With all the security breaches in 2014, no organization can have failed to realize that cyber risk is now part of ongoing organizational risk. Information security is considered right at the top with disaster recovery and business continuity.
And every organization struggles with ensuring their staff and employees don’t introduce additional security risk on top of all the external security risk. Yet many companies only provide employees with annual, often repetitive, security training on passwords, tailgating, phishing and maybe compliance. We “go through the motions” and treat information security training as a “checkbox”
It is typically a practice rooted in outdated learning modalities, and this is not the best way to raise the security DNA of organizations as a whole. Just going through the motions in a classroom or online training session isn’t going to change employee attitudes and behavior.
Here are some cyber awareness programs that have been put into practice and generate measurable benefits without over-burdening the organization.
1. Obtain an executive sponsor to champion internal cyber security
2. Create an ongoing program that invites everyone in the company to be a mini-cyber security observer
3. Use your existing security tools or freely available tools to provide ongoing relevant feedback on a continuous basis
Sounds simple, right? Well, the key is in execution. Here’s how we do it at Websense:
Naturally, we have new hire security training and annual security training. Most 21st century companies invest in at least this level of security awareness.
But then we go further: we deputize every employee and provide a mechanism for them to identify security risks and issues though a program called Catch of the Day (CotD). Through CotD any employee can submit any security issue to our email list –physical, IT, spam, phishing, etc. It’s a way to have everyone start to think about security on a regular basis and find problems we need to resolve as an organization.
Here’s a more detailed list:
- Physical security such as unlooked doors, suspicious individuals, tailgaters, discarded badges
- Under credentialed IT assets – such as Sharepoint, routers and servers
- Internet risks – corporate assets in the wild
- Cyber security issues – Spam, Phishing, phone scams, etc.
The CotD submissions are reviewed by security ops and the CISO team on a regular basis.
Once a quarter, at the all hands company meeting – a CotD winner is presented a cash award by our CEO. Our CEO is also our executive sponsor.
One piece of advice: look to your current security solutions and freely available solutions to educate and empower users. At Websense we use our own email security gateway which wraps embedded URLs and sends them to the cloud for analysis. With this technology, users can be educated by returning an educational URL wrap such that if a user clicks on a link that is suspicious or malicious they get a warning web page, not the malicious content. That way, it’s preventing damage to our organization, as well as educating users.
