Building a Security Awareness Program on an Organizational Level

September 21, 2018 by Claudio Dodt

Introduction: A Case Study

Liz Raymond finally had some peace and quiet in her office. The day had been quite chaotic, but now that there were only a few minutes left before a relaxing weekend and that all the financial reports had been completed and sent on time, the last thing she expected was an email from Mr. Evans, her company’s CEO.

During the two years since she had been appointed head of the accounting department, Liz had had little contact with Mr. Evans, who limited himself to praising the effectiveness with which she led the department. However, the message she received was not a complete surprise; after all, it was public knowledge that negotiations were underway to acquire yet another startup.

“Dear Liz,” said Mr. Evans’ email, “I need your help on a sensitive subject that requires the utmost urgency. We have just finished negotiating the startup deal. However, in order to guarantee the business, it is still necessary to pay $180,000.00 in advance. Could you please make the transaction as soon as possible and keep me informed? Also, until everything becomes official, I rely on your usual discretion to handle this matter with complete confidentiality. Here is the bank account for the transfer.”

It was only after hearing the mouse click confirming the transfer that another click happened within Liz’s mind. She started to notice the small inconsistencies in the message. Mr. Evans was extremely polite, but he had never used “Dear Liz” before. Also, although his signature was correct, there was something odd about the email address. Was that a typo? After a few moments of hesitation, a quick call confirmed that the long-awaited weekend would not be relaxing at all.

Mr. Evans had no idea what this email was about, and no, he never asked for or authorized the transaction.

Hacking Humans

Fortunately, Liz Raymond and her 180-million-dollar mix-up never existed. But this story, which is much closer to reality than fiction, points us to a hard truth: cybercriminals will never hesitate to use the human factor in order to achieve their goals. There is often no need for advanced malware, and it is not necessary to bypass a state-of-the-art firewall. Instead, with just a touch of malice, some understanding of human psychology and a little emotional manipulation, it’s quite possible to hack a person instead of a machine. There are many employees who, like Liz, do an exceptional job in their daily tasks but become an easy prey for those who master the art of social engineering.

Of course, some attacks can be prevented with the usual controls, but is that enough? Unfortunately, the answer is no. The tactics employed by attackers are constantly evolving, and more often than we like to admit, they can evade even the most advanced protection technologies based on machine learning, AI or whatever the current buzzword is.

As you can see from this scenario, where a single successful attack caused an unacceptable level of impact, it is essential more than ever to understand that your last line of defense sits between the chair and the keyboard. And that’s where raising awareness comes in. After all, if the technology for patching humans and making them resilient against the latest threats is still a few decades away, right now it’s perfectly feasible to educate people so they become true cybersecurity heroes.

Deploying a Security Awareness Program on an Organizational Level: The Human-Centric Approach

To create a good security awareness program on an organizational level, it is first necessary to understand that the challenges are quite different from, for example, implementing a new technology such as a next-gen firewall, a SIEM, or even using artificial intelligence against advanced malware. People usually like to stay in their comfort zones. This is not to say that they do not experience intense pressure to perform their work activities quickly and effectively, but they settle into routines that can be hard to shake. Most of the time, security is not part of those daily routines at all.

The truth is that during a typical day of work, an employee who is not connected directly to the security team hardly ever thinks that he or she could already be the target of the next cyberattack that will expose the company’s corporate data. The fact is that information security is still not an integral part of most people’s daily lives, much less corporate culture. And that is exactly what our awareness program should focus on.

Here are some tips that will help your efforts to ensure that the human factor becomes one of the strongest allies of cyberdefense.

  1. Understand the Corporate Context

As a rule, security works much better in context: that is, when it is properly aligned with the organization’s reality and strategy. There are several factors that can influence how your company deals with security aspects, from the industry segment to corporate culture, standards and policies, down to contractual aspects and laws.

During your program’s first steps, it is always a good strategy to try to create an overview of the corporate context. This includes factors that can serve as enablers for security awareness, such as the occurrence of security incidents, new customer requirements or new regulations, such as GDPR.

  2. Upper-Management Support

This is also a common starting point for most security initiatives. It’s difficult to create significant organizational change without executive-level support.

If you followed step 1 and mapped out the corporate context, you should be able to identify at least one person at the executive level who is willing to help cybersecurity efforts. In fact, with the new laws on data privacy, this has become a reasonably simple task nowadays.

It’s all a matter of knowing how to present your proposal for an awareness program in the appropriate way: that is, in business terms. Just try to avoid a too-technical approach and focus on how the organization can be impacted by a severe security incident. There is no shortage of recent examples!

  3. Understand the Current Security Awareness Level

Once you’ve gotten the blessing of top management for your awareness program, it’s time to take the first practical actions.

A key point is understanding the current level of cybersecurity awareness that your employees already have. It’s possible, for example, to select a few people and run a blind test. Just be careful to ensure that test participants understand that — for the time being — they are not expected to have an advanced awareness level. The idea is simply to measure the general cybersecurity maturity level.

  4. Define Short, Medium and Long-Term Goals

Ensuring the effectiveness of your awareness program requires defining clear and feasible goals. It is simply unrealistic to expect that, in just a few weeks, your employees will become experts in a subject as complex as cybersecurity; on the contrary, real change in corporate culture will take time.

Now that’s different from saying that you can’t achieve improvement in the short term. For example, based on blind test results, it’s possible to define specific subjects that should have priority or which company departments are most susceptible to a social engineering attack. This will allow you to take specific actions and use quick wins as a way to give momentum to the awareness program.

  5. Awareness Pieces

There are countless possibilities for awareness actions that can be taken as a part of a cybersecurity awareness program. The most common include lectures, seminars, face-to-face training and online education.

A good option is using solutions that bring awareness and education actions into the context of your company, such as phishing attack simulators. If Liz Raymond had already had firsthand experience with fake emails, it’s far more likely that she would have been able to recognize the threat and avoid the attack.

If possible, customize each awareness action for the target audience. Some awareness tools allow you to create training kits specific to positions or business areas within the organization. Remember: When security is handled in a contextual way, it is much easier to ensure alignment with the reality of the organization. This helps your employees more easily understand and absorb the lessons of the training.

  6. Use Practical Psychology

In terms of awareness, optimism is far more powerful than facts. Many awareness campaigns lose their strength by focusing only on negative examples. Of course, using notorious cases like the WannaCry ransomware as an example of a threat can be helpful and it should be part of your campaign, but you have to understand that the appeal of fear only works when people already believe that the threat is real.

One way to create effective messages is using social proof techniques. For example, many hotels have tried to encourage their guests to reuse towels in order to save water. Rather than simply explaining that this is the ecologically correct attitude, the more effective ones focused on what other guests do: “Most of our guests reuse towels, saving energy and helping to protect the environment. Would you do the same?”

You can try to do something similar for cybersecurity. Instead of using messages such as “pay attention before opening an attachment from an unknown source,” how about using “most of the company’s employees confirm that the email is valid before opening attachments or clicking on links. Would you do the same?”

Creating the right message will require both effective communication and an adequate understanding of human psychology, skills not always found in cybersecurity professionals. Consider getting help from specialists if necessary. Remember, with the right message, your awareness efforts will be significantly more effective.

  7. Define Metrics and Measure the Results

As Peter Drucker used to say: “If You Can’t Measure It, You Can’t Improve It.” Well-defined awareness metrics are essential to understand if the program objectives have been met.

Your metrics may include simple points such as the percentage of employees who participated in awareness actions, or how much a group of employees that took a blind test improved on a retest.

Depending on the awareness tools you are using, it’s possible to have a more detailed view. For example, phishing awareness tools usually let you understand which users or even departments are most vulnerable by having statistics on who opened fake emails and what links were clicked.

In general, the idea is to have a basis for understanding whether your awareness program has really achieved its goals or whether improvements and further awareness actions are necessary to ensure that employees are aware of cybersecurity risks.
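The metrics described above (per-department open, click and report rates from a phishing simulation, and the change between a blind test and a retest) are easy to compute from the simulator’s raw results. The script below is an added example, not part of the original article or of any particular awareness tool; the record layout, names and departments are constructed for illustration, and a real tool would export its own fields.

```python
"""Awareness-program metrics over phishing-simulation records.

Added example, not from the original article. The record format, user names,
departments and outcomes below are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    user: str
    department: str
    opened: bool     # opened the simulated phishing email
    clicked: bool    # clicked the embedded link (the failure we want to reduce)
    reported: bool   # reported the email to the security team (the behaviour we want)


# Constructed blind-test campaign across three departments.
BLIND_TEST = [
    SimResult("liz", "accounting", opened=True, clicked=True, reported=False),
    SimResult("ana", "accounting", opened=True, clicked=False, reported=True),
    SimResult("bob", "accounting", opened=False, clicked=False, reported=False),
    SimResult("cai", "engineering", opened=True, clicked=False, reported=True),
    SimResult("dan", "engineering", opened=True, clicked=False, reported=True),
    SimResult("eve", "sales", opened=True, clicked=True, reported=False),
    SimResult("fay", "sales", opened=True, clicked=True, reported=False),
    SimResult("gus", "sales", opened=True, clicked=False, reported=False),
]

# Constructed retest of the same population after a round of awareness actions.
RETEST = [
    SimResult("liz", "accounting", opened=True, clicked=False, reported=True),
    SimResult("ana", "accounting", opened=True, clicked=False, reported=True),
    SimResult("bob", "accounting", opened=True, clicked=False, reported=True),
    SimResult("cai", "engineering", opened=True, clicked=False, reported=True),
    SimResult("dan", "engineering", opened=True, clicked=False, reported=True),
    SimResult("eve", "sales", opened=True, clicked=False, reported=True),
    SimResult("fay", "sales", opened=True, clicked=True, reported=False),
    SimResult("gus", "sales", opened=True, clicked=False, reported=True),
]


def _rates(records):
    """Open, click and report rates (percent, one decimal) for a group of records."""
    n = len(records)
    return {
        "targets": n,
        "open_rate": round(100 * sum(r.opened for r in records) / n, 1),
        "click_rate": round(100 * sum(r.clicked for r in records) / n, 1),
        "report_rate": round(100 * sum(r.reported for r in records) / n, 1),
    }


def department_rates(results):
    """Rates per department, so the weakest areas can be prioritised."""
    buckets = defaultdict(list)
    for r in results:
        buckets[r.department].append(r)
    return {dept: _rates(rs) for dept, rs in buckets.items()}


def most_susceptible(results):
    """Department with the highest click rate (ties broken alphabetically)."""
    rates = department_rates(results)
    return max(sorted(rates), key=lambda d: rates[d]["click_rate"])


def improvement(before, after):
    """Percentage-point change between a blind test and a retest.

    A negative click delta and a positive report delta both mean the
    program is moving in the right direction.
    """
    b, a = _rates(before), _rates(after)
    return {
        "click_rate_delta": round(a["click_rate"] - b["click_rate"], 1),
        "report_rate_delta": round(a["report_rate"] - b["report_rate"], 1),
    }


if __name__ == "__main__":
    for dept, stats in department_rates(BLIND_TEST).items():
        print(dept, stats)
    print("most susceptible:", most_susceptible(BLIND_TEST))
    print("blind test -> retest:", improvement(BLIND_TEST, RETEST))
```

The report rate is worth tracking alongside the click rate: a department whose users click less but still never report anything has learned to ignore phishing, not to defend against it, and the security team gains no early warning from them.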

  8. Make It Fun

It’s obvious that cybersecurity is an extremely serious issue, but that doesn’t mean your awareness program actions should be boring.

People learn a lot better when they are relaxed and entertained, so an interesting idea is to include fun elements as a part of your awareness program. Again, there are numerous options available: From good-humored theatrical performances to quizzes, raffles or a friendly team competition. It’s all about remembering that you want to introduce cybersecurity in a positive way and make employees part of that context.

  9. Treat Learning as Something Continuous

As previously mentioned, meaningful awareness change will not happen overnight. Thus, employee cybersecurity awareness should never be treated as a project (something with a beginning and an end), but as a program with continuous improvement cycles.

Of course, actions such as creating a “cybersecurity week” are a very interesting idea, but concentrating your education efforts in a short period of time will hardly bring the best results.

A great approach is combining focused events with multiple small actions divided throughout the year, so that your employees will have constant contact with the cybersecurity subject, and they will always be up-to-date with the latest threats.


As a general rule, it’s unrealistic to expect people to change their attitude overnight, even on such a relevant subject as corporate data protection. Awareness actions should be a constant, addressing relevant issues, using the right message and making sure people feel part of a larger effort.

An excellent idea is to focus on positive aspects, demonstrating that the organization completely trusts the capabilities of its employees and is ready to help them become resilient to the most advanced cyberthreats.

Using this human-centric approach for cybersecurity awareness is a sure way of turning the much-criticized human factor from a vulnerability into one of the most effective defenses against cybercriminals.


Cláudio Dodt is an Information Security Evangelist, consultant, trainer, speaker and blogger. He has more than ten years’ worth of experience working with Information Security, IT Service Management, IT Corporate Governance and Risk Management.