This article is the 10th in a series of articles by NAV CANADA vice-president and chief information officer Claudio Silvestri about talking to your board about cybersecurity.
Describe how you will engage, train, and inform the employee population
Almost every study I’ve read over the past several years indicates that upwards of 90 per cent or more of cybersecurity events stem from some form of human error, behaviour, or lack of vigilance. This makes employee awareness and training a critical and essential part of your overall cybersecurity countermeasures.
My guess however is that, for many, the percentage of cybersecurity funding or management focus on employee awareness and training is disproportionately lower than all other areas of spending, even though the cost of doing so is very low on a relative basis. The cost:value ratio is inversely proportional to most other elements when you consider the statistic above, so there is no reason not to have a solid awareness and training program.
However, never forget that our ability to change human behaviour for this topic or any other is very difficult and often times fleeting. It requires a sustained and focused approach over a long period of time if there is any hope to create long-lasting behavioural change.
It’s not lost on me that there are many forces at play that need to be understood in the context of the organization’s culture that will inform the approach on cyber awareness and training. You will need to find the right balance between being prescriptive with your policies and influencing the desired behaviours with awareness and training. While both of these are essential, the reality is that policies will only get you so far and they themselves likely suffer from lack of awareness.
One of the most challenging realities in this area of your program is the separation of personal and professional digital behaviour, especially among the younger generations entering the workforce. This cohort of employees is entering your workplace having grown up with the Internet, smart phones, and social media, with little or no restrictions placed on them.
The behavioural change for this group will be difficult, and so your program should be sensitive to this dynamic to avoid the risk of alienating them and creating disengagement. If you have ever tried to explain to a young employee why there are access restrictions to Facebook, YouTube, Snapchat or their favorite website, you will know what I’m talking about.
A good awareness program will take into consideration these sorts of cultural aspects of your organization as you develop the specific elements of the program. These could include the following:
- A mandatory computer-based training (CBT) program. Computer-based training is an affordable, repeatable, and effective way to help educate your employees on many aspects of cybersecurity. It could be run on an annual basis as well as be a requirement for all new employees.
- Phishing Simulations. Phishing attacks are among the most common strategies used by cyber criminals, and arguably the among the most effective. They continue to be increasingly sophisticated, using social engineering to develop very specific and targeted attacks. It’s become very difficult to distinguish the good from the bad unless employees have insights into what to look for.Phishing simulations are also a great way to measure the click-performance of the overall employee population. This is extremely helpful both in terms of how your program should look and also as a measurable statistic for your Board. Over time, you will be able to show progression of click-performance that will be useful in terms of understanding susceptibility of the organization to phishing attacks.Additionally, your phishing simulation program can be isolated to groups that are highly prized targets, such as the Accounts Payable team. Developing a more frequent and relevant simulation program for these employees will help reduce the risk of a successful attack.
- Communication campaigns. Cyber awareness communication campaigns can be highly effective in getting employees to understand the risks faced by the company and how they can help protect themselves and the company.Your internal communications team will be a great partner here. Work with them to understand how campaigns should be structured in terms of tone, content, and channel. When it comes to tone of message, I am a big believer that the drier the topic, the more lighthearted the message should be to increase its effectiveness, even in conservative cultures.For example, the messaging over a password policy change to long and complex passwords will be an unpopular thing. Having a communications approach that is dry and prescriptive will only make matters worse and increase the likelihood of resistance. The use of humor and punchy visuals can be a powerful way to get people to recognize not only what the change is but also why it’s necessary.
Having the right “tone at the top” to promote a security culture cannot be understated in terms of importance and impact in helping change behaviours. Leadership by example is critical, and you must work hard to help the executive leadership of your organization set those examples. This is vitally important when you need support to introduce stronger corporate policies or add controls such as two-factor authentication.
Further, the tone from the top must set the expectation that cybersecurity is everyone’s responsibility — not just that of the IT department. The message coming from the most senior leaders of your organization should reinforce the work you are doing and why it’s critical to the health and sustainability of the organization.
Next article in the series: “Cybersecurity essentials – Third-party assurance“