By: Jay Allpress on September 27th, 2018
Create a Company Culture of Cybersecurity Awareness
4 Ways to Build Security Awareness at Your Company
We’ve all seen security breach headlines. Even major companies like FedEx, Reddit, Under Armour, Unity Point Health, and just last week, Facebook, have all had cybersecurity “issues” in 2018. Information Security Programs at most companies strive to keep these events from happening, detect them when they do, and respond in a way that effectively mitigates the related risk.
I think it can be assumed that most companies prefer to not be breached at all. While prevention is not always completely possible, there are some basic aspects of building a company culture of cybersecurity awareness that reduce the risk of an incident occurring, help detect one, and lead to an effective response if needed.
Security Tone Needs to Come from the Top
Even with senior leaders buying in, it is sometimes difficult to get everyone to pull the rope in the same direction. When it is apparent to employees that senior leaders don’t believe in the mission and vision of a cybersecurity program, the likelihood of them behaving in a secure manner dips accordingly. Why should employees report that suspicious email when their leader scoffs at doing so? Here at GreatAmerica, our motto is “Security is baked into everything we do.” Everyone has to roll the pin so to speak, and that starts with leadership. It is a simple concept, but paramount for success in prevention, detection and response when it comes to cybersecurity.
Provide Security Awareness Training
Keep it simple. Your cybersecurity training won’t turn your employees into cyber experts able to sniff out foreign-based criminal entities and their tactics. Your security awareness training should provide safety tips and enable users to understand that it’s okay to be suspicious and react accordingly.
Focus the cybersecurity training on enabling users to understand the basic status of the cybercrime industry, how they will be targeted and why, and what they should do if they are.
There is no need for a shock and awe security campaign. Employees generally know cybersecurity is a big deal, but it helps to provide perspective on just how big of a deal it is without getting carried away. There are some pretty astounding numbers available to frame up cybercrime these days. Costs related to cybercrime are expected to reach over $2 Trillion, with a “T”, worldwide for the calendar year 2019 (Juniper Research). You don’t need fancy pictures of masked figures in the shadows to make it clear cybersecurity is important.
Ultimately when communicating with employees about cybersecurity, you are trying to shape behavior. Appropriately educating employees about why and how they may be targeted by cybercriminals is a great way to shape behavior without the hyperbole that sounds really cool, but seldom resonates beyond the training.
Give examples of how actual employees have been targeted by cybercriminals, how they handled it, and how they should have handled it if needed. Real-life, relevant examples go a long way.
Create a Cybersecurity Program Theme and Encourage Recognition
I mentioned “baking security” into everything you do and equating that theme to users “rolling the pin.” It’s kind of a silly theme, but it’s one that seems to resonate well with employees. Find a theme that your company can easily understand and that helps employees connect it to their own part in practicing network security safety.
When users see a rolling pin, I want them to think about security and how it applies to everything we do. When users report a suspicious email, share a cybersecurity story with their team members, etc., I like to reward them with a small rolling pin with the words “Security Champion” on the pin alongside elements of the company logo. “Nice job! Here is your cheesy award!” Cheesy as it may be, people appreciate being patted on the back for their efforts, and it reinforces good cybersecurity behaviors.
Practice Social Engineering Testing
Once you have a cybersecurity program in place, and you have properly trained employees on how they will be targeted, it’s time to test. What better way to gauge your culture of security than to test internal users with phishing emails?
Make it mirror how you are actually targeted by cybercriminals. If you have 300 employees, when is the last time they were all targeted by a phishing email all at the same time? Very rarely I would guess. Typically cybercriminals target a handful of employees in hopes of getting clicks without alerting the entire company. Target 10-20 internal employees at one time, and give the emails a few days to work their magic.
Understand what a normal score looks like. Should you expect a 0% failure rate on every test? That’s probably not realistic. But if you have a 50% failure rate, you may have deeper issues. Information on industry averages is out there. Figure out what that is, and then react accordingly if you can’t seem to reach that level of success in your security testing.
Use the social engineering test results as feedback. Use test failures as a reason to contact employees individually and reinforce how they should have responded to the phishing email.
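As an added example (not the article’s own material and not GreatAmerica’s tooling), the following Python script implements the testing approach described above: it shuffles the employee directory and cuts it into small waves so that no single campaign targets the whole company, every employee is targeted exactly once per cycle, each wave is scored on its failure and report rates, and the aggregate is compared with a baseline the organization supplies. The employee IDs, the click and report outcomes, and the 10% baseline are constructed placeholders (the article points to industry averages but gives no figure), and the function and field names are assumptions of this example.

```python
"""Phishing-simulation wave planner and scorer (added example, not the article's code)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class CampaignResult:
    """Outcome of one small phishing wave. All sets hold employee IDs."""
    campaign_id: int
    targeted: frozenset   # employees who received the simulated email
    clicked: frozenset    # followed the link or submitted data: a test failure
    reported: frozenset   # forwarded the message to security: the desired behavior


def plan_campaigns(employees, batch_size=15, seed=None):
    """Shuffle the directory once and split it into waves of `batch_size`.

    Each employee lands in exactly one wave per cycle, and no wave hits the whole
    company at once, mirroring how real campaigns target a handful of people.
    """
    if batch_size < 1:
        raise ValueError("batch_size must be positive")
    pool = list(dict.fromkeys(employees))  # drop duplicate IDs, keep order
    random.Random(seed).shuffle(pool)      # seed only for reproducible planning
    return [pool[i:i + batch_size] for i in range(0, len(pool), batch_size)]


def failure_rate(result):
    """Share of targeted employees who clicked.

    Clicks from people outside the wave (for example a forwarded message) are
    excluded so the denominator stays honest.
    """
    return len(result.clicked & result.targeted) / len(result.targeted)


def report_rate(result):
    """Share of targeted employees who reported the message to security."""
    return len(result.reported & result.targeted) / len(result.targeted)


def assess(results, baseline_failure_rate):
    """Aggregate several waves against the organization's chosen baseline.

    `baseline_failure_rate` is a parameter the organization sets from whatever
    industry data it trusts; this example does not supply a real figure.
    Returns the overall rates, whether the program is above baseline, and the
    list of employees who should get an individual follow-up conversation.
    """
    targeted_total = sum(len(r.targeted) for r in results)
    if targeted_total == 0:
        raise ValueError("no results to assess")
    failures = sum(len(r.clicked & r.targeted) for r in results)
    reports = sum(len(r.reported & r.targeted) for r in results)
    follow_up = set()
    for r in results:
        follow_up |= (r.clicked & r.targeted)
    overall_failure = failures / targeted_total
    return {
        "overall_failure_rate": overall_failure,
        "overall_report_rate": reports / targeted_total,
        "above_baseline": overall_failure > baseline_failure_rate,
        "follow_up": sorted(follow_up),
    }


if __name__ == "__main__":
    # Constructed sample data: a 300-person directory and two scored waves.
    staff = [f"emp{n:03d}" for n in range(300)]
    waves = plan_campaigns(staff, batch_size=15, seed=1)
    first = CampaignResult(1, frozenset(waves[0]),
                           clicked=frozenset(waves[0][:3]),
                           reported=frozenset(waves[0][3:8]))
    second = CampaignResult(2, frozenset(waves[1]),
                            clicked=frozenset(waves[1][:1]) | {"outsider"},
                            reported=frozenset())
    PLACEHOLDER_BASELINE = 0.10  # constructed placeholder, not an industry figure
    print(f"{len(waves)} waves planned for {len(staff)} employees")
    print(f"wave 1 failure rate: {failure_rate(first):.0%}")
    print(assess([first, second], PLACEHOLDER_BASELINE))
```

Running the block as a script prints the plan size, the first wave’s failure rate, and the aggregate assessment with the follow-up list; in practice the scored waves would be filled from whatever your phishing-simulation platform exports, and the follow-up list becomes the schedule for the individual conversations the article recommends.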
Cybercrime isn’t going away. In fact, it’s expected to grow at a healthy rate into the future. That means having an effective cybersecurity culture in place at your company is not only important now, but will continue to become more crucial in the months and years ahead. Build a security program with an easy-to-remember theme, simple and clear training, and test everyone involved.
Ultimately you want to prevent cybercrime from affecting your company, determine if you were impacted and respond accordingly. The key to doing all those things well can be addressed by building a culture of cybersecurity excellence.
Jay Allpress, Vice President, Information Security at GreatAmerica Financial Services, has been actively involved in physical and information security for over 25 years. In his current role at GreatAmerica, Jay is primarily responsible for the development and delivery of a comprehensive Information Security Program for the organization. Prior to joining GreatAmerica in October 2017, Jay performed similar duties for Hills Bank and Trust Company from 2001 to 2017. Jay served 10 years in the United States Air Force and Iowa Air National Guard. He is an active member of Safeguard Iowa Partnership and Infragard, and is a Certified Information Systems Security Professional (CISSP) and a Microsoft Certified Professional (MCP). Jay received his Associate of Applied Science degree from the Community College of the Air Force in Electronic Systems Technology.