Good news. Bad news. The bad news is that cyber security threats to businesses are increasing exponentially every day. But then, you already knew that. The good news is that the best defence against these ever-growing threats is already at work in your business – your staff. In 2019, 60% of the breaches that occurred due to human error.
But while businesses continue to invest millions of pounds and thousands of man-hours in deploying gadgets and trinkets to secure their organisations, little or nothing is invested in their best defence – people. And if they do, they implement a baseline programme but fail to measure and constantly improve (mature) it’s effectiveness so any initial benefit gradually fades and produces diminishing returns to the business.
What does a good security awareness programme look like?
A good information security awareness programme is the best defence but difficult to achieve. To be effective, messages must be simple, direct and repeated continuously in different guises and mediums and of course, resonate with the receivers. A one-time presentation or a static set of independent activities isn’t good enough. You’ve got to find a way to get the subject matter “in their heads” to influence the behaviour changes that deliver measurable results.
Where to start? Well, information security is dull. “Don’t share your password”; “Don’t open unknown attachments”; “Don’t leave your devices unattended”; “Don’t do this”; “Don’t do that”; “Blah, blah, blah…” Information security is usually presented to staff through a bland series of slides dictating authoritarian statements of forbidden activities announced by the I.T. Department. Unexplained, unjustified, techie-focused, work-related “computer stuff.” Who cares? What does this have to do with me?
The first objective is to design a programme that changes minds and hence changes behaviours. To do this you need to inspire people to care. To stimulate their thinking and get them generally interested in information security you need to make the subject matter personal giving them a motivation to care. How does this apply to your personal life – is an approach far more likely to get their attention than the – how does this apply to your professional life – or do it because we said so approach. Make it personal and they will listen to the message. Make it personal and you will make it effective.
Once effective, you must now concentrate on continuous improvement. Maturing the tone, tenor and content of the programme will result in increased awareness year upon year and improve the return on your investment.
What are maturity levels?
In general, there are 4 recognised levels of maturity for information security awareness programmes.
Level 1:
The curriculum is designed solely to meet audit requirements but does not engage staff or change behaviours. This level places your business at a high risk of sustaining a cyber-attack.
Level 2:
The programme meets compliance requirements and is creates awareness in staff to be security aware and identify threats. This level places your business at a low-medium risk level to sustain a cyber-attack.
Level 3:
Meets compliance requirements, creates security awareness to identify threats and is instilling cultural change in the business. This level places your business at a low-risk level to sustain a cyber-attack.
Level 4:
Does all the above and supports continuous improvement. This level places your business in a strong position to demonstrate resilience against cyber-attacks.
To benchmark your business’s current maturity level, take our Information Security Awareness Maturity Assessment.
How do you measure?
How do you quantify the extent and maturity level of security awareness? You measure it. At its inception and at least annually thereafter. If you can’t measure the effectiveness of the programme – you don’t have one. Measurement is the core principle of continuous improvement. But measure what exactly?
You need to establish key performance indicators (KPIs) in every aspect of the programme to measure and record the changes in your staff’s understanding and behaviour.
For instance, KPIs should be recorded before and after a workshop and the results of the knowledge tests following any computer-based-training session. Additionally, KPIs can be captured from responses to surveys and quizzes. These KPIs measure if staff understand information security issues and best practices.
But you need more. You need to measure the change in their actual day-to-day behaviour based on their new understanding of information security.
To obtain this measurement, you should consider conducting social engineering attacks against your staff. The responses to these attacks can also be documented as behavioural KPIs and are critical in determining if your staff now actual practices better information security. Using a variety of creative social engineering techniques, you can identify areas for content improvement.
The KPIs collected should be analysed annually to identify specific recommendations for any changes required in the following year to improve results. Essentially, you now have a roadmap for maturing the programme and increasing the security awareness culture in the business.