{"id":2273,"date":"2020-02-20T09:32:47","date_gmt":"2020-02-20T09:32:47","guid":{"rendered":"http:\/\/kusuaks7\/?p=1878"},"modified":"2024-01-04T15:46:41","modified_gmt":"2024-01-04T15:46:41","slug":"the-hard-truth-around-cyber-security-awareness-programmes","status":"publish","type":"post","link":"https:\/\/www.experfy.com\/blog\/bigdata-cloud\/the-hard-truth-around-cyber-security-awareness-programmes\/","title":{"rendered":"The Hard Truth Around Cyber Security Awareness Programmes"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

<\/h2>\n

5 key points to drive culture change around cyber security<\/h2><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tCulture and governance are key to drive change around cyber security behaviours, but too many awareness programmes focus simply on superficial technical gimmicks. Let\u2019s start by deconstructing 3 clich\u00e9s which have been dominating the security awareness arena for the past decade.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Clich\u00e9 #1 \u2013 Cyber Security is Everybody\u2019s Responsibility<\/h2><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tAt face value, this is truly a very dangerous argument to manipulate. To answer it using another clich\u00e9, there is a fine line between something being everybody\u2019s responsibility, and the same thing becoming nobody\u2019s responsibility<\/a>.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tThe key here is to acknowledge that while each employee may have a role to play in securing the firm\u2019s assets, those roles do vary from function to function, and failure to communicate with each staff member in meaningful ways in the context of their own job will simply not work: Telling HR staff who receive CVs by email everyday not to open attachments is a waste of time.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\nAlso, it is essential to acknowledge that the level of engagement of each employee around cyber security will depend entirely on the level of engagement the employee has with the firm, its culture and its values. It is a natural instinct to protect what you care about. Conversely, it can be a hard job to convince disengaged staff, or staff who see senior management constantly allowed to skip the rules, while they have to adhere to stricter measures.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tSo it may well be that in some form \u201cCyber Security is Everyone\u2019s Responsibility\u201d, but the message cannot be generic and has to be structured appropriately. In addition, the example has to come from the top and must be relayed without exception by all middle-management layers for the message of good practice to work through the fabric of the firm.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tThat\u2019s often the most common flaw of many cyber security awareness campaigns: They are owned by the cyber security team and structured horizontally towards all staff, instead of being owned by a board member and structured to cascade vertically through line management. Ownership for Cyber Security has to start at the top. Period. One board member<\/a> should be visibly in charge, and part of their compensation package should ride on it, as we advocated in an earlier article.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tHR management should be involved as well, and they have a key role to play: Specific key responsibilities and accountabilities around cyber security should be distributed across staff members and articulated formally in role descriptions. Staff should be incentivised through compensation and by middle-management to address those aspects of their roles as an integral part of their job, not as a piece of meaningless management jargon.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tReaders may think this is just idealistic and cannot work in most firms, because those layers of management simply would not be interested or would not understand cyber security sufficiently to articulate a meaningful vision around it.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tThey may well be right in many cases, but it is also the role of the CISO to stimulate, structure and support that type of engagement.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\nOf course, firms looking to engage in that type of top-down approach to cyber security awareness development will need to have the right CISO in terms of personal profile, personal gravitas and management experience, or may need to evolve their security organisation to bring in a broader CSO<\/a> role.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\nThose necessary exchanges between the security leadership team and senior management will constitute a fundamental awareness programme just by themselves, but any security awareness development campaign can only be truly successful with a visible and credible board member as a figurehead.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tIf senior management \u2013 including HR management \u2013 or middle-management are not prepared to engage in a meaningful manner with the fundamental aspects of security good practice, any message anybody may try to drive towards the staff could simply prove to be an expensive waste of money.\n\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Clich\u00e9 #2 \u2013 People are the Weakest Link<\/h2><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tThey may well be, but the key is to understand why and how in the context of each firm, before jumping to ready-made solutions, in particular with tech vendors.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tIt has to start from a sound examination of the threats each business is facing. The insider threat may well be a widespread high-ranking business threat in financial services, not so much maybe in logistics or retail.