KnowBe4’s Chief Evangelist and Security Officer, Perry Carpenter, discusses how to protect your organization’s data from an often-overlooked risk.
Organizations set up all sorts of technology-driven safeguards to help them protect their own and their customers’ data. These investments are often well worth it, but they’re not enough. Technology safeguards don’t address one critical risk that every organization, regardless of size or industry, has: its people.
Let’s take a look at seven considerations for launching a security awareness program that accounts for the important “people component” of security awareness.
1. A Process, Not an Event
Most companies take time at least once a year to provide employees with training about how they can help protect the organization’s data. They pack people into a room and talk about security for a couple of hours and then check a box to indicate to the compliance office that they did it. And then they move on to the next thing.
Unfortunately, that’s not enough.
An annual in-service, a required webinar or even a great Cybersecurity Awareness Month series of events is not a security awareness training program. So, what is? A strategically considered combination of actions and activities based not just on information and policies, but on behavior.
2. A Focus on Changing Behavior
Security awareness is not information only. It’s information and behavior.
There will always be an information component to any security awareness program. If you’re a regulated organization, or you’ve got policies you need to expose people to, or if you need to expose people to the fundamentals of a scam or some critical nugget of information, there will be information that needs to be delivered.
But that’s really just a starting point.
An effective security awareness program will focus on changing behaviors. Testing is one way of doing this: for instance, running a phishing simulation in which the user either clicks the link, reports the phish, or does nothing and ignores the bait.
Here’s the thing: People need to be put in situations where they will have to make a decision that will determine if the organization gets breached or not. They need to be able to fail safely.
Simulations such as these are proven to help change behavior over time. Frequent simulated phishing tests help build reflexes and muscle memory that drive behavior automatically, until those behaviors become habits.
At least every 30 days, put employees through a simulated social engineering test, such as a phishing test, to keep protective security actions front of mind.
3. Use Quality Communication Materials
What do the security awareness communication materials in your organization look like? If you’re like many organizations, they’re old documents that have been copied and recopied until the text is blurry and even members of the IT department don’t want to read them.
Security leaders will do themselves and their organizations a favor by committing to produce quality communication materials. Anything you put out in front of employees has to be as good as – or better than – what the organization typically produces. Otherwise, security will be seen as “less than,” an afterthought.
Take the importance of quality communication materials to heart. If you cut corners, if you strive for “good enough,” if you just quickly get stuff out there to say you did it, you create a bad reputation for security awareness and – by extension – your team.
4. Different Strokes for Different Folks
The problem is that different people process information differently. For instance, each of us browses through Netflix and gravitates toward the types of content that match our entertainment preferences. As employees, we approach the information around us in the same way.
Different types of content, different styles, different lengths of time and a whole host of other considerations each resonate with employees differently. There is no one-size-fits-all piece of content. Relevant engagement is ongoing and individualized.
This can be accomplished through self-service learning options where employees can access the information and education they need, when they need it. Options can range from “Ask Me Anything” resources, entertaining webisodes and short webinars to policy collections and any number of other resources that are always available, easy to access and easy to consume.
Because there is no one-size-fits-all piece of content or approach, you also need to consider the learner’s role. Your customer service staff need different information than your IT staff in terms of security awareness. Training should be based on role and individual needs, not whatever training material is most conveniently at hand. People may have entirely different learning styles; some people respond better to three- or five-minute funny videos, others — executive-level staff, for instance — may find comic material condescending.
5. Focus on Moments of Need
Information should be delivered as close to the time of need as possible. The first need for security awareness happens when a new employee joins the organization. There are a wide range of other moments of need, depending on the employee’s role and function and the people they interact with. Other moments of need may include setting up a new password, sending a secure file transfer, learning the appropriate use of certain systems, etc.
What opportunities does your organization have to deliver just-in-time learning based on moments of need?
6. Multichannel Marketing Campaigns
How do companies communicate with their audience? Through multichannel marketing campaigns that use specific messaging for specific audience segments delivered through a wide range of channels to ensure awareness and repetition and, ultimately, to generate some type of action.
Your security awareness efforts should follow the same strategy.
You should have different types of content, being delivered at different times, targeting different audiences and communicated through various channels.
At the end of the day, you’re trying to change hearts and minds. That takes time and repetition.
7. Metrics, Reporting and Pulse Checks
To be effective at anything, we need metrics. Security awareness is no exception. We need to know where we are, how we’re doing and whether we’re closing security gaps.
There is also a need for surveys and assessments to know how well your content and training are resonating with people.
Think of these assessments as providing periodic pulse checks to help you understand some subtle nuances of what kind of culture you have within your organization.
Pulse checks help determine where the organization is at a given point in time. This information is subtly different from metrics because it gets into things that are harder to quantify, like opinion, frame of mind or preferences.
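Added example, not from the article or from KnowBe4's platform: a small Python script over constructed simulated-phishing results that computes the kind of metrics section 7 calls for from the click/report/ignore outcomes described in section 2, per campaign and per role, and flags where the 30-day test cadence slipped. The record layout, role names and dates are all assumptions made up for the example.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample results from three monthly simulated phishing tests.
# Each record: (campaign date, employee role, outcome), where outcome is one
# of the three responses the article describes: click, report, or ignore.
RESULTS = [
    ("2024-01-15", "customer_service", "clicked"),
    ("2024-01-15", "customer_service", "ignored"),
    ("2024-01-15", "it", "reported"),
    ("2024-01-15", "it", "clicked"),
    ("2024-02-12", "customer_service", "reported"),
    ("2024-02-12", "customer_service", "clicked"),
    ("2024-02-12", "it", "reported"),
    ("2024-02-12", "it", "ignored"),
    ("2024-03-25", "customer_service", "reported"),
    ("2024-03-25", "customer_service", "ignored"),
    ("2024-03-25", "it", "reported"),
    ("2024-03-25", "it", "reported"),
]

def _rates(counter):
    total = sum(counter.values())
    return {"click_rate": counter["clicked"] / total,
            "report_rate": counter["reported"] / total}

def campaign_rates(results):
    """Click and report rate per campaign, keyed by ISO date (the trend to watch)."""
    by_campaign = defaultdict(Counter)
    for when, _role, outcome in results:
        by_campaign[when][outcome] += 1
    return {when: _rates(by_campaign[when]) for when in sorted(by_campaign)}

def role_rates(results):
    """Click and report rate per role, to spot where role-based training is needed."""
    by_role = defaultdict(Counter)
    for _when, role, outcome in results:
        by_role[role][outcome] += 1
    return {role: _rates(c) for role, c in by_role.items()}

def cadence_gaps(results, max_days=30):
    """Pairs of consecutive campaigns more than max_days apart (cadence slipped)."""
    dates = sorted({date.fromisoformat(when) for when, _, _ in results})
    return [(a.isoformat(), b.isoformat())
            for a, b in zip(dates, dates[1:]) if (b - a).days > max_days]

def is_improving(results):
    """True when the latest campaign has fewer clicks and more reports than the first."""
    rates = list(campaign_rates(results).values())
    first, last = rates[0], rates[-1]
    return (last["click_rate"] < first["click_rate"]
            and last["report_rate"] > first["report_rate"])
```

With the constructed data, click rate falls from 50% to 0% while report rate rises from 25% to 75%, and the February-to-March gap of 42 days is flagged as a cadence slip.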
What Makes KnowBe4 Unique for Security Awareness Training
Established in 2010, KnowBe4 is the world’s most popular security awareness training and simulated phishing platform, serving more than 35,000 organizations and some 25 million users. We use AI and machine learning to help systems get smarter by better understanding the nuances of how different people learn. Pluggable integration with traditional security tools is offered to provide behavioral insights. Customer-generated, real-world phishing examples are folded into our simulation platform. Communications are adapted based on the ways individual employees behave, the types of risks they can expose the organization to and the inherent risks that relate to their role in the organization.