Getting Buy-In for Your Security Awareness Program

October 29, 2018 by Mahwish Khan


When a security awareness program is proposed, some people immediately go on the defensive and call it pointless; others say nothing but act as if it were. With that attitude becoming common, the real question is how you give your Security Awareness Program value. What turns it into training that people at any level actually want? Why would anyone inside your organization (or outside it, if you want to extend your influence) choose to buy in?

There is no short answer, because the value of your program depends on several factors, and the case for it has to be made from every perspective: the employee's, the executive's and the organization's.

There is also the issue of employee mindset. Some people may feel that you are putting pressure on them simply to have another reason to keep them at the same salary level. They may also resist being sent to longer training, because it makes them feel less valued than their more successful colleagues.

Get Mentalities Straight

Before even attempting to get buy-in, you need to explain not just the whys, but also the dos and the don’ts.

The first issue is that any such program tries to redefine attitudes, mentalities and actions. The risk of being scammed, having money stolen or having one's identity stolen is higher than ever. Ransomware detections have dipped in recent months, and some other tracked threats have also declined, but the numbers are still far too high.

And newer, more aggressive attacks put pressure on large corporations every day. However well-trained the corporations have become, the attackers have learned as well. Consumer ransomware may have declined, but there were still over 100,000 infections from January to June 2018, and analysts expect ransomware to rise again in the third quarter of the year.

The targets are both individuals, through their personal data (PII, personally identifiable information), and companies. Attackers clearly want to earn even more from their newest tricks.

Everyone you want to get buy-in from, whether employees, executives or outsiders, must understand that how they respond to an attack is what advances or stops it. Even today, the favorite and easiest attacks are delivered through email, alongside man-in-the-middle attacks. These two enduring classics are still king.

But how do you distinguish a real email from a scammer's version? Today scammers use real URLs, real information, real logos and real contact data, or change only a phone number while everything else is 100% accurate. How is a person supposed to know they are being targeted?
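The tell-tale signs a trained employee (or a mail gateway) can still check even when the logos and wording are perfect are structural: a Reply-To that goes somewhere other than the sender, a sender or link domain that merely imitates the real one, and a link whose visible text does not match where it points. The following script, an added example that is not code from the original article, flags exactly those indicators in a raw message. The TRUSTED_DOMAINS set and the two sample messages are constructed for the demo.

```python
"""Flag common phishing indicators in a raw RFC 822 message.

Added example, not code from the original article. TRUSTED_DOMAINS and
the two sample messages are constructed for the demo.
"""
from __future__ import annotations

import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr
from html.parser import HTMLParser

# Assumption: the domains the organisation legitimately sends from.
TRUSTED_DOMAINS = {"example.com"}

# Substitutions attackers use to build look-alike domains (examp1e.com).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def domain_of(value: str) -> str:
    """Lower-cased domain of an e-mail address, URL or bare host ('' if none)."""
    value = value.strip().lower()
    if "@" in value:
        return value.rsplit("@", 1)[1].strip(">")
    m = re.match(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", value)
    return m.group(1) if m else ""


def looks_like(domain: str, trusted: str) -> bool:
    """True when `domain` imitates `trusted` without being it or a subdomain."""
    if not domain or domain == trusted or domain.endswith("." + trusted):
        return False
    norm = domain.translate(CONFUSABLES).replace("rn", "m")
    # examp1e.com -> example.com; also example.com.evil.net style prefixes
    return norm == trusted or norm.startswith(trusted + ".") or norm.endswith("." + trusted)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw: str) -> list[str]:
    """Return human-readable findings for one raw message (empty if clean)."""
    msg = Parser(policy=policy.default).parsestr(raw)
    findings: list[str] = []

    from_dom = domain_of(parseaddr(str(msg.get("From", "")))[1])
    reply_dom = domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To goes to {reply_dom}, not the sender's {from_dom}")
    for trusted in TRUSTED_DOMAINS:
        if looks_like(from_dom, trusted):
            findings.append(f"sender domain {from_dom} imitates {trusted}")

    body = msg.get_body(preferencelist=("html", "plain"))
    links = LinkCollector()
    links.feed(body.get_content() if body else "")
    for href, text in links.links:
        href_dom, text_dom = domain_of(href), domain_of(text)
        if text_dom and href_dom and text_dom != href_dom:
            findings.append(f"link text shows {text_dom} but points to {href_dom}")
        for trusted in TRUSTED_DOMAINS:
            if looks_like(href_dom, trusted):
                findings.append(f"link domain {href_dom} imitates {trusted}")
    return findings


# Constructed sample: real-looking sender and logo-free body, but the
# Reply-To and the link target give it away.
SAMPLE = """\
From: "Payroll Team" <payroll@example.com>
Reply-To: payroll-helpdesk@examp1e-secure.net
To: staff@example.com
Subject: Action required: confirm your direct deposit details
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm your details at
<a href="http://examp1e.com/login">https://example.com/login</a>
or call 555-0100.</p></body></html>
"""

# Constructed sample of a legitimate internal notice.
CLEAN = """\
From: "Payroll Team" <payroll@example.com>
To: staff@example.com
Subject: Payslips available
Content-Type: text/plain; charset="utf-8"

Your payslip is available on the intranet at https://intranet.example.com/pay
"""

if __name__ == "__main__":
    for name, raw in (("SAMPLE", SAMPLE), ("CLEAN", CLEAN)):
        print(name, phishing_indicators(raw) or ["no indicators"])
```

The checks are deliberately header- and link-based rather than content-based, because the passage's point is that the visible content can be a perfect copy; what an attacker cannot easily fake is where replies and clicks actually go. A production gateway would extend TRUSTED_DOMAINS from the organisation's real SPF/DKIM-aligned domains and would also verify the authentication results headers, which this example does not do.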

The Value of the Program

The following areas of training must be covered for your security awareness campaign to have value:

  1. Teach them about passwords. Far too many people still use default passwords or simple-to-guess passwords, and reuse the same one across ten or more accounts. Is it laziness? A lack of training? Probably a bit of both. The right mentality helps people understand how crucial a strong password is, how important it has become to make passwords as hard to guess as possible, and why each account needs a different one.
  2. Social engineering is on the rise, and you need to discuss the tactics, the approaches and the most common victim mentalities.
  3. Legal obligations are rigidly enforced against companies. It is not just about getting buy-in to spend money; it is legally and morally the right thing to do. All of your company's staff need to be aware of this, as they all need to act and function as a team.
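Item 1 above is easier to sell when you can show people the problem in their own credentials rather than lecture about it. The following script, an added example that is not code from the original article, audits a credential inventory for default or common passwords, exact reuse across accounts, and, going one step beyond the text, "rotation variants" such as Summer2018! and Summer2019! that count as reuse in practice. The inventory, the common-password list and the 12-character minimum are constructed assumptions; a real audit would take a password-manager export and a breached-password feed.

```python
"""Audit a credential inventory for common, reused and rotated passwords.

Added example, not code from the original article. INVENTORY,
COMMON_PASSWORDS and MIN_LENGTH are constructed assumptions for the demo.
"""
from __future__ import annotations

import hashlib
import re
from collections import defaultdict

# Assumption: stand-in for a vendor-default / breached-password list.
COMMON_PASSWORDS = {"password", "123456", "admin", "welcome", "qwerty", "letmein"}
# Assumption: minimum length policy used by the audit.
MIN_LENGTH = 12

# Constructed inventory of (account, password). In practice this comes from a
# password-manager export or a credentialed audit, never a plain-text file.
INVENTORY = [
    ("vpn", "Summer2018!"),
    ("email", "Summer2018!"),
    ("crm", "Summer2019!"),
    ("router", "admin"),
    ("wiki", "password"),
    ("git", "Tr0ub4dor&3"),
    ("hr-portal", "summer2018"),
    ("ci", "correct horse battery staple"),
]


def fingerprint(password: str) -> str:
    """Short hash so findings can be reported without printing the password."""
    return hashlib.sha256(password.encode()).hexdigest()[:8]


def normalize(password: str) -> str:
    """Strip case, digits and symbols that people rotate to 'change' a password."""
    return re.sub(r"[^a-z]", "", password.lower())


def audit(inventory: list[tuple[str, str]]) -> dict:
    """Return findings keyed by category.

    common   -> accounts whose password is on the common/default list
    short    -> accounts whose password is under MIN_LENGTH characters
    reused   -> {fingerprint: [accounts]} for passwords used on >1 account
    variants -> {stem: [accounts]} where different passwords share a stem
    """
    common = [acct for acct, pw in inventory if pw.lower() in COMMON_PASSWORDS]
    short = [acct for acct, pw in inventory if len(pw) < MIN_LENGTH]

    by_exact: dict[str, list[str]] = defaultdict(list)
    by_stem: dict[str, list[str]] = defaultdict(list)
    stem_fps: dict[str, set[str]] = defaultdict(set)
    for acct, pw in inventory:
        fp = fingerprint(pw)
        by_exact[fp].append(acct)
        stem = normalize(pw)
        if stem:
            by_stem[stem].append(acct)
            stem_fps[stem].add(fp)

    reused = {fp: accts for fp, accts in by_exact.items() if len(accts) > 1}
    # A stem is a "variant family" only if it covers more than one distinct
    # password; exact duplicates are already reported under `reused`.
    variants = {stem: accts for stem, accts in by_stem.items() if len(stem_fps[stem]) > 1}
    return {"common": common, "short": short, "reused": reused, "variants": variants}


if __name__ == "__main__":
    result = audit(INVENTORY)
    print("common/default passwords:", result["common"])
    print("below minimum length:    ", result["short"])
    for fp, accts in result["reused"].items():
        print(f"password {fp} reused on: {accts}")
    for stem, accts in result["variants"].items():
        print(f"rotation variants of '{stem}' on: {accts}")
```

Reporting by fingerprint rather than by password lets the findings go into a ticket or an awareness session without exposing anyone's actual secret; the stem check is what turns "I use a different password for every account" into a verifiable claim rather than a self-assessment.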

Bad Things Can Really Happen to You

There is a massive misconception about whom cybercriminals target. Some people assume that if they don't work for the FBI or the CIA, their private information is not worth an attacker's time. Others think that since they are not the CEO of their company, they won't be targeted, and that the likelihood of their company being targeted is so low it is not worth worrying about. Right?

But attackers today are looking to make as much money as they can. Bitcoin makes it simple for them: they can demand that every payment be made to a pseudonymous wallet. They know how to hide their identities and choose targets not by who has the highest profile, but by who will yield the most money for the least effort.

Nor can one assume that the police will catch these people. Sometimes they do, sometimes they don't. Even a police force that hires an ex-hacker is not guaranteed success: active attackers often know the tradecraft better, because they have to protect themselves from fellow criminals as well.

Using the real story of a real company whose ordinary employees were victims of a major attack makes a strong case to the people you need buy-in from. There are many simple ways an attacker can get hold of an entire company, such as:

  • A pizza delivery person planting a malicious USB stick while an employee was distracted checking their wallet
  • An attacker's network placing its own people in jobs at the victim company. Their connection to the criminals can't be proven and is not on record, but they can subvert the company from within
  • An attacker posing as a "hurt ex-employee" on a social network just to obtain information, and frustrated employees answering and falling for it

Everyone must understand the implications. If your company is targeted by an attacker group, it can cost you your job whether the mistake was personally yours or not. The company might be forced to let you go, not because you were at fault, but because it has spent a great deal of money paying a ransom for improperly managed data. There are many ways it can play out.

Show Appreciation, Involve People

It is best to set up a mutual trust agreement within your company and ask everyone to forward any weird-looking, or even normal-looking but suspicious, email to a technical expert who knows their way around security issues and how to identify attack emails. To motivate your employees, it also helps to give them something in return, such as extra benefits, more days off or even a salary increase. It doesn't have to be a lot of money, but you can pay bonuses to every employee who followed internal security protocols.

Ransom Attacks Will Still Not Be Stopped

A ransomware attack can happen at the company or the personal level. Just because some people think they won't fall victim doesn't mean they won't. Hence, stressing the importance of specific training and testing, together with explaining past attacks that hurt people and companies, is the best way to make your case.

Which websites are visited? It matters. Are the latest updates installed on your computer, including all relevant software? That matters too. (These values and principles have to be taught, as buy-in comes with the desire to be informed.) Patching closes the known vulnerabilities that exploit-based attacks depend on, and such attacks remain a favorite; it does not stop an exploit for a flaw the vendor has not fixed yet, which is exactly why attackers keep hunting for new ones, anywhere and everywhere.

Combine Harsh Theory With Fun

Last but not least, you can't base everything on technical terms and technical training. Being technical is crucial, but it isn't enough on its own. Include fun, make it part of team-building or come up with other ideas. It's all about creativity, and that is no obstacle to building a strong security awareness program.


Cybercrime tactics and techniques: Q2 2018, Malwarebytes Labs

Three Ways to Gain Employee Buy-In to Your Company’s Cybersecurity Plan, WingSwept

Mahwish Khan

Mahwish Khan is a Pharm-D graduate from The University of Faisalabad. She is experienced in technical writing. She currently works for a university as a technical trainer and documentation specialist. In the past, she has taught university writing courses and worked in two university writing centers, both as a consultant and administrator.