Cyber Security Cultural Change for SMEs
Mike Ouwerkerk
DON'T CLICK ON THAT! | Cyber Awareness & Culture | Live Training for Results
The war with cyber criminal scumbags rages on, and unfortunately the battle is still being lost by the good guys. Luckily we're yet to unleash our greatest arsenal in full. No, it's not AI, it's not tech, it's not process, it's people. People are the biggest target, and people are therefore the greatest asset if they know how to identify and respond to IT scams.
Now broadly speaking there are three simple levels of awareness maturity:
1) We've done nothing. Yeehah, pow pow shooting from the hip!
2) We've done awareness training. That's enough right?
3) We've done awareness training, and we strive to embed awareness into the corporate culture so it's always front of mind for staff. #kickinggoals
Make no mistake - achieving number 3 is where the battle is won! You did awareness training? Great, now what? How do you keep information current, how do you keep people thinking about IT security daily, and constantly making good decisions?
And for SMEs with (typically) no defined IT security budget and limited staff, how can this be achieved? Here are some pointers:
- Organise for a tattooist to come onsite for a day and tattoo "IT Security is Everyone's Responsibility" onto the foreheads of all staff. Or just pick a slogan, and maybe put up a poster or two here and there. Difficulty factor = Low.
- Assign someone to the role of "Cyber Champion", or whatever you want to call it. "Chief Scam Hunter" works well too. Ensure they are interested in IT stuff, and have time formally allocated for the responsibilities. Difficulty factor = Low.
- Once a week they could stand up at a staff meeting, and share an IT security tip or issue. Difficulty factor = Low.
- Share email attacks (images only), what was learnt, how to improve. Perhaps the company is being targeted so all staff can be informed. Don't forward the scam emails with dodgy links or attachments. If you do that, you are not the right person for this role! Difficulty factor = Low.
- Be the "go to" person for when someone is suspicious and doesn't know how to act. Be approachable and super nice! Difficulty factor = Low.
- Own and manage policy development around IT security. e.g. "Use of IT Systems", "Bring Your Own Device", DR / BCP etc. Difficulty factor = Hard, but engage IT support if you can.
- Always be encouraging and nurturing, and if people aren't acting correctly, give them additional support / training. Run a few competitions regularly for people who are kicking IT security goals. Maybe they get movie tickets; not very expensive. Difficulty factor = Low.
- Build up a list of content around IT security to use as your knowledge base. That can be used to distribute snippets to staff regularly. If you had cyber security awareness training, use what you learned from that. You did learn something, right? Difficulty factor = Medium.
- Follow people / groups / companies on LinkedIn. e.g. The Cyber Security Hub, or use the SANS Security Awareness resources. There are countless goldmines of up to date information out there to use. Difficulty factor = Low.
Corporate culture will be the greatest challenge companies will face in the battle against IT crime, and simple things like this make all the difference!
Got any other easy things to add to the list?
Reach out if you need to fast-track high-value quick-wins across the full spectrum of IT Governance, Risk and Compliance (GRC) to align IT with business goals.
5 years
Thanks for this post Mike Ouwerkerk. Cyber security cultural change for SMEs. Good advice for SMEs and corporates. Here are my takeaways: Strive for "rating 3): We've done awareness training, and we strive to embed awareness into the corporate culture so it's always front of mind for staff." Here are Mike's nine pointers:
Difficulty factor = Low:
1. "IT Security is Everyone's Responsibility" poster.
2. Assign someone to the role of "Cyber Champion".
3. Once a week ... at a staff meeting ... share an IT security tip or issue.
4. Share email attacks (images only), what was learnt, how to improve.
5. Be the "go to" person for when someone is suspicious and doesn't know how to act.
6. Run a few competitions regularly for people who are kicking IT security goals.
7. Follow people / groups / companies on LinkedIn. <I do like this one>
Difficulty factor = Medium:
8. Build up a list of content around IT security to use as your knowledge base.
Difficulty factor = Hard:
9. Own and manage policy development around IT security.
"Corporate culture will be the greatest challenge companies will face in the battle against IT crime, and simple things like this make all the difference!" #kickinggoals #cyber #cybersecurity
Information Security GRC Specialist
5 years
Good article. A couple of other suggestions:
- have the organisation pay for the security champion's membership to the Australian Information Security Association, at least for the first year. Attending meetings can provide good educational and networking opportunities.
- consider becoming an organisational member of AusCERT. So important to have an experienced and caring team in your corner when an incident happens.
- sign up to free information sources like Stay Smart Online and Scam Watch.
- listen to some cyber security podcasts, at least Risky Business, which has a great infosec current affairs segment opening the show each week.
Australian Best-Selling Author of A Hacker I Am, Foresight Book Series, Co-Author The Shadow World Series | Head Unicorn - Cyber Unicorns | AISA Member Board of Directors | Security Journalist | Cyber keynote Speaker.
5 years
Good article Mike, and I am with you all the way except maybe the tattooing on everyone's forehead. Maybe it should be on everyone's forearm instead, as that way they will regularly see it as well as all the other staff. Makes it more of a win-win really. Seriously though, Mike is right here; we need to give the human defense the time it deserves to enable us to win the cyber war. Those new blinky lights aren't going to do everything for us; we need to get in the battle ourselves and help all of us humans be more secure.