Before we jump into the world of technical controls and security settings to help your current equipment do its best work for you, it is important to recognize the key to the success of any security program is in an organization’s people. All the security in the world – whether physical or technical – will be ineffective if people inside the organization allow access by falling victim to phishing, social engineering, or other attacks.
How do we go about engaging and empowering our colleagues to create a culture of security within your organization? Education. Training. Simulations. Repeat!
Who needs this? Everyone.
Everyone? Yes, everyone. From the part-time temporary worker to the senior partner. Anyone who connects to your organization’s network or has physical access to your building/files/assets should be educated and trained on cybersecurity risks.
So everyone should come to one of my seminars, right? No, that’s not what we are talking about here. (Please do come though – I enjoy seeing you and talking with people!)
What works best is regular short trainings to keep information fresh in the mind, develop a mental version of muscle memory on security, and create a space where people are comfortable talking about cybersecurity and risks. (Remember fire and tornado drills in grade-school?)
Quarterly training is good, monthly training is better. If you are new to this, start quarterly to get your feet wet. And by short, we mean short! Aim for 15-30 minutes per quarter, or about 5-15 minutes per month. Reinforce topics with a brief reminder email or infographic in between for extra credit.
The best part - you do not need to develop these programs yourself. You certainly can conduct your own training program, but many organizations do not have the time to put those together. There are many options available out there – from free online videos to structured training platforms. Some common platforms (without recommending one over another) include KnowBe4, MediaPro, Ninjio, PhishingBox, Proofpoint, SecurityMentor, and Sophos to name just a few. Look around, ask for a demo or free trial, explore a variety of options to see what style and content best resonates with you! Most of these types of platforms end up being only a few dollars per month per user and they can track compliance for you.
Many of these platforms also include quizzes to go along with the training, interactive portions of the short vignettes, and even games. Also, many include simulated phishing attacks you can set to send to your employees using their common templates or by creating your own.
The great news here is that training helps! In Verizon’s 2019 Data Breach Investigations Report the results of consistent training showed the click rates on phishing emails were reduced from about 25% to less than 3%. Nearly a 90% reduction in risk from just an hour or two of training per year - spread out over a few minutes per month - is a great return on investment!
The most important part of creating a good culture of security is to create a safe space around reporting cyber risks and incidents. Fear of being ostracized or fired for hitting a cyber risk will not prevent the behavior. Rather, such fear will reduce the recognition and reporting of an incident - which makes a compromise much worse as timing is critical. Conversely, if people feel free to talk about risks and ask questions about suspicious emails or behaviors, it will create a stronger, more empowered, community within your organization where everyone works together to reduce risk. And if something does happen – let’s face it, we are all human and will make a mistake at some point – they will be able to recognize an issue and feel comfortable reporting it quickly, allowing the organization to respond and mitigate the damage and costs.
Your organization’s security is only as strong as your weakest human or technical link. And humans remain the most significant risk. Fortunately, we are trainable! With just a little bit of time spent every month or quarter – with repetition being the real key here – you can build a great culture of security and significantly reduce your organization’s risk.
This wraps up the basic cybersecurity tips aimed at things all users can do to reduce risk. Next month we will start reviewing some technical controls and security settings to help your current equipment do its best work for you!
About the Author
Patrick is the Vice President of Enterprise and Operational Risk Management at Lawyers Mutual as well as filling the roles of Corporate Secretary and Director of Information Security. He is an NCSB board certified specialist in Privacy & Information Security Law and has been designated a Fellow of Information Privacy and a Privacy Law Specialist by the IAPP. He is always happy to talk about his collection of tinfoil hats or to discuss risk management advice and resources that you may find helpful - you may reach him at 800.662.8843 or firstname.lastname@example.org.