Cybersecurity Cultures Aren’t Built in a Day
Do your users look at every link in every email with suspicion, even if it appears to come from an internal email address? Do they treat each social media link as a potential danger to the well-being of their friends and family? Or do they think it's crazy that they can't share the latest "Find Gas Here" app with their co-workers?
Training a Culture of Cybersecurity
Initial and annually recurring training is a requirement in most organizations, but how effective is it? Are we simply repeating the same training course, giving the same generic test, stoically checking the same box year after year? If the talk around the water cooler consists of "Did you get your training done?" along with advice on how to speed through and pass the test, then you're in trouble. These are the same employees who right now have any number of ransomware-laden emails sitting in their inboxes, just waiting for one fateful click. Did you hear that? That 'click' is the sound of your system being compromised before your very eyes.
A culture of cybersecurity awareness does not just happen by itself, and it is not built in a day. There is no magic training course you can put all your users through that will impart that instinctive questioning of every link in every email and social media post. In fact, many computer-based training (CBT) programs achieve exactly the opposite: they foster a "mandatory for compliance" culture in which finding the fastest and easiest way to complete the task takes priority over learning the material, so everyone can get back to "what is important." Trust me, I've been there!
We can’t avoid the regulatory requirements, but we can make sure that the annual training course is not the only time network security is mentioned all year.
Tips to Help Build Your Culture of Cybersecurity Awareness
Send out periodic security reminders (about every two weeks) based on the latest news headlines. Current events work as lures for the bad guys; make them work for you.
- Hurricane relief efforts (phishing attacks)
- The HBO Hack
- NotPetya cripples FedEx's European TNT Express division (patching and network segmentation)
Run regular training seminars with guest speakers and pizza.
Combine outsourced and internal social engineering assessments to reinforce training, test whether it took hold, and identify new training objectives.
Add an incentive for outstanding performance with an email announcement to the organization.
- Amazon gift certificate
- ½ day Friday
- Free donuts and coffee
- Performance bonus
- Be sure that security top performers (individual or section) are identified and publicly rewarded
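Social engineering assessments and public recognition of top performers both depend on scoring the results the same way every time. The following is an added example and not code from the original post: a small Python scorecard that runs over constructed phishing-simulation results (the record fields, lure themes and sample users are hypothetical) and produces per-section click and report rates, ranks sections for recognition, lists the people who clicked without reporting for follow-up training, and shows which lure themes worked, which is where the next reminder topics and training objectives come from.

```python
"""Phishing-simulation scorecard: turn raw assessment results into the
metrics an awareness program acts on.

Added example, not from the original post. The record layout and the
sample campaign below are constructed for illustration; real results
would come from whatever platform ran the assessment.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Result:
    user: str
    section: str
    theme: str                    # lure theme used in the simulated email
    clicked: bool                 # followed the link or opened the attachment
    reported: bool                # used the report button / abuse mailbox
    report_minutes: Optional[int] = None  # minutes from delivery to report


# Constructed sample data for one simulated campaign (hypothetical users).
SAMPLE_RESULTS: List[Result] = [
    Result("alice", "finance", "hurricane relief", False, True, 4),
    Result("bob", "finance", "hurricane relief", True, False),
    Result("carol", "finance", "password reset", False, True, 12),
    Result("dave", "ops", "hurricane relief", False, True, 30),
    Result("erin", "ops", "password reset", False, False),
    Result("frank", "ops", "password reset", False, True, 2),
    Result("grace", "sales", "hurricane relief", True, False),
    Result("heidi", "sales", "hurricane relief", True, False),
    Result("ivan", "sales", "password reset", False, False),
]


def _rate(hits: int, total: int) -> float:
    return round(hits / total, 3) if total else 0.0


def section_scorecard(results: List[Result]) -> Dict[str, dict]:
    """Per-section click rate and report rate.

    A low click rate alone is not the goal: a section that never clicks but
    never reports either gives the SOC no early warning, so both are kept.
    """
    by_section: Dict[str, List[Result]] = defaultdict(list)
    for r in results:
        by_section[r.section].append(r)
    card: Dict[str, dict] = {}
    for section, rows in by_section.items():
        n = len(rows)
        card[section] = {
            "users": n,
            "click_rate": _rate(sum(r.clicked for r in rows), n),
            "report_rate": _rate(sum(r.reported for r in rows), n),
        }
    return card


def rank_sections(results: List[Result]) -> List[str]:
    """Sections best-first: lowest click rate, then highest report rate.
    The first entry is the section to recognise publicly."""
    card = section_scorecard(results)
    return sorted(card, key=lambda s: (card[s]["click_rate"], -card[s]["report_rate"]))


def retraining_targets(results: List[Result]) -> List[str]:
    """Users who clicked and did not report: the follow-up training list.
    Someone who clicked and then reported still gets credit for reporting."""
    return sorted(r.user for r in results if r.clicked and not r.reported)


def theme_effectiveness(results: List[Result]) -> Dict[str, float]:
    """Click rate per lure theme. The themes that work against your users
    are the next reminder topics and training objectives."""
    totals: Dict[str, List[int]] = defaultdict(lambda: [0, 0])  # [clicks, sent]
    for r in results:
        totals[r.theme][0] += int(r.clicked)
        totals[r.theme][1] += 1
    return {theme: _rate(c, n) for theme, (c, n) in totals.items()}


def time_to_first_report(results: List[Result]) -> Optional[int]:
    """Minutes until the first report: the window the SOC has to pull the
    message from other inboxes before more people click."""
    times = [r.report_minutes for r in results
             if r.reported and r.report_minutes is not None]
    return min(times) if times else None


if __name__ == "__main__":
    for section, m in section_scorecard(SAMPLE_RESULTS).items():
        print(f"{section:8} click {m['click_rate']:.0%}  report {m['report_rate']:.0%}")
    print("best section:", rank_sections(SAMPLE_RESULTS)[0])
    print("retrain:", retraining_targets(SAMPLE_RESULTS))
    print("themes:", theme_effectiveness(SAMPLE_RESULTS))
    print("first report after", time_to_first_report(SAMPLE_RESULTS), "min")
```

The report rate is deliberately weighted alongside the click rate: a section that reports quickly gives the SOC time to purge a real phishing message from other mailboxes, which matters more than a perfect no-click score.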
Get the C-Suite and IT Leadership involved and supporting the mission.
- The CEO or COO can send out a security reminder email once or twice a year
- Regular attendance of training seminars by leaders who can answer security questions and show support
Cybersecurity cultures aren't built in a day; they grow over time. When leadership from the top down engages employees with consistent and interesting training programs, along with rewards and recognition for performance, everyone begins to see the importance of their individual contribution to the well-being of the organization. From which workstation will your company's final 'click' be heard?