2019 has seen a shift in the direction and requirements of many regulatory bodies and compliance frameworks. Moving away from black-and-white, compliant-or-non-compliant box-ticking frameworks, organisations are now being asked to evaluate their security budget and controls against questions such as “Does the organization maintain and test controls that are commensurate with the size and threats to its information assets?” Now, the pessimist in me translates this as “is the organization doing enough to protect and test itself”, but the optimist thinks “what more can we be doing to protect and test ourselves”. If possible, I’d like you to keep the latter at the front of your mind throughout the rest of this article...

Security Culture and Awareness Training often fall within this compliance box-ticking bracket. We’ve all been there: completing the outdated mandatory training and having to “Read & Sign” the relevant Information Security Policies during on-boarding. And, if you’re lucky, you might get to review them again when you reach your first anniversary at the company. It does the job, and while I may love getting stuck into a juicy Clear Screen and Clear Desk policy document, I know this isn’t everyone’s cup of tea. So I have come up with some other ideas that I think are worth a discussion.

 

Configuring and Patching your Human Firewall

It is now rare for a day of media coverage to go by without some story about a cyber security incident, a breach or a negative press cycle involving our personal data online. For the few of us fortunate enough to be ‘in the know’, we can rationalise the news and form our own informed assessment of whether the latest incident could have affected us. For those who are not as well informed, this can be overwhelming and compound the anxiety that is often associated with our personal and professional online activities.

With this in mind, the training and education of your people needs to be regular, relevant and engaging. Shorter, more frequent in-person sessions that include recent incidents, demonstrations and examples of repeatable positive behaviours, coupled with interactive eLearning, are likely to have a much greater impact. These are perfect for Lunch & Learn style sessions, providing a more informal setting for employees to discuss their concerns, as well as a refresher on immediate actions and the procedure for reporting suspicious activity. They can also give the IT/Security teams an insight into your internal threat landscape, often providing new investigation leads or a forum to discuss pain points caused by changes in policy or technology.

 

“Fail to Prepare, Prepare to Fail”

I could write an entire series of blogs recounting old military clichés and stories of how important planning, rehearsals and testing are to achieving success. I’m sure it’d be a lot more interesting, and rightly so: I am yet to see a more effective way of achieving any objective. Simulations and Social Engineering testing are the rehearsal equivalent for Security Awareness, providing your people with a safe, managed environment in which to test new skills and apply the knowledge obtained through your new and improved security education program. This is what will give you the data that you, your board and your regulators are so desperately craving. More importantly, if done well, it gives your people a dry run, or a sandbox to play in, before being hit with a live incident. Individuals, departments or the entire organization can be graded on their actions and assigned risk ratings. Feedback and additional training can then be provided to those in higher-risk roles. This is where the real value is: identifying and focusing your limited resources on those that need it most.

 

Sustained and Targeted Security Awareness Campaign

The awareness campaign should be the glue that binds education and testing together. It should be sustained and coordinated at the strategic level, driven by senior leadership. This ensures the campaign maintains credibility, peaks at the appropriate time and does not conflict with any other educational initiatives. Based on previous incidents, sector and size, the threats to each organization will be different, which is why an out-of-the-box approach doesn’t really work. It must be tailored, specific and appropriate to the organisation’s culture.

The campaign should also complement the uplift in educational sessions and the testing schedule. There’s a fine balance between providing your people with the tools and knowledge they need to help secure your organization and being the fun police. One of the best demonstrations I’ve seen of this is Facebook’s Hacktober initiative: an entire month (October, US National Cyber Security Awareness Month) comprising physical and cyber simulations, workshops, inter-departmental contests and talks from subject matter experts. I understand not every company has the budget to replicate something as extravagant, but the theory should remain. Have an annual focal point, be it a week, a day or an event, and position it in the calendar in the run-up to the period when the risk to your organization is at its highest. For Financial Services this may be June, in preparation for the end of the financial year (EOFY). For those in retail, this may be November, in preparation for Christmas trading. Whenever it is, make sure it’s targeted.

