Taking the traditional critical success factors of security awareness into account may not be enough to create a security-aware environment. A number of hurdles can still make you fail. So how can we overcome them?
This post first appeared on CSO Online on November 17, 2017.
Though we spend more and more effort on security awareness, people remain a key vulnerability, and we can often only conclude that security awareness programs are not as effective as we would hope.
As indicated in my previous post, it is quite troublesome that even ‘best practice’ awareness programs are not always that successful: programs that took all the traditional security awareness critical success factors into account, such as obtaining executive management support, involving the internal communication team, making it ‘interesting’, using leading marketing and learning techniques, branding through a clear and distinct identity, implementing behavioral accountability, and so on.
Clearly, if awareness programs are failing, we need to investigate why and, where needed, amend the list of critical success factors or add some nuance. In my previous post, I explored some of the root causes of why awareness programs fail or are less successful, even when executed by the book. The six main ones I identified were:
- Massive competition from other communication campaigns
- Learning fatigue
- General disinterest of the target audience in the topic
- Digital learning platforms are only partially effective
- Security resources are not necessarily good communicators
- We rely too much on people being able to do the right thing
There are probably no perfect or one-size-fits-all solutions to overcome these hurdles. However, I do want to share some ideas that may help you come to a more effective (as well as more efficient) approach towards security awareness.
Bringing awareness more effectively
- Focus less on the roll-out of broad communication campaigns. Broad communications can be good for establishing recognition and a brand, but their effect soon wears off, and you are constantly competing with other campaigns. Instead, put your effort into a diverse array of communication opportunities that play into the topics of the moment via different means of learning and communication.
- Recognize the limitations of web-based e-learning, and use it only for the basic, bulk learning initiatives.
- Embrace the power of good live presentations. They allow for interaction, and people pay much more attention to what you say. Look for your best presenters, i.e. those who can deliver the message in a compelling manner. Make the presentations pull rather than push, e.g. lunch-and-learn sessions or hooking into existing team meetings, and allow enough time to interact with your audience.
- Segment your audience. This not only allows you to bring content that is more relevant to each group, it also allows you to target the specific audiences that pose a larger risk. E.g. who is handling the most critical information? Where do you see the most incidents, mistakes and missed opportunities?
Bringing enticing content
- Make it more personal. Relate it back to what people also encounter in the protection of their personal data and computers. E.g. their online banking, their social media profile.
- Make the content specific to the organization and environment. Not some generic list of do’s and don’ts bought from a vendor. The latter can be good as a starting point, but you have to integrate the context of your organization. E.g. if people are not allowed to use Dropbox, then tell them what the approved alternative is.
- Play into cyber security news events and send out internal messages to showcase the ‘reality’ of the risks and then repeat the key messages. Similarly, ensure internal warning messages about new threats or updates on security incidents sent out to the end-users are either awareness branded or clearly refer to the awareness messages.
- Team up a security technical writer with a person from internal communications who has a keen interest in security. ‘Technical writer’ may be the wrong term, because you need someone who can translate the security requirements and other content into layman’s terms. That person also needs to be able to create most of the content themselves rather than relying on SMEs to provide it, although the SMEs should review and comment. The communications person brings the marketing and communication flavor to the content and packages it in a format that maximizes the impact of the messages.
Enabling secure behavior
- Interact with and listen to your target audiences, and feed what you hear back into security enablement. They will tell you when and why they cannot (always) comply with certain requirements. E.g. people may tell you that they sometimes have to share passwords even though this is against policy. Take these scenarios back to the rest of the security team and find solutions that remove the need for them.
- Recognize that awareness activities will never fully mitigate the people vulnerability. Do not count on people becoming security experts. Instead, make sure that you rely less and less on their good judgement: enable security by default, or otherwise make it very easy for people to demonstrate the ‘right’ secure behavior. E.g. people continue to choose weak passwords, so go for single sign-on (SSO) style solutions and two-factor authentication. E.g. people don’t encrypt mails when they should, so go for intelligent, automated encryption solutions that encrypt mails containing particular content without asking. In other words, focus on designing systems and processes that make it easy to act securely and don’t give users the option to behave otherwise.
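To make the “encrypt mails that contain particular content without asking” idea concrete, here is a small policy hook of the kind an outbound mail gateway could call before delivery. It is an added example written for this post, not the author’s tooling or any vendor’s product. The `X-Classification` header name, the card-number heuristic and the sample messages are assumptions chosen for illustration; the point is that the decision is made from the message content and a label set by tooling, never from a checkbox the sender has to remember.

```python
import re
from dataclasses import dataclass

# Added example, not the post author's or any vendor's code: an outbound-mail
# policy hook that forces encryption based on what the message contains, so the
# sender never has to remember to click "encrypt". Header name and sample
# messages are assumptions for illustration.

CLASSIFICATION_HEADER = "X-Classification"   # assumed: set by a labelling add-in

# Card-number shape: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


@dataclass
class Mail:
    sender: str
    recipients: list
    headers: dict
    body: str


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and other digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return Luhn-valid card numbers (digits only) found in the text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def decide(mail: Mail) -> tuple:
    """Return ("encrypt" | "allow", reasons). Encryption is enforced, not offered."""
    reasons = []
    label = mail.headers.get(CLASSIFICATION_HEADER, "").strip().lower()
    if label in ("confidential", "restricted"):
        reasons.append(f"classification label '{label}'")
    cards = find_card_numbers(mail.body)
    if cards:
        reasons.append(f"{len(cards)} Luhn-valid card number(s) in body")
    return ("encrypt" if reasons else "allow", reasons)


# Constructed sample messages (not real mail).
SAMPLE_MAILS = [
    Mail("alice@example.com", ["vendor@partner.test"], {},
         "Hi, the card on file is 4111 1111 1111 1111, exp 12/27."),
    Mail("bob@example.com", ["carol@example.com"], {"X-Classification": "Confidential"},
         "Draft board minutes attached."),
    # Looks like a card number but fails the Luhn check: treated as an order number.
    Mail("dave@example.com", ["erin@partner.test"], {},
         "Your order 4111 1111 1111 1112 shipped today."),
]

if __name__ == "__main__":
    for mail in SAMPLE_MAILS:
        action, why = decide(mail)
        print(f"{mail.sender} -> {mail.recipients}: {action} {why}")
```

The third sample shows why the Luhn check matters: a rule that encrypts on “any 16 digits” would fire on order and tracking numbers, users would learn to ignore the behavior, and you would be back to relying on their judgement. In a real deployment the `reasons` list is what you log for audit and what you would feed back into the awareness content described above.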
Shift some of that end-user awareness effort towards systematic and comprehensive security training for developers. This will ensure that your systems (over time) have the necessary security built in by design, relying less and less on the correct secure behavior of end-users to protect the data.