We at The State of Security kicked off National Cyber Security Awareness Month (NCSAM) 2016 with a review of how companies can defend against common IT security threats. In one guide, we discussed how organizations can leverage their people, processes and technologies to protect against the likes of phishing and other risks. We then crafted strategies for how companies can protect against ransomware and develop a password security policy. There's just one caveat. Organizations can't leverage the full potential of their people without all of their employees buying into the importance of creating a security culture. But as we all know, most users don't think about security without some sort of motivation. For Week Two of NCSAM 2016, we asked experts in the field how companies can motivate their workforce to help strengthen their IT security posture. Here's what they had to say.
Can you provide examples of how organizations can improve their security hygiene?
Dwayne Melancon, VP of Products | @ThatDwayne
I'm a big fan of practice and involvement. Running regular phishing and even spear-phishing simulations is a good way to help the broader user base in a company understand what business email compromises look like. To increase engagement across the organization (and particularly the exec team), publish statistics showing how each department fared, including which ones opened the email, which ones fell for the bait, which ones reported the phish to the security team, and so forth. I've also seen success from organizations that enter their employees into a prize drawing for every suspicious email they report. All of these approaches get people thinking about security more consciously and encourage them to act on what they see.
Leron Zinatullin, Information Security Specialist | @le_rond
The goal is not to teach tricks but to create a new culture that is accepted and understood by everyone. In order to accomplish that aim, messages need to be designed and delivered according to each type of employee. There is no such thing as a one-size-fits-all security campaign, but some questions that organizations must always answer include the following: "What are the benefits?" "What does it matter? "Why should I care?" "What impact do my actions have?" Security campaigns must discard scare tactics such as threatening employees with sanctions for breaches. Campaigns should be oriented towards users’ goals and values as well as the values of the organization, which should include professionalism and delivery. A security campaign should emphasize how employees can cause serious damage to an organization whenever they engage in non-compliant behavior. That's true even if their behavior appears to be in an insignificant way. Employees should understand that they are bearing some responsibility for the security of the organization and its exposure to risk. Furthermore, the entire organization needs to perceive security as bringing value to the company as opposed to being an obstacle preventing employees from doing their job. It is important for employees to understand that they contribute to the smooth and efficient operation of business processes when they follow recommended security practices, just as security enables the availability of resources that support those processes.
What are the most important factors to improve an organization’s security culture? And who should be responsible for creating that security culture?
Andrew Bycroft, Cyber Security Specialist | @securityartist
If we want to have a fighting chance of reducing cybercrime from its current pandemic proportions to something manageable, we need to begin with developing a culture of cyber resilience. This begins from the top down, with the directors setting the tone and executives driving the cultural changes throughout the organization. While the cybersecurity team should be called upon to provide input, it should not be responsible for changing the culture. Marketing will play a role in ensuring that the key messages are delivered to employees in multiple formats since not everyone learns in the same way. HR will play a role in measuring the effectiveness of the cultural changes. Legal will play a role in ensuring that the change in culture meets regulatory and legal requirements. Finance will play a role in measuring how the cultural changes might affect the financial impact on the organization.
Angus Macrae, Senior Information Security Manager | @AMACSIA
Actively promoting a positive security awareness culture is something we should be doing each and every day as security professionals. In large and enterprise operations, however, it can't simply begin and end with the specialists. We should be trying to empower and support 'security champions' in every area of the business. Policies are still the cornerstone of good security governance, but in order to be truly effective and relevant, they cannot be written and delivered in some detached and myopic 'security knows best' manner. Instead they need to be contributed to and bought into by all key stakeholders to ensure they will actually support rather than hinder core business objectives. Awareness and training are also paramount, of course, but they require an evolving diversity of approaches and innovative methods in order to prevent the messages from becoming stale. Furthermore, as we are familiar with the concept of sandboxing malware, we should be looking to awareness campaigns that in effect 'sandbox people' (to directly borrow a phrase and concept from security researcher Rik Ferguson). That is to expose them to real world examples of threats in a safe scenario so that risks can be understood, lessons learned, and ideally practice improved. 'Phish test' simulations, for example, are a great way to do this.
Are secure behaviours recognized/rewarded? If so, what gets rewarded and how? If not, what would good security behaviours look like in your business environment?
Glenda Snodgrass, President & Lead Consultant | @Glenda_TNE
Good security behaviors are often hard to see, (It's the bad ones that stand out!) but they always deserve a reward in order to encourage that behavior. Studies show that people respond extremely well to praise as a reward when it is earned, which is great because there's no limit to how much praise you can give! Here are some examples:
- Always take the time to give profuse thanks to a user when they ask you to review a suspicious email, no matter how obvious. Those actions show that the user is paying attention to security.
- When networks are audited, report all findings to management, but make it a point to speak personally with users who have especially clean computers and let them know how much you appreciate their efforts.
- It's a dream that an employee will slam the door in your face and demand that you use your own security badge to enter. If they later apologize for being rude, you should respond with "Not rude! No apology necessary! It's great that you are following our organization's security procedures."
I know it sounds kinda corny, but truthfully, these small acts of acknowledgement and praise will go a long way towards building a culture of compliance within your organization.
Nick Santora, CEO | @Curricula
Our team believes good behavior needs to constantly be reinforced to achieve the goal of building a cyber security culture. One way to promote good behavior is by simply guiding your staff to challenge each other. Actions like publicly recognizing a staff member for great security behavior can sometimes be more valuable than rewarding them with gifts or other tangible incentives. There are so many ways to value behaviors and motivate people this way. Such a strategy focuses on long-term behavioral paths rather than a false sense of short-term behavior change based off a single reward system. Build a recognition system with rewards such as lunch with executives, company improvement suggestions, public recognition of the month, or other incentives to make your employees feel empowered for their good behavior as a star employee. This sets an example that other employees will strive to reach, which sets the foundation for building a stronger cyber security culture.
What are some key ways you can demonstrate, by your behavior, your commitment to secure practices at the workplace?
Bob Covello, InfoSec Analyst | @BobCovello
In my workplace, when I present any online demonstrations, my co-workers often glance at me oddly when I reach for my favorite multi-factor token that I keep on a chain around my neck. I never log into any sites without using some form of two-factor authentication or two-step verification, where possible. When they see this in action, it opens a conversation about the multi-factor process. At that point, I show them some other, subtler methods for two-step logins. Are there less dramatic ways to introduce multi-factor authentication to people? Of course there are, but creating a behavioral shift is best done demonstrably.
What does your organization do to strengthen its employees’ respect for corporate policies and compliance frameworks?
Amar Singh, Cyber Security Expert | @amisecured
On a good day, a policy is the last thing on an employee’s mind. It’s unfair to expect employees to understand, let alone comply with, complex policy frameworks often cobbled together with policies written on the back of pre-written templates. To me, the most important aspects of policy enforcements are:
- Engage with every employee and share the message without making it obvious that you are 'talking corporate'. If you take your employees on the same journey that you are embarking on, it becomes easier to share your concerns, your requirements, and your objectives.
- Convey the personal element of why you are enforcing certain rules and regulations.
Keep it simple: any policy document must be easy to understand, easy to digest, and written in simple, plain English.
