Cybersecurity is a combination of technology, people and organisation. People are essential for coping with digital threats to an organisation: technology creates the conditions, the organisation makes the processes comprehensive, and the people carry the responsibility. Making people aware of the importance of cybersecurity is therefore crucial to the success of the organisation. Which steps should you take as an organisation to increase security awareness within your organisation?
Step 1: What is the reason to increase security awareness within the organisation?
Before starting a process to increase security awareness within an organisation, it is important to know exactly why it is being done. The most effective way to find out is to interview the person responsible for the security policy within the organisation (usually the CISO). This gives insight into the events that are the immediate reasons for the organisation needing to become more security aware. Do changes in legislation or regulations play a role? Has the organisation been hacked in the past? Have other security breaches recently taken place?
This is also the time to evaluate measures taken previously and campaigns that have already been rolled out to influence employees. This way we find out which initiatives have been successful and whether they fit the intended target group.
Step 2: Perform a baseline measurement
A baseline measurement takes place before the implementation of a security awareness programme starts. Determining the current status of knowledge, attitude and behaviour with regard to security within the organisation is indispensable. A baseline measurement is usually carried out by means of a survey, which can be distributed organisation-wide or only to a selected group of employees. The survey covers typical knowledge questions (Do you know what the password policy is? What may you save locally and what in the cloud?), and deviations from the desired attitude towards the policy are mapped by asking employees what actually ‘happens’ within the company. We also ask about the behaviour of the person being interviewed (Do you shut down your computer in the evening?). Based on the results of the survey, a statement can be made about the extent to which undesirable behaviour occurs, and we determine which of the three aforementioned topics (knowledge, attitude and behaviour) should be the focus. By repeating the survey at a later date, you can measure whether the goal has been achieved.
Step 3: Establish priorities
Together with the person in charge of the awareness programme, determine which issues must be dealt with first. This prioritisation is based on their importance for the organisation. In this context, the direct financial consequences of a possible incident can be examined: what is the impact of a system failure caused by a hack (what is the organisation’s revenue loss if products cannot be delivered, or what impact does a data breach have on the company’s share price)? Indirect costs (for example, reputational damage) and negative long-term effects (for example, because laws and regulations are not complied with) also play a role in these considerations.
Step 4: Create a tailor-made action plan
As stated before: technology creates the conditions, the organisation provides the processes, and the people carry the responsibility. Educating people is crucial for the success of the organisation. An awareness programme focuses on transferring knowledge and/or changing the attitude and behaviour of employees. In this phase, it is determined which means best suit the message the organisation wants to convey. The possibilities are very diverse. In some cases, organising a few workshops is sufficient to realise the intended change, but often more is needed, especially in knowledge-oriented processes. Online training courses are used more and more. Involvement of the organisation’s management is essential; training middle management helps to spread the message within the organisation. To let employees experience the consequences of security breaches and thus make a lasting impression, gamification is increasingly used. The use of mystery guests who expose vulnerabilities within the organisation also draws extra attention to the subject and sometimes even produces a shock effect. In addition, employees and management can be informed in relatively little time by addressing existing work meetings. Coffee cups, flyers, posters and articles in the organisation’s newsletter ensure that the message stays constantly in the spotlight.
Step 5: Monitor & optimize
To ensure that people within an organisation remain security aware, a regular ‘refresher’ is required. The message must be brought to the employees’ attention again and again, so that security awareness becomes part of the organisation’s DNA. Regular measurements are necessary to determine whether the desired effect is (still) being achieved. Based on the outcomes of these checks, the security awareness programme then focuses on new targets (plan-do-check-act).
Tesorion has a lot of experience with the implementation of security awareness programs.