As many organizations have learned to their regret, a policy for cybersecurity – however comprehensive, proactive, and technologically sound it may be – is doomed to failure if its terms aren’t adhered to by stakeholders of the enterprise, across the board.
This emphasizes the need both for eliciting buy-in to the concept and culture of security awareness, and for management to put the required guidelines, incentives, and mechanisms for implementation in place.
Security awareness training is an important part of this, as providing the information, methodologies, and best practices required for ensuring enterprise security is crucial to engaging employees as active participants in it.
For the management suite, it’s tempting to assume that awareness training programs may simply be achieved through funding: Throw money at the problem, and assume that the instructors will take care of everything else.
While it’s true that an adequate portion of the enterprise budget needs to be allocated to the topic, an effective employee security awareness culture needs to be fostered by management in a number of ways.
Security Awareness and the Importance of Policy Making
Formalized policies for business practice provide structure and consistency in relaying the organization’s message regarding security and other matters. They also provide clear, documented, and unambiguous terms and conditions which set out the rights and responsibilities of stakeholders, and the restrictions, penalties, disciplinary and legal actions which apply in all the cases described.
So a well-constructed policy serves as both a guiding framework for the stakeholder, and a form of statute, distilling the rules and requirements of the enterprise.
Security Awareness – Creating Policies for Email Usage
The office email and internet access platform is often viewed as a window of opportunity for workers to take care of personal business, get social, and blow off steam – on company time. However, uncontrolled use of these resources can all too easily leave the enterprise open to the risks of infection, compromise, or infiltration from any number of malicious sources.
So it’s imperative to make email and general internet etiquette a part of employee awareness, through the setting up of strong and comprehensive policies governing their use.
Models for this kind of document are available online, but the following points should be routinely incorporated:
- A clear and definitive statement of what constitutes acceptable use of enterprise email accounts, mail servers, and related resources.
- Parameters spelling out what concessions (if any) are made regarding the use of these resources for personal reasons.
- Rules concerning the handling and distribution of enterprise data, intellectual property, trademarks, and other brand-related resources.
- Making stakeholders aware of the powers and practices of management, with respect to the monitoring, recording, and policing of enterprise email activity.
- Setting out the limits of personal privacy which stakeholders can expect, with regard to their use of enterprise email.
- Defining any penalties and sanctions attracted by the misuse of enterprise email and related resources.
Note that similar guidelines should be set out, regarding the use of social media platforms, and their related applications.
Security Awareness – Creating Policies for Mobile Device Usage
Likewise, a policy document should be prepared to cover the use of enterprise-issued hardware and mobile devices and/or personal devices, in the case of a Bring Your Own Device (BYOD) implementation. Parameters and conditions relating to any Mobile Device Management (MDM) or similar scheme should be included in its preparation.
Creating Policies and Incentives for Threat Reporting
Again it must be stressed that the creation of standing policies does not in itself engender a state of security awareness, or encourage stakeholders to take an active part in nurturing it.
Willing participation is most likely to occur when there’s something to be gained from it. And while the prospect of fines, docked pay, or even losing their jobs may act as a spur in making employees toe the company line, the other side of the “carrot and stick” equation may be equally effective, if not more so.
An active security culture requires its members to play their part in knowing about their threat environment, what tools and methods they can use to respond to security incidents or troubleshoot problems, and where and how to report issues, when they arise.
Recognition for good practices, early detection, etc. should be factored in as an incentive for this kind of involvement. Bonuses, gifts, free time, commendations, or a competitive system of points and merits are tried and tested examples. Organizations may look to the field of gamification for clues on how to proceed in this.
Creating a Culture of Security Awareness
The road to security awareness remains an uphill path. A 2014 survey by Ecommerce Times named “end user carelessness” as the biggest threat perceived by 80% of corporate security professionals and IT administrators. Similarly, “people” were named as the root cause of some 90% of security incidents in Verizon’s 2015 Data Breach Investigations Report (DBIR).
Other studies have revealed similar results. Many workers (45% of US and 27% of UK employees) remain blissfully unaware of the penalties that their own organizations impose for suspicious or illicit activity on their corporate networks. And only around 68% of US workers and 57% of those in the UK are even aware that their organization has a documented information security policy.
The challenges to creating a culture of security awareness – an environment where everyone within the enterprise appreciates and understands that they are stakeholders and active participants in preserving its integrity and resilience to known and unknown threats – are indeed considerable. But building and nurturing such a culture isn’t an impossible mission.
Disclosure about the organization’s security posture needs to begin from the earliest stages, including the hiring and onboarding processes. An ongoing dialogue about security matters must then be maintained throughout the duration of normal working operations, with security representation of some kind ideally included within each working group or business unit.
Involvement and leadership from senior management helps instill the awareness culture through the ranks, by example. In more hierarchical corporate structures, a committee of security liaisons may be established to act as “ambassadors for security” spanning different sectors of the organization.
Providing Continuous and Varied Training Programs
If employees don’t know about a policy, or don’t know how to follow it, they can’t be expected to endorse it or enforce it. This is why training is such an important aspect both of creating employee awareness and of nurturing an environment in which security awareness and best practices become an everyday occurrence.
Awareness training programs may take many forms – but in all cases, their emphasis should be on effectively communicating knowledge, inspiring action and best practices, and putting these principles into effect over the long term, rather than adopting a quick and easy approach which just gets the information out there, and fails to follow up on it.
With increasingly diverse and geographically dispersed workforces, the techniques adopted for training need to be adaptable and wide-ranging, as well. PowerPoint-style presentations and video tutorials will only go so far – and the absorption rates of these traditional methods tend to be far lower than those of the more interactive and engaging methods of contemporary eLearning (electronic learning).
Interactive games, real-time threat scenarios to test employee readiness and response, screensavers and mobile app notifications for information dissemination, newsletters, blogs, email, and other media may be exploited to provide a continuous and varied program of training, testing, feedback, and orientation.
And awareness training needs to extend to the management tier, as well. In an ideal situation, some representation from senior management should be on the ground when awareness training for the general workforce is taking place – a case of leading by example. But training methods more appropriate to the day-to-day circumstances of senior management (time-constrained, often on the road, etc.) should also be provided.