Human error continues to top the charts as one of the highest threats to an organization’s security. Research from Wisegate’s latest report, Security Awareness Programs: CISOs Share Practical, Simple Strategies, shows that most CISOs identify the user as the most commonly exploited security vulnerability, and for good reason. Humans are easily manipulated through social engineering or can be counted on to make an error – a weak link of which cyber criminals are likely to take advantage.
The first step in integrating security awareness into your work culture is making it easy to classify sensitive and non-sensitive data. Instead of creating a complicated taxonomy of security levels for data, create two basic categories: sensitive or not sensitive. Typically, employees, no matter what department they work in, can identify what is sensitive and what is not. Avoid over-analysis and incorrect categorization of information sensitivity by keeping a simple system that any employee can quickly learn.
The second, and very, very critical step in creating a culture of awareness is implementing regular, ongoing communication and training. Enlist the help of departments that already have experience in communicating effectively and training staff, such as Marketing, or consider using a third party for training. While none of the Wisegate members we polled depend solely on a third party for training, about 42 percent use a combination of third-party and in-house training and 50 percent develop all training in-house. Remember that people learn in different ways (visually, verbally, logically, socially, etc.), so be sure to use a variety of mediums, such as webinars, newsletters, posters and coffee talks, to teach staff, even if these activities do not engage the entire company all at once.
Next, you need to break down barriers. Many employees are afraid to bring up security questions or concerns for fear of getting into trouble. Eliminate that fear and create an approachable environment by enlisting security champions outside of the IT department. Security champions should a) have an interest in expanding their leadership role within the company, b) be a member of a different department and c) help relate security goals to their departments as well as help the security team find acceptable solutions. In addition to creating security liaisons, consider hosting informal coffee talk sessions with these liaisons where employees can air their security concerns without worrying about getting into trouble.
Finally, begin measuring the success of your security program. One thing we say here at Wisegate is you don’t get what you expect, you get what you inspect. Measuring never sounds fun, but it helps to quickly and clearly point out what is working and what is not. Implement annual refresher quizzes and keep track of scores to see what’s working well and what needs improvement. Scores should increase over time if messaging and training are taking hold.
Security awareness is a continual challenge for all organizations. Many, if not most, organizations are relatively new at this, so know that you are not alone. Keep the faith, don’t get discouraged and work with the resources and champions you have to create a culture of awareness.
By Sara Gates, Founder and CEO, Wisegate
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.