Monday, November 21st, 2022
How to Implement a Cybersecurity Awareness Program That Actually Works
Protecting your organisation begins with ensuring your employees are prepared to assist in keeping your computers, networks and data safe. The strongest security asset is already inside the company: the employees. Security incidents can be caused by employees’ and other personnel’s actions or inaction. Human factors always play a role, such as the disclosure of information that could be used in a social engineering attack, the failure to report observed unusual activity, the improper access of sensitive information unrelated to the user’s role, and so on.
The human element cannot be neglected. Digital transformation is something almost all organisations are experiencing daily, but often with behaviour that involves risks to information. As a result, it is important to work on preventing the company’s information from being vulnerable to social engineering attacks by having the right security awareness program in place, with a combination of online modules, onsite classroom-type sessions and regular phishing simulations. Give your users means and processes for reporting suspected phishing emails that evade your security systems.
Here are some steps your organisation can take to implement an effective cybersecurity awareness program.
1. Convince the Board / Senior Management and prioritise cybersecurity awareness organisation wide
Many CIOs and CISOs are faced with challenges when it comes to communicating to board members and making them aware of critical risks to the organisation. In today’s world where threats are constant, more risks mean more budget needs. To justify an expense for implementing an effective Cybersecurity Awareness program, you must clearly present the risks. The plan you will implement to protect the company’s assets, and the rationale behind the cost, are also important.
You must demonstrate the competency of you and your security team in the most effective manner, one that translates well and leaves your board with no questions. Focusing on the risks versus the rewards can be critical in the board room. While the security team might consider a certain task a significant achievement, the board may not have an appropriate understanding of the business implications of this effort. CISOs need to brief the board on the organisation’s top objectives and how the security team is directly supporting them; as a result, the conversation will be much more productive.
Explaining why training—or the “human” part of a modern cybersecurity strategy—is so important is critical to implementing a successful program. By connecting the significance of cybersecurity to customer service and employee safety, you will show, in real terms, how an effective cybersecurity program benefits the organisation.
2. Conduct regular cybersecurity awareness training
To have good cybersecurity in the workplace, you need staff on your side. They’re your best defence – but only if they’re properly informed and motivated. Your employees are frequently exposed to sophisticated social engineering attacks, making Cybersecurity Awareness Training an important step to take in securing your business against hacking, malware, phishing and other online threats. One size doesn’t always fit all, especially in the case of cybersecurity. We always recommend complementing the usual online cybersecurity awareness training with a yearly onsite training as well. This training should be delivered by a subject matter expert and can be amended to include aspects that you feel are important. Depending on the size, industry and primary function of your organisation, your training can differ in the level of detail and comprehensiveness.
3. Run regular phishing simulation exercises and learn from them
Phishing simulations play an integral part in implementing an effective Cybersecurity Awareness program and should be carried out regularly. Phishing simulations can also help you identify which types of phishing attacks are most successful against your organisation and which groups of employees to focus more on as part of your security awareness training efforts. When conducting a phishing simulation, we recommend creating a strategy for it first. This strategy should take into account a gradual increase in difficulty over time, the motives behind each simulation and the targeted departments.
One thing to keep in mind (and this is where a lot of organisations miss a step!): Your phishing simulation strategy must also include easy-to-follow instructions about how your employees should report suspected phishing or social engineering attacks.
After you’ve run your first phishing simulation, what kind of metrics are you going to focus on? Organisations tend to focus on opened emails and clicked links, but the reality is that emails are meant to be opened, and a clicked link doesn’t always mean that something malicious has taken place. Keep in mind, modern cyber criminals are looking for credentials and a way in. So, it’s important to focus on the count of credentials entered, the count of phishing emails reported and your phish-prone score over time.
4. Instil a culture of cybersecurity
Good awareness comes with a good cybersecurity culture. Once initial training has been provided to employees, they should be better equipped to stop a cyber attack in future. You must continue to encourage participation and ensure cybersecurity remains top of mind for them at all times.
Educate your users.
Ensure they are kept up to date on cybersecurity news and incidents. Make sure employees only use strong, complex passwords and have a password manager in place. It may seem like you hear this one a lot, but weak passwords are still quite common. The rule of thumb is that if you remember your password, it’s too weak. Luckily, we don’t have to remember all of our passwords in this day and age. That’s why we recommend secure password managers, like Keeper Security, to generate and securely store your strong passwords.
While secure passwords are great, a single authentication point is not secure enough. With MFA, it’s no longer about granting access based on traditional usernames and passwords; it’s about granting access based on multiple weighted factors, reducing the risks of compromised passwords. It adds another layer of protection from the kinds of damaging attacks that cost organisations millions.
Get a regular independent view of your security controls
Regular, independent reviews are necessary to determine whether your organisation’s cybersecurity posture is up to scratch or whether you’re meeting the requirements of a security standard. We’re all busy, and without a proper yearly schedule a review can easily be overlooked. Depending on the size and type of organisation, the best way to assess your information security position is against a recognised standard that is both auditable and certifiable. A leading standard that is both auditable and certifiable is ISO27001.
5. Analyse & Adjust
The results of the cybersecurity training should be analysed regularly, both for individuals and for the organisation as a whole. Data that emerges from training, whether it’s a failure to adhere to a compliance framework or the results of a phishing simulation exercise, should be used to determine a threat or security score. The program should highlight how secure the company is overall, identify individuals who may need retraining, and determine any particular areas that need reinforcing.
Similarly, success metrics and statistics from training procedures should be shared to show how training, new policies, processes and other things you’ve implemented are working. For example, if you recently sent out a spear phish, you can share a report on how many people clicked on it and highlight what red flags were in the email so that your users can learn to watch out for those in the future. You could also show how many people reported it to IT and compare it to a previous spear phishing campaign, keeping an overall positive message – showing that more people are getting into the habit of reporting emails.
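To make the metrics from step 3 and the campaign-over-campaign comparison above concrete, here is a small Python script that computes them from simulation results. It is an added example, not code from the original post or from any phishing-simulation product; the figures are constructed sample data, and the "phish-prone rate" is assumed here to be the share of recipients who entered credentials (products define this score differently, so adjust the definition to match your tooling). It also generalises the per-campaign report to a per-department breakdown, which the post mentions as the basis for deciding where to focus retraining.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SimulationResult:
    """One department's outcome for one phishing simulation campaign."""
    campaign: str               # campaign identifier, e.g. "2022-Q1" (hypothetical)
    department: str
    sent: int                   # simulated phishing emails delivered
    opened: int
    clicked: int
    credentials_entered: int    # recipients who submitted credentials on the landing page
    reported: int               # recipients who reported the email via the reporting process


# Constructed sample data for two campaigns; not real figures.
RESULTS = [
    SimulationResult("2022-Q1", "Finance",     50, 41, 18, 11,  4),
    SimulationResult("2022-Q1", "Sales",       80, 62, 30, 19,  6),
    SimulationResult("2022-Q1", "Engineering", 70, 55, 12,  3, 21),
    SimulationResult("2022-Q3", "Finance",     50, 44, 14,  6, 12),
    SimulationResult("2022-Q3", "Sales",       80, 60, 22, 10, 17),
    SimulationResult("2022-Q3", "Engineering", 70, 51,  9,  2, 30),
]


def _ratio(numerator: int, denominator: int) -> float:
    """Rate rounded to three decimals; zero when nothing was sent."""
    return round(numerator / denominator, 3) if denominator else 0.0


def campaign_metrics(results, campaign: str) -> dict:
    """Organisation-wide rates for one campaign.

    The post's point: click rate is a weak signal; credentials entered
    (phish-prone rate) and reports are the numbers that matter.
    """
    rows = [r for r in results if r.campaign == campaign]
    sent = sum(r.sent for r in rows)
    return {
        "sent": sent,
        "click_rate": _ratio(sum(r.clicked for r in rows), sent),
        # Assumption: phish-prone rate = credentials entered / emails sent.
        "phish_prone_rate": _ratio(sum(r.credentials_entered for r in rows), sent),
        "report_rate": _ratio(sum(r.reported for r in rows), sent),
    }


def department_ranking(results, campaign: str) -> list:
    """Departments ordered from most to least phish-prone for one campaign."""
    rows = [r for r in results if r.campaign == campaign]
    ranked = [(r.department, _ratio(r.credentials_entered, r.sent)) for r in rows]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def retraining_candidates(results, campaign: str, threshold: float) -> list:
    """Departments whose phish-prone rate exceeds the given threshold."""
    return [dept for dept, rate in department_ranking(results, campaign) if rate > threshold]


def trend(results) -> list:
    """(campaign, phish_prone_rate, report_rate) for each campaign, in campaign order."""
    campaigns = sorted({r.campaign for r in results})
    return [
        (c, campaign_metrics(results, c)["phish_prone_rate"], campaign_metrics(results, c)["report_rate"])
        for c in campaigns
    ]


def improvement(results) -> dict:
    """Change between the two most recent campaigns, for the positive-message report.

    A negative phish_prone_delta and a positive report_delta both mean things improved.
    """
    history = trend(results)
    (_, prev_prone, prev_report), (_, last_prone, last_report) = history[-2], history[-1]
    return {
        "phish_prone_delta": round(last_prone - prev_prone, 3),
        "report_delta": round(last_report - prev_report, 3),
    }


if __name__ == "__main__":
    for campaign, prone, reported in trend(RESULTS):
        print(f"{campaign}: phish-prone {prone:.1%}, reported {reported:.1%}")
    print("Ranking 2022-Q3:", department_ranking(RESULTS, "2022-Q3"))
    print("Retraining (>10%):", retraining_candidates(RESULTS, "2022-Q3", 0.10))
    print("Change since last campaign:", improvement(RESULTS))
```

Feed the script your simulation tool's export in place of `RESULTS` and track `trend()` over time; a falling phish-prone rate together with a rising report rate is the picture the post recommends sharing with staff.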
As with all technology, cybersecurity threats constantly evolve, so you should regularly update your cybersecurity awareness program. Adjust your cybersecurity awareness training schedule based on results from employee assessments and any updated policies or procedures.
Designing an effective cybersecurity awareness training program for your company’s employees can be challenging. The most important thing is to make sure all of your employees are trained and aware. Cybersecurity is no longer the sole job of IT security professionals. It’s a shared responsibility, which requires efforts at all levels of the organisation. The smallest actions can have the greatest positive impact.