 

Don’t be a Generalist, be a Specialist

I am haunted by the phrase “we need generalists, not specialists” from my past life. It probably explains why I have spent my entire career avoiding such roles. I’m a big advocate of pursuing personal interests and giving your people the freedom to inject these into a professional capacity. Supporting people’s strengths works wonders in the creative industries, and Security should be no different. Use the exposure from the increase in training and testing to your advantage. Identify those in your organization with a natural talent for, or interest in, Cyber (they won’t be hard to find, and I bet they’re not all in IT). Then start an organization-wide Security Awareness Working Group or a Security Champion initiative. It is a brilliant way of celebrating talent while providing effective communication and guidance for your employee base. Because it is entirely internal, you can invest as much, or as little, time and resources as you see fit. Even if it is just a one-hour quarterly meeting to discuss plans and updates, it’s a good starting point. In the military, this is referred to as “Train the Trainer”. Having a representative at the team or departmental level who understands the theory and is trained and empowered to escalate to the specialists when required is a game-changer. An increase in accurate incident reporting, increased participation in events and improved scores on simulations are just some of the benefits you are likely to see from initiatives such as this.

For too long the Security industry has relied on the charity of its specialists. How many times have you heard comments about a PenTester or a Dev along the lines of “when she goes home, she spends her evenings researching the latest Zero-Day” or “have you seen this r/…… thread?”. Now, I’m not suggesting that these extra-curricular activities be allowed during working hours (unless they are relevant), but they should be acknowledged. I’m sure your Sales, Legal and HR departments all have allocated budgets and support to attend the latest expos or to complete an industry-recognised certification. Security should too. This doesn’t mean you have to send your entire PenTesting team to DEF CON every year like Elad Shamir. But providing your specialists with opportunities for additional training, networking and professional development is critical to a happy and effective Security team, especially if it’s proactive and driven from the top down.

The Cyber Security skills shortage isn’t going to get any smaller if we’re content with generalism and rely on personal charity.

 

Battling the Board

As an organisation, you have a duty of care to protect your people, your assets and your reputation from all forms of risk, including information security risk. Boards should have this at the forefront of their minds. If they don’t, the regulators are now doing it for them. APRA CPS 234 devotes an entire section to Board considerations and states in the third paragraph of its executive summary:

“The Board of an APRA-regulated entity is ultimately responsible for ensuring that the entity maintains its information security”.

I understand that this is focused on APRA-regulated entities, but if your organization provides a service to, or is part of the supply chain supporting, these entities, then you too will be expected to prove this as part of an RFP, renewal or annual attestation. If that is not enough justification to warrant an increase in spend and support, I do have a few other, more diplomatic ideas…

A Security Awareness program is not solely an IT or IT Security issue. There are many stakeholders: Facilities, HR, Legal, Procurement, etc. This should be acknowledged when it comes to budget allocation and support. Security should absolutely drive the program, with the assistance of the other key business partners. If you don’t have a dedicated Security team or representative, either train someone internally or seek external assistance.

Commonly cited industry figures put around 90% of cyber attacks as targeting humans, or using humans as an avenue into an organisation’s digital or physical environment. That leaves approximately 10% for good old-fashioned network attacks. Does your annual security spend reflect this? Probably not. Nor would I expect it to. There’s nothing better than the warm fuzzy feeling of installing two of the latest NGFWs in High Availability mode with all the bells and whistles turned on. I wouldn’t want to take that away from anyone. But the statistics don’t lie, and they must be taken into account in the business case for any Security Awareness program.

As you’ve probably gathered, I’m a people person, and a firm believer that people are an organization’s crown jewels. But we are, and always will be, the weakest link in your environment. So, ask yourself: what MORE can you be doing as an organization to protect your most vulnerable, yet most prized, asset?

 


Author

Nick Forster

Security Architect