Looking Beyond Phishing: The Deeper Issue within Security that Needs Addressing

essidsolutions

When tackling security and awareness training, the first thing many businesses do is invest, often heavily, in the latest technology on the market. This is a reactionary and shallow response to a much deeper problem. Javvad Malik, lead security awareness advocate, KnowBe4, discusses the three key pillars on which a security culture can be built.

Tell people not to click a link, pat each other on the back, and ride off into the sunset. 

If only security awareness training were that elementary. It would certainly help reduce the cost to businesses, which on average pay $5 million in damages because of phishing attacks.

Phishing prevention and security awareness, in general, extends further than the technology layer. It is more psychological, behavioral, and deeply rooted in how the organization’s security culture is pieced together. In fact, it can be broken down into three core elements: 

Brand: How the security department is perceived.

Approach: How security awareness and training is delivered.  

Culture: How the company is creating a strong security culture.

Each of these components is interlinked. If one component is weak or fails, the rest crumble – impacting the entire company. Therefore, the security department should lead the charge in bringing security awareness to the next level in order to prevent it from going stale. 

Changing behaviors and creating a culture of security can only be achieved by adopting the right mindset and techniques. But the influence a security department has is determined by how it is perceived within the company. 

Brand

It is well documented that the security department is perceived as an overly cautious group of individuals. While everyone else sees silver linings, security departments point out the threatening clouds within them. If they have a signature response, it is "no," so much so that it has earned the security team the moniker "Department of No" and a reputation as a barrier to progress.

Of course, caution is needed. When you are dealing with personal or sensitive data, having a team point out the potential risks is a must. You need that team (or individual) to say no and to help prepare for the worst-case scenarios; otherwise, chaos would ensue, with data breaches and cyberattacks rife.

Therefore, the security department needs to convey and communicate in a way that showcases their necessity while offering alternative solutions to their “no’s” unless the risk is too great. Today, we know how valuable security is for every business, but that shouldn’t prevent the security department from being marketed in a way that promotes collaboration rather than as an entity to fight against. 

Approach

When it comes to the staff and security department relationship, first impressions count, and every security team should try to make a conscious effort with the broader workforce to leave a positive mark. 

With security awareness training and phishing prevention, don’t just bombard staff with a thick policy document and don’t let the first interaction be a slap on the wrist for clicking a malicious link or attachment.

Create a dialogue with employees and get people on board with why security awareness training is essential and what benefits it brings. Sell it as a learning and educational piece. Otherwise, people will resent receiving the emails, which can have a counter-productive effect. Rather, look to build a positive relationship from the beginning so that people are willing to contact the security team in the event of an incident.

Security professionals need to think more like 'marketers' than 'trainers' to change employee behavior, and use the art and craft of storytelling to spread a message. Ultimately, perceptions matter. If people feel like they are part of the team, they will perform better, so avoid alienating or reprimanding them when mistakes are made. The workforce requires the same level of education, empathy and understanding as anyone else would. Remember, they aren't the security experts, but they can be trained to think like them. Such a change can prove priceless in helping secure the organization.

The security department has gone through its own evolution. No longer is it disregarded and found in the back room or basement of the building. Much like how cybersecurity is viewed, it is front and center and an integral asset of any business. By conveying this message in a clear, collaborative and transparent way, engagement with staff can only be beneficial, and from here, the foundations of a strong security culture can be formed.


Culture

It may once have seemed unfathomable to associate culture with security, but research indicates the two are closely linked.

In the ever-increasing landscape of social engineering and the challenge that human factors bring to businesses today, top-level management must understand the risk and impact of security awareness, behaviors and culture.

We define security culture as: the ideas, customs and social behaviors that influence an organization’s security. This definition makes it clear that security culture is a combination of thought processes and knowledge, the habits that employees have adapted and the behaviors that are demonstrated when in the workplace. By workplace, we mean any such place where employees perform their work. Security is defined more broadly. 

With this definition in mind, organizations should focus their efforts on a combination of employee engagement with assessments and training, improving processes and procedures and implementing technology that makes it easy for the employee to do the right thing.

From this point, security champions within your organization will begin to appear, and these individuals can be the role models for good behavior regarding security best practices. Highlight and reward their achievements, and you will quickly notice a change in culture. This is due to the bandwagon effect. In short, people are more inclined to alter their behaviors if they see other people acting that way.

Follow this up with positive reinforcement and engagement to make them feel part of the process. For example, ask them, "What do you think makes a good password?" or "Great spot identifying that phishing email; what gave it away?"

Secure Together

By having staff care about security, you will have built a strong foundation whereby security values are woven through the fabric of the organization, and this can grow into something sustainable for the long term. 

Thankfully, we are beginning to reach a stage where CISOs and security executives now commonly cite security culture as being a critical element of their security posture. With that said, there is still a long road ahead. Continue to invest in the necessary technology defenses for your business but ensure that your organization’s decision-makers are allocating resources to the most critical part of the security infrastructure: the human element. 
