Security Awareness Starts with Caring

It’s October and that means it is Security Awareness Month. Security awareness has become an integral part of many organization’s cyber risk management strategy and it makes sense to do so. Our users have extensive access to data and systems worth protecting and cyber criminals are bypassing our expensive cyber security toys by attacking our users.

Security Awareness Month was started in 2003 by the Nation Cyber Security Division of the Department of Homeland Security in an effort to help Americans and by proxy the rest of the world, stay safe and secure online through awareness campaigns. It was a simpler time back them, but NCSD realized that without public awareness of cyber threats, the public was doomed to continue to fall victim.

The inception of the security awareness month eventually led to enterprises adding cyber security into their internal training programs and has created a handful of companies that specialize in cyber security computer based training.

However it is 2019, sixteen years after inception and we still see citizens and employees falling victim to cyber criminals leading breaches. So naturally we need to question the effectiveness of security awareness training.

I worked for a large enterprise for many years and I know first hand how apathetic employees are to MOAR internal training. Enterprises have been attempting to incentivize staff by making security awareness mandatory, as boring as possible and tied to a bonus. A winning combination for compliance.

Do Security Awareness Programs Suck?

First I think security awareness is really important. We are all digital netizens and are going to continue to be stepping on and over cyber security landmines at home and at work. However, the dry internal training as well as the out of the box computer based training (CBT) solutions out there, leaves a lot to be desired and we clearly are not seeing the uptake you would think we would have with provide such important knowledge to modern day digital citizen.

The apathy towards this type of training is not because we don’t already know the Internet is a dangerous place but rather because we do not understand its value to us beyond our day job. That is a major problem. Enterprise training programs are are designed for one thing and one thing only, the business. Employees who have had to go through various other training regimes have become apathetic to the business needs and are just as likely to spend the hour trying to figure out how to cheat the completion of the course, rather than actually completing the course and learning something.

So How Do You Make Security Awareness Effective?

I have approached cyber security awareness differently. While the end goal still stays the same: reduce the risk to the business, I spend much more time with employees to ensure they care. First, I do not lead with a monotony of boring CBT videos but rather do in person Lunch’n‘Learn style presentations with smaller groups.

Second, I start off by telling the audience that the presentation has NOTHING to do with the cyber security of the company but rather a discussion how they can keep themselves safe on the Internet. I cover various topics on the who/what/where/when how of cyber crime, how they can detect Internet bad guys and things they can do at home to avoid becoming a victim. The goal of this Lunch’n’Learn is to have the audience recognize the value of this information and bring it home to the dinner table that night to discuss with their kids and/or parents, both vulnerable demographics. If your employees care about cyber security at home, they are going to care about cyber security at work.

Third, the presentation naturally migrated to a town hall style discussion which enables attendees to ask great questions as well as build bonds with other team members who realize they are not alone in not being cyber security experts. By encouraging employees to care about the training as it pertains to protecting their loved ones, they naturally want to know more, ask better questions and proactively seek further knowledge. When follow up CBT training is offered, we see a larger uptake in participation and measurable reductions in risk across the board.

When your employees feel that the business cares, they also care which will result in a net benefit to both employee and employer. Cyber security is everyone’s responsibility and building awareness is an important step to preventing your employees or company becoming the next victim.

If you would like to learn more about how to improve security awareness within your team, we are here to help.

Alex Dow