“We visit sites and try to raise their security awareness”
This quote is from the book “The Cuckoo's Egg” by Clifford Stoll, which was published in 1989 (an InfoSec must-read). For as long as there have been computing devices, particularly those that are networked, people have been aware of security, and this is the earliest reference I remember seeing to security awareness as a process in its own right (there will, I’m sure, be older references).
My point is that security awareness, or rather the need to promote it, is nothing new. In a recent survey by the UK Government, one third of respondents that had experienced a data breach thought that lack of staff security awareness was a contributing factor.
It’s surprising then that far too often organisations are not doing more to raise awareness, but why is this? Let’s take a look at a few of the challenges.
Justifying the time, resources and budget required to run an effective security awareness programme can be difficult. When it comes to more tangible and traditional purchases (a new server or firewall, for example), we’re more than comfortable performing cost/benefit analysis and calculating our return on investment (ROI). It’s generally quite easy to articulate to management the exact costs, why we need the budget and what will happen without it.
Applying the same approach to user awareness isn’t so straightforward. If an effective business case is to be built, a different mindset is required. For example, trying to calculate ROI can be difficult, especially if your organisation has never experienced an incident that was directly attributed to lack of security awareness. With no obvious tangible gains, we must turn to the intangible. These will typically include a more engaged workforce, improved communication between InfoSec and the business, and of course, higher levels of awareness. Ultimately, this means that your business is more likely to detect a potential threat, and to respond to it more efficiently.
Too often our employees are overwhelmed by policies and procedures, guidelines and rules, ‘dos and don’ts’. The end result can be a catastrophic lack of understanding, and general apathy towards InfoSec. A 2015 UK government survey found that 72% of organisations who felt their policies were poorly understood had experienced staff-related breaches.
A formalised InfoSec awareness programme is a platform we can use to fix some of this, help employees to understand the aim of these policies, and provide an opportunity for them to question and contribute their own views and experiences. It can also be really good PR for the InfoSec arm of your organisation, especially if your training includes advice they can take away and apply to their personal digital world.
Of course, if your organisation has a regulatory reason to be running InfoSec awareness activities then getting resources and funding shouldn’t be as difficult. Be cautious though, as there’s a difference between obtaining funding and obtaining buy-in from management. For your awareness message to be heard, it must be supported from the top down, and seen as a valuable process rather than just another tick in a box. Of course, you must meet your compliance obligations (for example PCI DSS), but going above and beyond helps to ensure maximum value.
Another challenging aspect of awareness training is creating the content itself. You first have to consider the target audience, which in most organisations will be wide and varied. A good awareness programme will deliver value to everybody that attends it, regardless of their technical capability. Finding that balance can be difficult, and all too often training can become overly technical, failing to address our central goal of raising awareness and changing habits.
It’s also crucial that awareness training content evolves over time. It must stay relevant and include references and examples that people are familiar with. Pushing out the same training every twelve months is simply not enough on its own, if we’re to maximise the usefulness of this process. Updating your awareness content is also crucial if you’re to stay au fait with industry and regulatory developments. PCI DSS, for example, recently (as of July 1st 2015) made it a requirement for point of sale (POS) devices to be protected against physical tampering. This means, amongst other things, that the awareness programme would need to be updated to ensure your staff are educated about how to detect and report suspected tampering or substitution of these devices.
It takes quite a specific skill set to deliver effective awareness training, and to be able to engage with the audience and field questions. The trainer must of course be comfortable speaking to a group, and have the ability to maintain a good pace and the attention of the room. But a second skill, equally if not more important, is being able to articulate very technical and complex ideas, problems and solutions in a way that the audience will understand. The trainer must also be realistic, honest and practical in their approach. Any advice given must be simple and accurate; I’ve witnessed a trainer undermine everything they’ve said simply by giving unrealistic advice and becoming defensive when questioned.
The elephant in the room
There’s no avoiding this problem, and it’s one I’ve seen more times than I care to mention. In the course of your InfoSec training programme, and in the good practices and advice you issue, you will almost inevitably encounter areas where your organisation is lacking. The challenge here is that management or trainers may shy away from these areas, omitting them from training to avoid confronting them.
For example, you may instruct your employees never to share passwords, only to find out that your IT helpdesk regularly requests them for support tasks. Or maybe you’ll explain the risks of web browser certificate errors, whilst simultaneously instructing users to ignore them on internal websites.
Instead of avoiding these issues, and so failing to raise awareness of them, tackle them head on. Seize the opportunity to improve wherever possible, and where that is not possible, be open and honest with your audience.
Putting together an InfoSec training programme is undoubtedly a challenging task, but there are some key elements that, if addressed, will help to deliver real value to your organisation. With security incidents increasingly being attributed to human factors such as social engineering and human error, any organisation that fails to educate its employees is failing to secure its business.
To contact Nettitude’s editor, please email firstname.lastname@example.org