How to Create a Culture of Security Awareness
Among 874 data breach incidents, as reported by companies to the Ponemon Institute for its 2016 Cost of Data Breach Study, 568 were caused by employee or contractor negligence; 85 by outsiders using stolen credentials; and 191 by malicious employees and criminals. Battling the incidents caused by negligence requires more than just a yearly security training session.
Security Is Everyone’s Business
Because most security threats target people rather than systems, it is unrealistic to expect one small part of your organization, the IT team, to keep every employee safe on its own. Protecting the corporation’s ‘crown jewels’ requires an all-in mentality from every employee.
When every employee understands why security is important, what insecure practices look like, and how to stay safe, you greatly reduce the number of breaches that arise from negligence.
Tactics to Develop a Security-Aware Culture
Know what you have and who has it. To start, ensure you have leadership alignment on the data and systems to be protected and the level of security required for each of these assets. This information will help you tailor all subsequent security and security-awareness activities. Don’t rely on just your IT team to contribute to this inventory: chances are there are pockets of critical information they are not aware of. Go straight to the people creating and storing data and involve your entire organization. For example, Washington State University distributed a survey asking university personnel what data they held and how they were managing it, in an effort to assess information safety following a security breach.
Ensure a top-down approach. Setting the culture begins at the top. Enlist your senior leadership team to help relay security messages, and ensure they are active participants in any education and security drills you launch.
Jon-Louis Heimerl, senior security strategist at Solutionary, offered an example of leading by example. In one firm, he said, the CEO was trying to get people to wear their employee badges to improve physical security. He sent an email saying he expected employees to challenge anyone not wearing a badge. He then walked around the building without his badge on, and when a low-level worker challenged him, he gave the worker a $100 bill. It happened twice more on his walk.
“By the end of the day, the stories of the $100 bills had circulated around the company and they evolved to near 100% compliance in about three hours,” Heimerl said. “It cost them about 30 minutes of the CEO’s time and $300. That may have been the best $300 they ever spent.”
Go beyond the policy handbook. While it’s important to have a security policy and guidelines that employees are required to read and acknowledge on a regular basis, relying on just a policy is unlikely to ensure success. Employees need regular reminders of potential risks and ways to avoid risk.
Reg Harnish, CEO of GreyCastle Security, notes that throwing policies and procedures at employees is not enough. A proper training program teaches the “why.” Why is it important to know what a phishing email looks like?
Ensure security awareness remains top of mind in your culture by establishing a regular communications cadence with, for example, monthly email reminders and quarterly activities that inform, test, and deliver feedback. Simulated phishing scams, interactive quizzes that deliver rewards, and short videos are all ways to sustain awareness.
Encourage department-level action. Don’t rely on online activities and communication only. Encourage managers to incorporate security messages in regular team meetings and to debrief on recent security awareness initiatives. Team meetings can be a safe environment where employees can raise questions.
Highlight the ramifications. Stress the importance of all employees being ‘all in’ on security. Individual ramifications can include having to redo work. Corporate ramifications include financial loss, reputation damage, customer attrition, and potential legal action. Share real-world examples of the significant damage companies have suffered as a result of a breach caused by negligence.
Commit for the long term. Security threats will remain an issue and there is no such thing as a permanently secure infrastructure. You will need to periodically refresh your tactics and commit to an ongoing cadence of security awareness training.