Building Effective Cyber Security Awareness
Security awareness training is a big topic, and one that many organisations struggle with. While more or less everyone recognises that cyber security is not just a technical problem, and that good user behaviour is vital, actually deciding how to go about achieving this can be tricky.
I’ve done a lot of awareness training work with various clients over the last few years, and whilst I think detailed approaches will vary by organisation, it is possible to come up with a generic framework and to identify a number of ingredients that all awareness training campaigns should have in common.
In-person briefings
Ok, I recognise for large organisations this is a challenge – having every employee sit through a one-hour briefing, and dispatching people to remote offices to deliver them, requires commitment. I believe if you can manage the logistics though, it is well worth it.
Briefings like this are really only effective if delivered by someone who has personal experience in security – the content matters a lot, but personal anecdotes and first-hand experience are what drive the relevant messages home. This means delivery can’t be delegated to local managers, or at least not without losing much of the impact.
Explain something about the threats
Understanding who might target your organisation, and more importantly how they might go about it, can be a useful jumping off point for explaining to people how they can help. When you explain how cyber espionage relies on phishing, or that criminals want to hold you to ransom, it makes the reason for security controls clearer, and demonstrates what individuals can do to help (see the next point).
Focus on specific actions
However you choose to deliver awareness training, ensure it is focused on clearly explaining the behaviours you want to see. Something I’ve found to be effective is connecting home security with work security. Not falling for phishing emails, not re-using passwords, and so on are all behaviours people can take away and use even when they’re not in the office.
Avoid vagueness. ‘Consider using a VPN on untrusted networks’ is too vague and requires expertise to do properly (which VPN providers are considered good? What is meant by untrusted?). A concrete instruction such as ‘whenever you are away from the office, connect with the company VPN client before doing anything else’ gives people something they can actually act on.
Try and keep security in people’s minds
There are different ways of doing this. Phishing campaigns can be effective, though you need to be thoughtful about how you run them. The NCSC has some guidance on this (https://www.ncsc.gov.uk/blog-post/trouble-phishing) but in general I’d say you need to keep staff on board and engaged, so make phishing campaigns ‘no fault’, don’t run them too often, and ensure people get some short, helpful learning when they make a mistake.
Something else you can consider is short bulletins when cyber security stories make the news (although that’s currently most days, so pick your battles). A short explanation of the issue at hand, what it means for your organisation and users, and what you expect them to do, can be really helpful. It keeps people informed, and keeps security (and the security team) at the forefront of their day.
Finally, whatever else you do, I think it’s important that the security team (or person, if it’s just you!) is seen as approachable and helpful. Emphasise that you are there to help. Encourage people to report security issues and to ask questions. Tell them the reasons you put security steps in place, and ask for input if those steps seem too arduous or insufficient.