A security awareness program can be an extremely valuable tool. It helps an organization thwart active attacks and reduces the number of weaknesses that an attacker can exploit. However, just as organizations differ in size, purpose and mission, the attacks directed at them also differ in method, skill set and motivation.
How can an organization build a security awareness program that takes all of these factors into account to ultimately create a tailored awareness program that fits its unique personality?
This is an important question, since awareness programs usually mean a significant investment in time and funds. If the awareness program is built correctly, however, the organization can actually save considerable funds by avoiding issues such as extended incident response work, forensic investigations, disclosures to clients of any compromised data due to breaches and so forth.
These issues can be catastrophic in impact, but they almost always begin with a small exposure that is leveraged into a larger problem. With this in mind, the first step in building an awareness program is:
Understand Your Organization’s Personality
Put bluntly: what are your weaknesses? What do you handle badly from a security standpoint?
In this instance, an enterprise risk assessment can prove very valuable in finding some of these areas. However, it can be very expensive and takes much more time. Are there any alternatives?
Consider this option. Most organizations track their security incidents using some type of ticket system, database or even a spreadsheet in some cases. (If your organization is not doing this, it needs to be implemented immediately).
At a minimum, this system should track items such as:
- Incident type (Phishing attempt, credential compromise, spam, hack attempt, successful compromise, social engineering)
- Severity (classified by high, medium and low)
- Incident notes or description
- Incident start date/time as well as the incident close date/time
- Individual reporting the issue (victim or observer)
This information alone can quickly start to paint a picture of how much time these incidents are taking your security team to resolve, and which incident types are truly an immediate threat to your organization. For example, does the data show that your employees are continually falling victim to bogus phone scams? Are corporate machines repeatedly being infected when employees click on suspect links provided in phishing emails? Are certain individuals or divisions being targeted by certain threats? Once you’re able to determine where the weakness is, you can work to create a program that includes standard security items but focuses on your particular area of need.
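As an added illustration (not part of the original article), the following script shows how the minimum fields listed above can be turned into the picture described here: which incident types consume the most response time, how often an incident is reported by an observer before anyone is impacted, and which division is hit most by each threat. The CSV export and the extra "division" column are constructed for this example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export from an incident ticket system (not real data).
# Columns follow the minimum field set above; "division" is an assumed extra column.
SAMPLE_CSV = """\
type,severity,opened,closed,reporter,division,notes
phishing,medium,2024-03-01 09:00,2024-03-01 11:30,victim,finance,clicked link in fake invoice
phishing,high,2024-03-02 14:00,2024-03-03 10:00,victim,finance,credentials entered on fake login page
phishing,low,2024-03-04 08:15,2024-03-04 08:45,observer,engineering,reported suspicious message before opening
phone scam,medium,2024-03-05 13:00,2024-03-05 16:00,victim,finance,caller posed as vendor
spam,low,2024-03-06 10:00,2024-03-06 10:10,observer,sales,bulk marketing mail
phishing,medium,2024-03-07 09:30,2024-03-07 12:30,victim,finance,opened attachment
"""

FMT = "%Y-%m-%d %H:%M"


def summarize(csv_text):
    """Aggregate incidents by type: count, total hours open, observer reports, divisions."""
    stats = defaultdict(lambda: {"count": 0, "hours": 0.0, "observer": 0,
                                 "divisions": defaultdict(int)})
    for row in csv.DictReader(io.StringIO(csv_text)):
        s = stats[row["type"]]
        opened = datetime.strptime(row["opened"], FMT)
        closed = datetime.strptime(row["closed"], FMT)
        s["count"] += 1
        s["hours"] += (closed - opened).total_seconds() / 3600  # time spent by the IR team
        if row["reporter"] == "observer":  # reported before anyone was impacted
            s["observer"] += 1
        s["divisions"][row["division"]] += 1
    return stats


def top_incident_type(stats):
    """The incident type costing the most response time: the first training focus."""
    return max(stats, key=lambda t: stats[t]["hours"])


def most_affected_division(stats, incident_type):
    """The division most often involved in a given incident type."""
    divs = stats[incident_type]["divisions"]
    return max(divs, key=divs.get)


if __name__ == "__main__":
    stats = summarize(SAMPLE_CSV)
    for t, s in sorted(stats.items(), key=lambda kv: -kv[1]["hours"]):
        print(f"{t:12s} n={s['count']} hours={s['hours']:.1f} "
              f"reported-early={s['observer']}/{s['count']} "
              f"top-division={most_affected_division(stats, t)}")
```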
Another benefit of gathering this data is that it affords your organization’s IR Team an opportunity to commend your employees for what they are doing well. To illustrate: are employees reporting problems regardless of their status? Do they seek guidance before interacting with a suspect message, or do you find that your IR Team is completely blindsided by certain threats?
Even if employees are reporting incidents after they’ve been impacted, this is a positive action, as it shows that employees know who to contact and that they are seeking guidance. Whenever an employee is engaged in this circumstance, they should be commended then given very specific guidance. This can be information pertaining to how they should handle a similar case in the future, next steps that need to be followed or any other brief information your team deems necessary.
Once this interaction is complete, the IR member should be sure to log the details of the issue. Having the name of the individual can help the security team determine which employees or divisions are having continual problems and may need more specific training or reminders.
The positive commendation can help to create a spirit of teamwork and can contribute to employees viewing the IR and security teams as allies as opposed to disciplinarians. This will ultimately help the security team by increasing the number of eyes and ears on watch.
Once you’ve identified your organization’s personality and areas that need to be strengthened, you can start to consider communication methods. Which vehicle can be used to disseminate the needed information or training to your target groups? Do you have many common areas such as cafeterias, lounges or other areas where employees tend to congregate or regularly traverse?
Depending on your company’s layout you can consider items such as:
Digital Monitors
If digital monitors are placed in common areas, the security team can use these to show security-related messages that relate to areas that need to be strengthened. If there is a corporate graphics team, they can assist by creating attractive combinations of photos to complement the presentation of these simple security-related reminders. The security team can create several digital posters that can cycle through on this medium.
Printed Posters
The security team can have their digital posters printed on higher-quality glossy card stock and place these in key areas. The sizes of these posters can vary, and they can be placed strategically near doorways, in elevators, hallways and near offices and cubicles.
Screensavers
Yes, screensavers! This tool has tremendous potential, as computer monitors are probably the device with the greatest penetration in any organization. Everyone needs a monitor, and every monitor has a screensaver.
The image files for digital safety posters can be saved to a network location, and the security team can leverage group policy to push a “corporate screensaver” to all managed devices relatively quickly. This provides thorough dissemination and the security team can have the assurance that all employees will eventually see and read all related security reminders.
Another benefit this option provides is agility. If there is a need to change the message employees see, the security team simply needs to create a different set of posters and point group policy to the new images. When using this option, the security team can create a power management policy that will balance the need for security awareness and corporate energy efficiency.
Branding
This option allows your security team to create a presence that is easily remembered by employees. Developing a slogan, acronym or logo that identifies your security team or some function they perform can help in this regard.
Once this has been created, it can be used on awareness messages and awareness tools. Some companies maintain a small budget to purchase small giveaways that are branded with the logo or message of choice. If this option is used, it would be best to find an item that, while inexpensive, has some practical value to employees. Items like portable power banks, phone stands, stress balls, coffee mugs or microfiber screen-cleaning cloths are things that will be repeatedly used and seen.
These communication vehicles can help a security team create a buzz and, in time, establish their presence with employees.
Security Awareness Days
Some organizations also maintain a budget for select days in the year where security items can be presented to employees in a manner reminiscent of a trade show. Using the information on the organization’s specific weak areas, the security team can develop demonstrations of security threats affecting the company. For example, if phishing is a problem, demonstrations such as “How to detect a malicious message” or “What is Phishing?” may be appropriate.
In some cases, games can be created to impress a particular message on employees. The level of creativity used in developing these games will determine how impactful a message will be to the target audience. These events should be fun, and topics should be presented simply enough so that all can understand and absorb the material.
Security Awareness Tools
As the old adage goes, “practice makes perfect,” and there needs to be a way that the lessons being taught are regularly practiced by your employees. To this end, here is a list of possible tools that can be used for this purpose. This by no means is an exhaustive list but provides a direction in which a security team can move to begin developing a tailored solution.
Social Engineering Exercises
These exercises can help a security team understand how their fellow employees react to diverse situations (requests for confidential information, individuals in unauthorized areas and so on).
Simulated Phishing Attacks
These are very helpful in determining if employees know where to report suspicious emails and whether they react appropriately.
Video Training Modules
The security team can create a knowledge base of training content that can be used to teach employees how to be vigilant in different scenarios. If an employee repeatedly falls victim to a threat, having the employee retrained using these modules can be very beneficial.
Physical Security Assessment Reviews
Periodic reviews of office security can show how many employees leave their screens unattended, how well they follow clean desk practices and how security conscious your workforce may be.
As mentioned previously, these methods are by no means exhaustive. However, by following these suggestions an organization can begin creating a security awareness program that provides practical benefits for its employees.