Article

The best ways to boost cybersecurity awareness

With the volume and sophistication of threats faced by organisations growing all the time, new approaches are needed if cybersecurity awareness is to keep pace.

By Tim Ferguson

Tue 12 Feb 2019 @ 10:58

One of the best weapons an organisation has against cybercriminals is its own employees. Awareness of cyberthreats, how to spot them, and how to deal with them are therefore key capabilities.

Back in 2017, the Institute of Directors advised that any cybersecurity strategy should include awareness training to be effective, as “the biggest risk, as technology becomes more sophisticated, is human failure”. This is now truer than ever before.

People remain the weak link in most organisations, with Verizon's 2017 Data Breach Digest finding that 90 per cent of data-loss incidents studied involved phishing or the social engineering of end users.

With the volume and sophistication of threats facing organisations growing all the time and individual users being increasingly targeted, the days of annual training sessions conducted as a tick-box exercise are over. Indeed, there is evidence that traditional cybersecurity training is making organisational security weaker.

Continual awareness-building and the development of a good corporate security culture are the way to go. Here are our pick of the most effective approaches:

Customisation

Tailoring cybersecurity awareness training to the organisation is one way to improve its effectiveness. It’s also clear that computer-based training alone isn’t sufficient.

SANS Security Awareness provides comprehensive security awareness training that has been designed with input from designers, curriculum-builders and adult-learning specialists. This makes the training more digestible, improves engagement and helps employees retain the information more effectively.

SANS offers security awareness training classes, computer-based training and other resources. The EndUser Training 2019 Content Series, for example, includes various training content styles and updates aimed at engaging employees whatever their level of comprehension.

SANS also pitches the training at a level appropriate to individual organisations and employees by benchmarking current security awareness efforts. It then provides a customisable mix of end user training that addresses relevant threats and teaches concepts critical to workplace security, while also being consistent with specific corporate cultures.

Gamification

Gamification – defined by Gartner as “the use of game mechanics and experience design to digitally engage and motivate people to achieve their goals” – has been used to successfully boost security awareness for some time.

The factors behind its success include a recognition of positive behaviour around cybersecurity, increased frequency of training and employee engagement. Another benefit is that it can be automated so employees can learn at their own pace and access the training whenever it’s convenient.

Gamification can be used in a number of ways to improve security. For example, SANS engages players by asking them to use their understanding of security behaviours and strategically apply them. The games provide additional elements of engagement such as points, progression and levels. The aim is for players to better understand social engineering and apply secure behaviours in the event of a cyberattack.

Carmaker Ford has taken a similar approach with an online training community featuring levels, badges and trophies to encourage friendly competition among staff members. Meanwhile, Deloitte created communities on its learning portal that encourage employees to enter into friendly competition with peers, with high performers then recognised as ‘security champions’.

PwC meanwhile has developed a gamification system called Game of Threats to help teach business leaders about cybersecurity and how to respond to attacks. The game simulates a realistic cyberattack, to which executives must respond by making quick decisions to minimise damage.

Fostering shared responsibility

Accenture recently highlighted organisational culture as one of four areas CEOs should focus on in relation to cybersecurity. This involves striking a balance between security capabilities and employee responsibility.

By encouraging employees to be more involved in supporting the company security team, they will naturally become more aware of what to look out for. This means more issues will be flagged to the security team, while feedback can be used to continually update processes and tools in response to what users are seeing.

Departments also need to work together more effectively, to improve understanding of the security issues faced and to make security the responsibility of everyone in the organisation.

A good way to make people aware of the responsibilities is to circulate news of compromises and breaches within the industry, and highlight when they were caused by user error or by a lack of knowledge. Details of steps employees should take to avoid making the same mistakes could be included, as well as what to look out for in unusual behaviour from other employees.

In this way, a culture of cybersecurity should develop, making organisations safer from insider threats and help security teams to focus on detection and mitigation of external attacks.