October is Cyber Security Awareness Month, an annual initiative which started in 2004 to remind businesses and individuals of cyber security risks. Security agencies around the world are promoting awareness with information and events. The EU agency ENISA is highlighting the challenge of combating phishing with its #ThinkB4UClick campaign. The UK Cyber Security Council has links to recent articles on cyber security awareness, and the US National Cybersecurity Alliance is using the #BeCyberSmart tag for everyone to post and access safety tips and reminders via social media.
Whilst it is important to put the spotlight on cyber security challenges and awareness annually, we do need to be vigilant all year round. Over the last year we have seen the number of phishing attacks grow and become increasingly sophisticated and personalised to users based on their roles in companies and organisations. This is making it even harder for users to identify potentially malicious emails, SMS and social media messages.
Phishing is not the only aspect of cyber security that needs to be addressed as part of a cyber security awareness programme, but because employees are the target of every phishing attempt, it is the most crucial aspect to address. Employees are still the last line of defence and, with more and more time spent outside of the office, they are also in a precarious position without colleagues by their side to check and validate whether an email is authentic or not.
Businesses are now placing cyber security as one of their highest risks and challenges, and leaders are looking to encourage good security behaviour throughout their organisations from the top down. What many companies are realising is that they need to establish a cultural change and proactive approach to addressing cyber security throughout the workforce via effective education and awareness. Such programmes are fundamental to company risk management.
It has often fallen to IT managers and IT departments to roll out awareness training. Whilst IT has security covered from a technical perspective, and can provide technical support, it does not always have the time or skillset required to plan and deliver effective employee training over the long term. Keeping up to date with security threats and intelligence is also a challenge when you are an IT manager running IT in a small or medium-sized company. Providing a successful cyber security awareness training programme requires time and commitment from all parts of the organisation. Recent academic research [1] has shown that the most successful approach to protecting against phishing is preventative technical countermeasures running alongside well-designed, continuous cyber security training and education, which needs to be fully embedded in the organisation for the most positive results.
So, what do you need to do to build a successful cyber security education and awareness programme, and how can you ensure that everyone is on-board and it becomes part of the everyday company culture? Here are some recommendations from our experience:
Building a complete cyber security awareness programme and embracing it as part of the organisational culture
Encourage executive sponsorship to support the business objectives, whilst offering employee recognition for demonstrated behaviour. It is crucial to communicate the importance of cyber security awareness and behaviour to the workforce by promoting the programme with an executive top-down approach, and champion ownership across all areas of the business (not just IT). All staff across the organisation need to buy-in for it to be successful.
Cyber security awareness and training is not going to succeed if it is a “one off”. Deliver regular cyber security awareness training to everyone in the organisation, whatever their role. This can be done through engaging and digestible video content on relevant threats and best practices for all employees. Tailor training and awareness to staff depending on their role: if videos don’t work for time-strapped executives, consider micro-learning, and think about tailoring sessions for specific departments and functions that are more at risk, such as finance or accounts payable.
Keep the campaign visible and include reminders of the threats and the importance to be vigilant in the everyday workspaces. This can be done with impactful posters, newsletters, and screen savers that are refreshed regularly.
Make sure all potential phishing threats are reported by empowering users to feel confident in spotting them, and offer second-opinion reassurance when they report emails that they think might be malicious. This can be done by providing a simple email plug-in for all employees to report suspected malicious emails to the IT team, linked to the reward scheme.
Encourage your workforce to care about cyber security by developing a change in behaviour and mindset through rewarding any potential threat spotted. Staff can be inspired to care about protecting the organisation through recognition and reward schemes.
A cyber security awareness programme should be measurable and show improvements in awareness and the effectiveness. Start by conducting a phishing simulation with relevant content and threats, to measure the current awareness state and create a benchmark for improvement. It is important to keep executives and other stakeholders on board by producing regular progress reports.
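The report button described above and the simulation benchmark described here produce the same kind of data: a stream of per-user events for each campaign. The script below is an added example, not School of Phish’s own tooling, showing how that stream can be turned into the benchmark and progress figures a programme needs. It assumes the simulation platform and the report plug-in emit events of the form (campaign, user, event, seconds after delivery), with event names sent, opened, clicked, submitted and reported; those field names and the sample events are constructed for illustration. Besides the raw click rate it computes the two figures practitioners usually care more about: how many users reported the lure without ever clicking it, and how quickly the first reports arrive, since early reports are what let IT pull a real phish from other inboxes.

```python
"""Phishing-simulation metrics from a report-button event stream (added example)."""
from collections import defaultdict
from statistics import median

# Constructed sample data: two campaigns, one quarter apart, sent to the same six users.
# Tuple layout: (campaign, user, event, seconds after the lure was delivered).
EVENTS = [
    ("2023-Q3", "alice", "sent", 0), ("2023-Q3", "alice", "clicked", 120), ("2023-Q3", "alice", "submitted", 180),
    ("2023-Q3", "bob", "sent", 0), ("2023-Q3", "bob", "clicked", 300), ("2023-Q3", "bob", "reported", 360),
    ("2023-Q3", "carol", "sent", 0), ("2023-Q3", "carol", "opened", 60), ("2023-Q3", "carol", "reported", 900),
    ("2023-Q3", "dave", "sent", 0),
    ("2023-Q3", "erin", "sent", 0), ("2023-Q3", "erin", "clicked", 45),
    ("2023-Q3", "frank", "sent", 0), ("2023-Q3", "frank", "reported", 200), ("2023-Q3", "frank", "reported", 250),
    ("2023-Q4", "alice", "sent", 0), ("2023-Q4", "alice", "reported", 100),
    ("2023-Q4", "bob", "sent", 0), ("2023-Q4", "bob", "opened", 30), ("2023-Q4", "bob", "reported", 150),
    ("2023-Q4", "carol", "sent", 0), ("2023-Q4", "carol", "reported", 40),
    ("2023-Q4", "dave", "sent", 0), ("2023-Q4", "dave", "clicked", 600),
    ("2023-Q4", "erin", "sent", 0), ("2023-Q4", "erin", "reported", 70),
    ("2023-Q4", "frank", "sent", 0),
]


def first_event_times(events):
    """Map (campaign, user) -> {event: earliest ts}. Repeated events (e.g. two reports) keep the earliest."""
    first = defaultdict(dict)
    for campaign, user, event, ts in events:
        key = (campaign, user)
        if event not in first[key] or ts < first[key][event]:
            first[key][event] = ts
    return first


def campaign_metrics(events):
    """Per-campaign rates, each expressed as a fraction of the users the lure was actually sent to."""
    first = first_event_times(events)
    per_campaign = defaultdict(list)
    for (campaign, _user), evs in first.items():
        if "sent" in evs:  # ignore users with no delivery record
            per_campaign[campaign].append(evs)

    out = {}
    for campaign, users in sorted(per_campaign.items()):
        n = len(users)
        clicked = [u for u in users if "clicked" in u]
        submitted = [u for u in users if "submitted" in u]
        reported = [u for u in users if "reported" in u]
        # A report is "clean" only if the user never clicked, or reported before clicking.
        clean = [u for u in reported if "clicked" not in u or u["reported"] < u["clicked"]]
        out[campaign] = {
            "sent": n,
            "click_rate": round(len(clicked) / n, 3),
            "submit_rate": round(len(submitted) / n, 3),
            "report_rate": round(len(reported) / n, 3),
            "clean_report_rate": round(len(clean) / n, 3),
            # seconds until the typical reporter hit the button; None if nobody reported
            "median_report_s": median(u["reported"] for u in reported) if reported else None,
            # reports per click; None (not infinity) when nobody clicked, so a tiny pilot cannot look "perfect"
            "reports_per_click": round(len(reported) / len(clicked), 2) if clicked else None,
        }
    return out


def progress(metrics, baseline, current):
    """Change in each rate from the benchmark campaign to the current one, in percentage points."""
    b, c = metrics[baseline], metrics[current]
    keys = ("click_rate", "submit_rate", "report_rate", "clean_report_rate")
    return {k: round(100 * (c[k] - b[k]), 1) for k in keys}


if __name__ == "__main__":
    metrics = campaign_metrics(EVENTS)
    for campaign, m in metrics.items():
        print(campaign, m)
    print("change since benchmark (pp):", progress(metrics, "2023-Q3", "2023-Q4"))
```

In the constructed data the click rate falls from 50% to about 17% between the two campaigns, but the more telling movement is the clean report rate doubling and the median time to report dropping from six minutes to under a minute and a half: those are the numbers that show the report button is being used, and they are what to put in front of executives alongside the click rate.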
Implementing a cyber security awareness programme, that is embedded in the culture in this way, can improve commitment to information security across the organisation, while improving staff morale and confidence, and reducing exposure and risk for the organisation as a whole.
Typically IT departments are tasked with implementing and managing employee cyber awareness programmes. Tools and platforms for delivering cyber awareness training content and simulations are available on the market, but IT departments frequently do not have the resources or knowledge to effectively deliver the ongoing training and cultural organisation change that is required. The managed service provided by School of Phish comes into its own in these circumstances, by putting the responsibility into the hands of specialist cyber security and training experts, with the experience and focus to deliver real results.
Read more about School of Phish’s services here or contact us to discover more about the School of Phish approach.
[1] Research by the University of Sussex Business School and the University of Auckland, http://www.sussex.ac.uk/broadcast/read/53768