; that employees don’t feel constrained by security policy to the point of feeling less productive; that security be maintained while being as unobtrusive as possible. These are all valid and can serve up lively debate within security circles. Regardless of individual positions on topics like this, one thing is constant: it is up to the security leader and practitioner to inform the Executive Leadership of the risks. Any user awareness program needs to start with executive awareness.
Risks need to be quantified in terms of dollar value. Once put into such business value terms, along with probability metrics that show US companies have a 27% chance of incurring a $3.5M breach cost over the next 24 months, executive interest should grow. If your company deals with customer PII, PCI or PHI data, there are regulatory requirements that proper training be conducted regularly for those who handle that data. With this interest, security begins to become a part of the business's culture – this cannot happen without executive interest and support.
Meet with executive leadership at the top and across all departments in your company. Present them with the current state, calculate the risks, and let them share with you their cultural viewpoints, who and what they wish the company to be. Reach understandings about what users should be aware of regarding security risk. Devise policy tailored to this.
2. Create Messages That Matter to Them
Don’t create messages that are long lists of “Don’t do this, don’t do that.” Nobody responds well to negativity, and messages like that are boring. Nobody learns a thing from boring and negative messaging.
“One and Done” isn’t effective either. Security awareness requires an interesting message delivered at a regular cadence. You can cycle through individual items of your Acceptable Use Policy at regular intervals, delivered as email, newsletters, posts on your Intranet, or any other channel seen as appropriate for communications; the more the merrier. Does your company hold quarterly “Town Hall” meetings? Try to reserve a slot for security in those. Keep the message short; don’t use the opportunity as a deep dive on any single topic or group of topics. Make the message about something everyone can relate to. If that message can be delivered by a C-Suite member, that is extremely effective visibility for security awareness.
You should absolutely include your Marketing Team in the creation of your security messages. They have the expertise to format and craft the message in ways that reach people and encourage optimal understanding and retention. Aim for humorous or thought-provoking approaches to your messaging in the hope that the message will stick.
3. MSSP-like Bulletins
If you use a Managed Security Services Provider, you have been exposed to regular messaging about the current threat landscape. It may be very technical, covering newly discovered OS and application vulnerabilities; or it may be topical, more in line with large hacks of Russian banks, the creation of state-sponsored security centers of excellence internationally, or breaches that impact all consumers and what can be done to protect yourself.
If you publish newsletters, include this kind of information. If you can inspire any interest across different groups of people in a general sense, they will pay more attention to the security awareness items on your agenda – and you definitely should have an agenda. Include in your agenda not only topics of AUP interest but also things such as Business Continuity Plan (BCP) communications plans and Disaster Recovery (DR) scenarios that tie in with current events. Hurricanes, fires, epidemics in the news? Describe remote access capabilities and contingency plans for force majeure.
And once again, enlist the aid of your Marketers. Effective communications are their expertise.
4. Phishing Training
Phishing simulations and training should be a part of every security awareness program. Show your users the telltale signs of a phishing email. Describe spear and whale phishing techniques. Include stories that show how the Lockheed breach started with a single email to an HR employee, resulting in a Chinese version of cutting-edge fighter aircraft – designs worth an estimated $400 billion.
Phishing simulation and training work. Track results at least quarterly, and get creative with your simulated phishing message designs. Some can have links and pose as an online retailer; others can pretend to be from IT with a request to reset passwords. Each time a user falls for one, they are redirected to a short phishing training, growing their awareness. It becomes gamification of security awareness: can the security guy fool users into falling for his ploy? Soon they will be telling you that they did not fall for your latest one when you had not sent anything – proof that awareness levels have saved your business money.
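As an added example (not code from the original article), here is a small Python roll-up of phishing-simulation results that tracks the click and report rates per quarter, the quarter-over-quarter trend, and the repeat clickers who should get additional training. The event records and the quarter labels are constructed sample data.

```python
"""Quarterly roll-up of phishing-simulation results (constructed sample data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimEvent:
    quarter: str    # reporting period the campaign ran in
    user: str       # recipient of the simulated phish
    dept: str       # recipient's department
    clicked: bool   # followed the simulated link (fell for it)
    reported: bool  # reported the message to the security team


# Constructed sample: three recipients across two quarterly campaigns.
EVENTS = [
    SimEvent("Q1", "alice", "HR", clicked=True, reported=False),
    SimEvent("Q1", "bob", "Finance", clicked=True, reported=False),
    SimEvent("Q1", "carol", "IT", clicked=False, reported=True),
    SimEvent("Q2", "alice", "HR", clicked=True, reported=False),
    SimEvent("Q2", "bob", "Finance", clicked=False, reported=True),
    SimEvent("Q2", "carol", "IT", clicked=False, reported=True),
]


def quarterly_rates(events):
    """Return {quarter: (click_rate, report_rate)} as fractions of recipients."""
    totals = defaultdict(lambda: [0, 0, 0])  # sent, clicked, reported
    for e in events:
        t = totals[e.quarter]
        t[0] += 1
        t[1] += int(e.clicked)
        t[2] += int(e.reported)
    return {q: (c / s, r / s) for q, (s, c, r) in sorted(totals.items())}


def repeat_clickers(events, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: candidates for extra training."""
    clicks = defaultdict(int)
    for e in events:
        if e.clicked:
            clicks[e.user] += 1
    return sorted(u for u, n in clicks.items() if n >= min_clicks)


def click_rate_trend(rates):
    """Quarter-over-quarter change in click rate; a negative value means improvement."""
    qs = list(rates)
    return {qs[i]: rates[qs[i]][0] - rates[qs[i - 1]][0] for i in range(1, len(qs))}


if __name__ == "__main__":
    rates = quarterly_rates(EVENTS)
    for q, (click, report) in rates.items():
        print(f"{q}: click rate {click:.0%}, report rate {report:.0%}")
    print("trend:", click_rate_trend(rates))
    print("repeat clickers:", repeat_clickers(EVENTS))
```

The report rate matters as much as the click rate: a rising share of users who report rather than click is the awareness signal the article describes, and the repeat-clicker list is who the short follow-up training should target.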
5. Annual Training
You should conduct a security briefing as part of employee onboarding, and conduct a required annual security training for all employees. There are several vendors, such as Wombat, offering very engaging online multimedia presentations of this kind of security awareness training. For example, the training can be a story about a day in the life of a fictional company and the security issues it faces across departments, interspersed with quizzes about what the employees should have done in the situations they faced. These can be tailored to your specific awareness agenda, and they provide additional metrics that measure your users’ awareness.
Circling back to Executive Buy-in, results of phishing and annual training should be messaged through the Security and Marketing Departments and communicated to the company by the CEO. This approach not only presents awareness status to the business, but it also conveys top executive sponsorship and motivates employees to realize that in your business, security awareness matters.
User awareness and training are the cornerstone of any security program. Implementing these five ideas will absolutely establish a security awareness program in your enterprise.