Good security depends on people being aware of security issues. A good way to minimise cyber risk is to encourage people to be more security conscious in the first place.
The problem is people?
People are often said to be one of the biggest vulnerabilities in cyber security, even when they don’t mean to be. Problems range from someone abusing their system privileges, deliberately or accidentally, to unknowingly exposing information after falling for a social engineering attack. There’s data to back this up: analysis of data breaches reported to the UK’s Information Commissioner’s Office (ICO) in 2019 showed that 90% were caused by human error.
So it pays to make your people more aware of security. Whether your organisation is small or large, it’s our job as security professionals to implement a cyber awareness programme that encourages people to be security conscious.
We have to help protect our people, not just protect our systems.
Change takes time
Changing behaviour and developing a cyber security awareness programme takes time. Even if you can implement a programme quickly, that doesn’t mean the change will be immediate: on average it takes 66 days. So the sooner you start, the better.
What good cyber security consciousness looks like
A programme to raise awareness and educate on cyber security covers many things.
A good awareness programme:
- covers cyber security efficiently, not just at a whole-business level but also at role level, where personnel in specific roles, such as leadership, may require more training because their positions are more likely to be targeted.
- is integrated with your business processes. An awareness programme should be present throughout your organisation. For example, mandatory cyber security training should align with standard onboarding processes, and happen yearly as part of standard training procedures.
- is distributed effectively. It’s down to you to communicate clearly with your staff and to make security information easy for them to refer to. For example, keep your security policies visible somewhere, and encourage staff to actively refer to them so they understand their security responsibilities and the behaviour expected of them.
Creating a security conscious culture
Here are some top tips for embedding security consciousness into your team. Remember: it takes time, so you’ll need to focus attention on these things more than once.
- Focus on positive messages to reinforce cyber security. Communication is important. Negative and irrelevant messages could lead to people within your organisation becoming disengaged from cyber security, and not seeing it as something they can integrate into their day-to-day work.
- Get leaders to steer the message. Leadership should lead by example, following the cyber security programme and showing that it is applicable to everyone within the organisation.
- Keep your guidance up to date and frequent. Cyber security evolves quickly, and this should shape which messages your organisation focuses on communicating. Consider how frequently you communicate, too.
- Encourage reporting within your organisation. A culture of reporting issues means incidents are more likely to be detected earlier, potentially reducing the impact of cyber threats. Reports of near misses help you understand the risks the organisation may face.
- Monitor and measure cyber security awareness. Where possible, try to monitor components of your cyber security awareness programme. This helps you understand how effective your programme is, and how well people understand the message. You can iterate accordingly.
These key factors create and promote the ‘right’ culture: they encourage cyber security consciousness through the correct focus and positive reinforcement, rather than discouraging and disengaging the people in your organisation.