Human Risk Management Framework by Grant Hughes
https://www.isaca.org/resources/isaca-journal/issues/2024/volume-5/human-risk-management-a-practical-approach

Human beings have cognitive limitations. Knowledge is not inborn; humans must be taught. For example, if no one informed the public that smoking is unhealthy, no one would know. But once certain information becomes widespread, it seems obvious and more like common sense. Herein lies the challenge: What is common sense to one person might not be common sense to the next person. Consider someone who has worked at sea all his life. The things he considers common sense would probably not be common sense for people with little experience at sea. The same is true of cybersecurity. The framework offers practical guidance to effectively manage human risk.

  1. Promote good governance. Define a security awareness standard that includes the scope, objectives, and key performance indicators (KPIs) of the program.
  2. Garner support from senior leadership. Senior leaders must regularly stress the importance of cybersecurity. This can be accomplished via email, town hall meetings, or posters. Executive-level support is likely to facilitate cultural change within the enterprise.
  3. Segment staff based on risk. Board members and their assistants pose a different type of risk than those connected to the service desk. Segmenting users by risk allows messages (and their frequency) to be tailored to the user group. In addition, assessments can be tailored to simulate real and relevant risk.
  4. Establish a champion program. A cybersecurity champion program allows a group of users embedded in the enterprise to drive the security message. These users champion security from the front lines.
  5. Encourage users to report cyber incidents. The only thing worse than an employee making a mistake is an employee concealing a mistake. Creating an organizational culture that encourages people to report mistakes could be the difference between containing a cyber incident and not being able to.
  6. Tailor cybersecurity awareness by department. Human resources (HR) and payroll employees must be aware of impersonation attacks, such as changes in employees’ banking details for the direct deposit of paychecks, while the help desk must be aware of tactics to maliciously reset user passwords. For a cybersecurity awareness program to be effective, it must have a combination of general awareness content and tailored content specific to each department’s business processes.
  7. Use different mediums. People learn differently and possess varying levels of awareness and education. It is important to understand the audience, their level of cyber awareness, and their preferred learning methods, such as in-person sessions, online materials, or self-study. The awareness program must include various methods of delivering content.
  8. Incorporate stories into the program. Stories (i.e., anecdotes, documented examples) are easy to remember, and when used correctly can be a powerful component of a security awareness and culture strategy. Facts and statistics pale in comparison to a powerful story with relatable key points.
  9. Regularly test effectiveness. This testing is often accomplished with phishing simulations, but results should be interpreted with caution. Users should not be humiliated if they are caught falling for a phishing simulation. There should be a documented policy for dealing with repeat offenders (users who consistently fail phishing simulations). The policy must be fair, risk-based, communicated to all employees up front, and consistently enforced.

Network firewalls are effective only when they are configured correctly, running the latest firmware and, depending on the type of firewall, the latest signature files. In many ways, a human firewall is the same; it needs to be aware of the latest scams and social engineering techniques and know how to report them. Only when people are informed and empowered can they be an effective extension of the cybersecurity team.


Read the full article by Grant Hughes in the ISACA Journal: https://www.isaca.org/resources/isaca-journal/issues/2024/volume-5/human-risk-management-a-practical-approach

valda petersen

Medically incapacitated and paying the price for never wanting to give up

2 months

Very helpful
