Garrett O’Hara is the Chief Field Technologist, APAC at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.
Here’s how you can lower risk by changing attitudes from top to bottom.
When it comes to defining an organisation’s mission and vision, a lot of time is spent refining and getting it right. However, when it comes to making security awareness part of that overall approach, this isn’t the case.
With security awareness, creating a mission typically equals checking a box when really, it should be about commitment and underscoring the importance of security. A commitment to security from every employee and an understanding of how important it is to be secure should be part of an organisation’s guts and what makes it successful.
But to facilitate this, your awareness training must first engage your employees and engagement is definitely not just checking a box. It’s about going from compliance (“I took the training”) to commitment (“I learned from the training and modified my behavior because of my newfound awareness”).
Getting everyone committed is a key element for making any cybersecurity program work, but it is exceptionally difficult to create what is essentially a dramatic shift in corporate culture.
Four Cs of a Cybersecurity Awareness Program
In his recent post Why Employees Habits Are Cyber Risks, Josh Douglas wrote about the four key “Cs” on which cybersecurity awareness programs will either succeed or fail: compliance, commitment, complexity and culture. He argued that culture is the hardest to change and move the needle on, but at the same time, it’s the one with the most impact.
My takeaway: with the right approach, you can not only build a program around cybersecurity awareness but have that program foster behaviors that are ingrained directly into the day-to-day behavior of your employees, specifically the instinct to “stop, think and verify.”
5 Steps to Changing Corporate Behaviour Around Cybersecurity
Cyber awareness training is paramount when it comes to shifting behavior for your employees and lowering risk. The key is to make sure senior leadership rallies behind it to create commitment for a strong and lasting cybersecurity program. Here’s how to get started, in five steps:
Get buy-in and commitment from senior leadership
Behavior in a company always starts at the top. To get your whole organisation on board with cybersecurity awareness, the key stakeholders who set the tone for everything you do must be your biggest champions. If they aren’t, it’s going to be very difficult for your efforts to succeed.
Annual or quarterly training – which, according to our research, is what 52% of organisations do – isn’t effective. Your employees will take the training and likely forget about it until they do it again next year. Conducting the training in short monthly bursts will work much better.
Make sure training is engaging and fun
Nobody likes training that’s boring, dull or makes you feel like you’re being preached at or talked down to. Injecting humor into what you’re trying to provide can be a great start to an engaging and effective cybersecurity awareness training program. And keep it short. EVERYONE is busy. If you can’t get your point across in three to five minutes per training session, you are doing something wrong.
Underscore the importance of basic security hygiene
Context is critical for your program to work. Provide real-life examples of how your organisation may have failed and consequently suffered a cybersecurity breach. This will provide added weight to what you’re trying to accomplish. And while phishing is the number one attack vector companies face, it’s not everything.
Basic security hygiene means not plugging in unknown USBs, not talking about proprietary information in public places, not leaving your screen unlocked when you step away to grab a coffee. A little bit of heightened situational awareness goes a very long way to keeping the entire organisation safe.
Keep track of performance and effectiveness
You’ll need to find the correct metrics to show how your program is working. Otherwise, you won’t get the support you need to continue doing this important work. Click-through rates of your program elements are a good place to start.