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tOf course, in all firms there will be people who have access to sensitive business information and may be tempted or coerced in certain circumstances to leak it out. But the key here is to understand and address their potential motivations in doing so.\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tThose motivations \u2013 quite often \u2013 will be rooted in corporate culture, management styles and governance problems. As many areas you are not likely to address through a \u201ctraditional\u201d tech-focused cyber security awareness programme\u2026\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tIt is worth repeating this one more time: Staff will protect the firm with a natural instinct, if they care about it and share its values and its purpose \u2013 economically, and increasingly socially as well.\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tIf that sense of care is not there, if the corporate or management culture is toxic, if employees don\u2019t have a sense that they know where the business is going, either because it is not well managed, or because its industry sector at large is not doing well, a broader communication initiative addressing staff disengagement is required and specialised or siloed awareness programmes focusing simply on cyber security are not likely to succeed.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tThe key will be to bring staff onboard with a valid corporate purpose they can understand and endorse. The need to protect the firm in general as well as its information assets could be one aspect but immersed into a broader campaign aimed at developing a real sense of belonging with employees.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tHere again, HR, corporate communications and senior management at large have a key role to play. One senior executive must visibly own and drive the initiative. Once again, this cannot be siloed and left to the CISO and their team.\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Clich\u00e9 #3 \u2013 This is all about \u201cAwareness\u201d<\/h2><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tHow can it be that some firms \u2013 and their CISOs \u2013 still believe that their staff \u2013 apparently \u2013 do not KNOW what to do to protect their organisation from cyber threats?\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tMany people \u2013 at individual level \u2013 have experienced fraud attempts or virus attacks; data breaches and cyber-attacks are constantly in the news, and many online platforms and service providers have strengthened considerably various of their security measures, for example around multi-factor authentication; increasingly, people are getting used to those additional layers of security in their everyday life.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tMore importantly, security good practices have been well established for 2 decades and have not evolved that much: \u201cDon\u2019t write down your password\u201d meant the same 10 or 20 years ago\u2026\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tAnd large firms have spent collectively hundreds of millions across the last 2 decades on so called \u201csecurity awareness\u201d programmes, not to mention governments and their agencies.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tSo where did it go wrong with those programmes?\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tThe problem is that most of those \u2013 over time \u2013 have focused too much on making sure people simply KNOW what to do around security, and not so much in giving them incentives to ACT on it, or dealing with the roadblocks preventing staff from enacting good practice.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tJust \u201cknowing\u201d what to do to protect your organisation is simply not enough; only the right actions and behaviours can protect the business, so \u201cawareness\u201d by itself is never going to be sufficient without incentives to act and \u2013 where necessary \u2013 culture change.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tIn addition, as detailed above, many of those programmes have often fallen short of expectations by being too generic and not rooted in the right cultural context.\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tFake phishing campaigns are a good example of where it goes wrong: They have been all the rage for the past few years but often they contribute to the build-up of a \u201cnasty\u201d culture around cyber security: Employees feel tricked and embarrassed, and those are not emotions which are likely to build a favourable ground in which to root good security practices.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tSending random emails, forcing people to follow online training programmes, putting up posters or distributing mouse-mats may well put ticks in compliance boxes but what does that achieve in real life?\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tSuccess criteria (\u201cWhat-Good-Looks-Like\u201d) remain vague, qualitative or anecdotal in many campaigns (for those that are not designed as a pure box-checking exercise to address some cheap audit point)\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tThat shouldn\u2019t be the case, and as a matter of fact, the issue of metrics should be central to any cyber security awareness programme and built in from the start.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tBut it is a really difficult topic, which is why it is frequently side-stepped.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\tThe only way to address this is a meaningful manner \u2013 for firms large enough to do this \u2013 is to fall back on traditional marketing and polling methods:\n