While cybersecurity awareness is all the rage most enterprises lack either cybersecurity awareness entirely, or they are at the beginning of their journey and looking for ways to improve their current situation. According to Fortinet in the ‘The CIO and Cybersecurity: A Report on Current Priorities and Challenges’ report, CIOs rated ‘Hackers/Attackers’ as their top cybersecurity challenge. Interestingly, whilst Hackers/Attackers are ranked the biggest challenge, Cybersecurity awareness across the business ranks lowest, we would argue a safer IT environment starts with Cyber aware employees.
In the Cyber Trendscape 2020 report from FireEye, only 49% of CISOs that participated in the study reported that they are fully ready for a cyberattack or data breach. So, there is a long road ahead to securing your data. Creating cybersecurity awareness in your enterprise takes an enormous amount of effort. Still, we think that stepping on the road of creating a cyber threat aware culture takes smaller measures in the beginning than you think. Though, you cannot forget about the basics – and perhaps the most vital elements of changing your cybersecurity culture:
- You need a person or a team to take ownership of creating a cybersecurity aware culture.
- You need the full support of the leadership of your organization.
- Your employees are your biggest enemies and your best chances in this cause (more about it a bit later).
- It will take a lot more communication than you are prepared to take on.
Before we jump into the core topic, let’s kick off with what cybersecurity awareness is and how enterprises have traditionally been tackling this topic.
Back to basics: what is cybersecurity awareness?
Cybersecurity awareness may sound super fancy but, what do we mean when we talk about IT security awareness? When you decide that you want to create security awareness within your organization, your end-goal is to make sure that everyone understands the potential cyber threats and risks. They need to have the knowledge and skills to do their best to help prevent cyberattacks.
Beyond investing in all the vital technologies (setting up firewalls, buying comprehensive cybersecurity defense systems, and implementing sophisticated IT protocols), you need to develop robust control over security and processes, and awareness of the risks involved can support that. Creating awareness means that you establish a culture within your organization in which people learn to recognize how their online behavior could cause or prevent potential data breaches.
The core foundation of cybersecurity awareness is that your communication and education is on point: all your employees are aware of the threats they face by using the Internet, they know that security is not only your and your team’s job, but their behavior has a crucial impact on your organization’s cybersecurity effort, and you constantly re-enforce their knowledge and skills by continuous education.
While information security threats are on the rise, awareness among employees lags behind. At the workplace, we are using more and more online services, but the idea of a strong security culture is hardly embraced.
The traditional approach to cybersecurity awareness
While security and security awareness may be a priority, the actions don't always reflect it. Traditionally, cybersecurity awareness has been on the table of one person or one team. This could also mean that cybersecurity is not an executive-level or board-level concern, thus the financial support for the cause is limited.
Often, employees could get occasional communication (and very often the responsible person or team lacks the soft skills required for effective communication) or training on cybersecurity (read here Hoxhunt’s CEOs thoughts on why traditional security awareness training doesn’t work) and threats (and in some enterprises when employees make an error, they could get punished for that). Reminding people about cybersecurity every once in a while is not enough to minimize their errors significantly.
The modern approach to cybersecurity awareness
Today, cybersecurity awareness cannot be neglected. This means that to break through the flaws of the traditional way of painfully trying to create cybersecurity awareness, the topic must be on your agenda daily. Now, we will walk you through some of the steps you should take to create a culture of cybersecurity among your employees.
Get leadership support, take charge. and involve all your employees
Like in most strategic activities, you simply cannot succeed without having the buy-in from the executives of your business. According to some, cybersecurity should even be a board-level concern today (as an attack can result in serious consequences). Once, cyberattacks are happening, suddenly, they grab the interest of the board of directors though. Perhaps, cybersecurity awareness should be on their agenda too to avoid incidents. A top-down approach will secure that you don’t only have full support from your leadership, but you also have funds allocated for security awareness to be a priority. Unfortunately, sometimes, the biggest obstacle to creating an influential security culture is the lack of resources.
Take charge of the cybersecurity awareness program
It’s essential to have a person or even better a whole team to lead the program. The difference between the traditional and the modern approach is that in a modern cybersecurity awareness program creating employee involvement is your single most important job.
As we mentioned in the intro, you’ll focus on communication a lot more than you could imagine. You will need to ensure that employees are aware of the threats and possible attacks, and they know exactly how to behave. Since constant communication is such a crucial part of your security awareness program – and it can also be the most challenging and intimidating part, later, we will publish an article solely around the topic to make your job a little bit easier.
Create a plan on how you raise cybersecurity awareness within your organization
Once you have the support of your leadership, and you have agreed on the roles and responsibilities, you should start working on your plan.
Your plan needs to answer the following: what actions do you need to take to create cybersecurity awareness in your enterprise? Before we dig any deeper, remember that all companies are different, thus your approach to creating cybersecurity awareness could take a wholly altered approach than the ones in some other organizations.
Evaluate your current status
Start the process by looking at the current state of information security awareness in your enterprise.
- What is the current security awareness situation in your organization?
- Did you have a program before?
- If you had, did you measure any KPIs?
- Did you create any documentation, policies, or processes?
- Did these work?
- Who was responsible for it?
- Have you gathered any feedback from your employees?
- Did you have any educational programs?
- How did you train new employees on your rules?
- Do you need to create new policies and processes?
