Security Awareness - On a mission from God
I have taken the ability to exercise for granted for all of my adult life. I have been fortunate enough to race and compete in a variety of events, most recently the Marathon des Sables from which I emerged without even a blister. You can imagine the shame of suffering my first knee injury following a ‘social event’ earlier this year. Oh the humiliation!
(Hang in there, there is a relevant segue in all of this)
Confined to static training for 6 months I was recently able to increase exercise to brisk walks. One such walk took me through Hyde Park in London where, at speakers’ corner a young man was talking to a gathered crowd. As I approached I could hear him talking about ‘strength in numbers’, ‘unified thought’, ‘creating an awareness culture’, ‘resisting an attack’.
I could be forgiven for thinking he was talking about creating a security aware culture and securing people, assets and reputation. Was this a security awareness evangelist taking his message to the masses?
I believe he then quoted Ecclesiastes 4:9 (TEV):
“Two are better off than one, because together they can work more effectively. If one of them falls down, the other can help him up.... Two people can resist an attack that would defeat one person alone. A rope made of three cords is hard to break.”
I then understood that his was a message from God.
As I continued my walk it did get me thinking that there is something in that message that resonates with much of what I have ‘evangelised’ over my career: that security awareness is the cornerstone of any converged security strategy; it is about resisting an attack and not being the weakest link.
As we know, investment in gates, guards, systems and cyber defence, whilst vital, can be undone by one uninformed employee. One click on a phishing email, holding open the door to a non-badged stranger or having a weak password can bypass much of the operational and capital expenditure spent on defending the organisation.
As I state, I have made security awareness a key part in successive strategies in the companies I have worked in. I believe in educating and informing employees to ensure they understand their collective responsibility in securing the business. I relate this to the work environment as well as activity on-line (at home) outside of the office. Let’s face it, if you can create good habits at home, your employees are likely to bring them to the office.
(All that said, I have had a thorn in my side for many years with one protagonist who simply fails to be educated. One who, despite hours of one-to-one security awareness training, is still the western hemisphere’s largest one-person botnet. My mother. She is a case in point that, despite investing in technology to secure her on-line presence, she repeatedly clicks or forwards ‘that email’. Bless her. She is a work in progress.)
Back to the office.
With the increase in workplace tools and increasing mobility in our work forces, it can be harder for our employees to spot the risks. A recent study by Verizon sought to discover how breaches occur and found almost one-third involve phishing attacks; 52% entail hacking, and 28% centre around malware. Additionally, 39% of data breaches are perpetrated by organised crime.
With the increased threat comes increased cost. The IBM 2018 Cost of a Data Breach Study was based on interviews with more than 2,200 professionals from almost 500 companies across the globe. All companies represented had experienced a data breach within the 12 months prior. Of all breaches examined in the study, the average cost of a breach was $3.86 million, up 6.5% from the previous year. This cost includes things like lost business, notification costs, and other damages. Interestingly enough, more than a quarter of the breaches are down to human error (27%). Ouch.
I’m not a believer in rigid security policies as a standalone tool. I don’t want to inhibit the creative environment in which much of our respective companies’ success is generated. Users will always find a way around the system or process; balance is key with regard to creating a security aware culture. It starts with strong leadership of the security function and empowering employees from the top down with information that helps them make informed, aware, risk-based decisions. It’s about aligning your security strategy with the business objectives and enabling employees with a wider appreciation of how security aligns to their role and enables and facilitates growth and success.
There is plenty of information and lessons learned with regard to building a successful security culture. We love lists... and listed below are my top six tips for success.
It always starts at the top
From the leadership down, the security culture must be lived and breathed by all. Embraced, practised and endorsed from the Board and the CEO all the way through to the mail room – it is a case of ‘monkey see, monkey do’. If your leadership take security seriously, the rest of the workforce is more likely to follow suit.
Create the framework
Whilst I have said that policies, procedures and standards can be cumbersome and are often circumvented, they remain relevant to laying the foundations for best practice. In creating short, clearly defined and ‘edible’ policies, you are committing to the company DNA the risk appetite and the standards by which risk will be managed, how employees must behave and how they will be held to account for failure to do so. Remember – brevity with the policy framework is key. (This article could do with some of that brevity – right?!!)
Paint the picture – context is key
Make your message relevant to the organisation, the business strategy and operating model. Don’t focus on the obvious ‘big ticket risks’, rather look at changing small everyday behaviours within the day-to-day activity of employees.
Your company needs you!
It’s simply not just the responsibility of the security function to manage and mitigate security risk. Educate and enable your employees to be the eyes and ears of the organisation. Create a culture of ‘it’s OK to say’. Enable them with tools to engage with security, to contribute to the security of the business – to report in. Create ‘security advocates’ within business teams who are closer to the decisions made by the business.
It’s not a one-time event
Security awareness needs a constant drumbeat throughout the year to ensure it remains in the employees’ consciousness. A one-off e-learning event is simply not good enough – it’s not a cultural builder. Seek to use creative, relevant and frequent engagement utilising multiple means to engage and stimulate thought among your employees: newsletters, intranet infomercials, awareness events, competitions, guest speakers and more. Create a rewards-based culture to recognise a ‘job well done’.
Security mindfulness
Employees should feel empowered after receiving the training and the knowledge to help play their part in preventing a security breach. A security culture is a state of mind and, if done correctly, can become part of the way of life at an organisation, sitting alongside the general day-to-day business. Becoming security mindful makes secure behaviour the normal way of working.
In summary, the goal is not to teach tricks but to create a new culture that is accepted and understood by everyone. In order to accomplish that aim, messages need to be designed and delivered according to each type of employee. There is no such thing as a one-size-fits-all security awareness campaign.
To conclude the ‘mission from God’ message:
Elwood: There’s 106 miles to Chicago, we’ve got a full tank of gas, half a pack of cigarettes, it’s dark out, and we’re wearing sunglasses.
Joliet Jake: Hit it!
For the CSO / CISO it would read:
HR: ‘We’ve 16,000 security unaware employees, half the budget we expected, we’ve a major technology swap-out underway and my training manager has just resigned’
CSO / CISO: We’ve got this. We’ve always got a plan. Hit it!
What tips and tools do you use to create a security aware culture? Your views are very much welcomed.
#morebrevityrequiredinthisarticle #Bluesbrothers #lovechicago
Experienced global Health & Safety and Corporate Security Leader
5 years ago: Great post Adam - makes the awareness message and all that goes with it real!
Sales VP UK&I, WIZ, Board Member @ The Prince’s Trust RISE and Co-Founder of Pink Diesel. Interested in SEIS & EIS Investment Opportunities
5 years ago: Brilliant Article!
Trusted Advisor/Critical Friend, Interim/Virtual CISO, Team Lead, Principal Consultant, NED & #UnsungHero 2022 Security Leader & Mentor
5 years ago: Hear hear
Physical Security Professional and Security Adviser
5 years ago: Thank you Adam. Great article and quite relevant. With your permission I would like to share it with a new cyber security group formed in Cambridge