It may help to interview different stakeholders just to make sure that you get the full picture on the topic.
In your assessment, you can also refer to the cybersecurity people maturity model. Based on the image below you can identify which stage your organization is in right now and set your goal of where you’d like to be in a year, for example.
Have a mission statement
Having a mission statement for your cybersecurity awareness can support your cause. A clear statement will help your employees to remember why you are doing what you do and how they can have an impact on your organization’s information security.
The mission statement should answer why you have a cybersecurity awareness program, what its overall goal is, how your organization and employees will benefit from it. You could also shortly include the necessary actions you will take as part of the program.
Plan all your activities
Now that you’ve set the foundation for your plan, you should outline all the activities that you intend to do as part of creating security awareness.
This phase will require a lot of research and planning. You will need to tailor the program entirely to meet your organization’s needs and culture the best. Most likely, you will need to find new tools and vendors to support your journey.
It’s up to you how you like to plan: you could, for example, prepare for a year ahead and create a calendar of all the action you need to take, or you could take the approach of planning the bigger picture first and plan the activities quarterly.
It can also be a good idea to be transparent about your plan, so if you like, you can publish it in your intranet for the reference of all your stakeholders – after all, your goal is to align everyone with your initiative. In a future article, we will give some tips on the activities you should consider including in your plan. So, stay tuned for more!
Program for new employees
Let’s not forget about the new people joining your company. Have a great plan in place for them, so from day one, they know that cybersecurity awareness is a priority for you; thus, it is also a priority for them. Starting the awareness program from their day one will make sure that they will be committed to your efforts.
Create policies and processes
People tend to hate policies and processes. You cannot avoid them, though. Make these simple enough to understand and opposed to lengthy documentation that no one would ever read. Make it a part of your program to remind your employees often about the policies and processes in place, so the topic stays on the top of their minds.
Define how you will measure success
Right after communication, this can be one of the most challenging parts of your security awareness program. As creating awareness is an abstract task, the measuring can be quite challenging. One of the most significant signs of a well-performing information security awareness program is when you can prove that employee behavior has changed. Phishing training is one of the best tools to educate people on how to be more secure online and measure at the same time how their behavior is developing as a result of the education program. Companies that are using phishing simulations can prove success and compliance with better metrics.
Just for comparison, typically, in a company that lacks a good cybersecurity education program, phishing awareness generally is around 4% (based on the reported phishing emails/incidents). With infrequent phishing training, this number can go as high as 25%. With automated, frequent phishing training, the results can be stellar: it can go as high as 60%.
According to Ira Winkler (whose whitepaper on how you use machine learning to impact information security awareness can be found here), you could also measure the number of incidents prevented through behavior change. You could say that previously, an incident on average would have cost you 10 000 US dollars. Just count how many incidents you avoided by improved information security training and multiply the above price tag with the number. Whilst you possibly cannot prevent all the attacks, with a good awareness program, you can avoid quite a few. Investing in cybersecurity awareness is a lot more cost-efficient than the cost of the incidents would be.
Another approach would be that you would simply create a security awareness survey (work with the HR department – and you can use for example SurveyMonkey’s ready-made security awareness survey template). You can ask people about their knowledge or even their opinion on the program. Your team can also measure how many incidents have been reported, and this could be an indicator of whether your program has been improving the reporting rates from before (if you had a reporting process in place beforehand).
Treat your employees as your most important part of your cybersecurity awareness program
This probably doesn’t come as a surprise for you. You must engage your employees, and you must make sure that they understand why information security awareness is vital for your organization.
A successful program makes sure that everyone understands that cybersecurity is not one person’s responsibility, but it’s everyone’s. Emphasize that by educating people and helping them to implement changes in their online behavior you don’t only help them to be safer at work and protect your business, but they will also get tools for being safer at home. They can also pass their knowledge and skills on to their families, friends, and communities.
A good program should educate employees about the following: data, network, social media, use of devices, use of WiFi, phishing emails, social engineering, and different types of viruses, malware, cyber threats and attacks.
TIP: Share our guide to recognizing phishing attacks with your employees. Find it here. Don’t make people sit in a classroom a few times a year (like in the good old days), instead, look for training that is interactive, interesting, and quick so your employees would want to participate and learn more.
Promoting knowledge and mindful behavior on your own can be very challenging. Cybersecurity experts suggest hiring firms that are specializing in training and education that boost cybersecurity awareness. Doing content on your own would end up being more expensive and time-consuming than the cost of cybersecurity awareness training.
You cannot appreciate enough the ‘human firewall’ until you recognize how big a role people play in defending your security. (By the way, did you know that 95% of cybersecurity breaches happen due to human error?).
Deploy the program
Once you’ve done all the above, there’s nothing left than to “deploy the program into production”. The key to success is to communicate, communicate, communicate, and make the campaign as inclusive, interactive, and exciting for all your employees. Emphasize that all employees are responsible for their activities. At the same time, when you try to create a positive vibe about your program, penalizing those who fail is maybe not the best approach. Focus on how your employees can succeed on their way to gather more knowledge and develop their skills about threats they are facing when going online.
Start thinking of how to implement your very own information security awareness program
Congratulations, you have just gone through this long guide to how to implement your very own information security awareness program. As this is only the first part of a series of articles we are going to publish, you should stick with us for more (you can subscribe here) – and hopefully, these tips will make your daily job just a bit easier.