How to run a security awareness programme
By Ron Condon, managing editor, IT Security Guru
If anything is guaranteed to strike doom and gloom into the hearts of security people, it’s the prospect of starting a new security awareness programme.
Admit it, we all love choosing and installing new (often expensive) bits of kit, and getting excited about new technology. But when it comes to explaining the dangers of phishing attacks to Mavis in accounts… well, it just doesn’t have the same kind of magic, does it?
The trouble is, though, if Mavis doesn’t know about the dangers of phishing emails, her ignorance could scupper all your efforts on the technology front. By clicking on the wrong link, or by giving away her user credentials, she just might open up your systems to the wrong kind of people.
So admit this too: security awareness is vital, and a properly run security awareness programme can be the best investment you ever make.
But how do we make security awareness programmes effective? How do we plant the messages in users’ minds, and then ensure they stay alert?
IT Security Guru recently gathered a group of seasoned security professionals to see what ideas they could come up with, and they did not disappoint. What they all agreed on was that awareness programmes, especially the good ones, are worth every penny spent on them.
In the words of Stephen Bonner, a partner at KPMG: “Security awareness programmes are the least invested in, but also the most effective [security activities]. And while doing it well is cheap, doing it badly can be really expensive.”
Vicki Gavin, Head of Business Continuity and Information Security for the Economist Group, echoed that view: “We need to work to develop a ‘human firewall’ of people who prioritise security and understand what can happen when security fails.”
And, paradoxically, security-savvy users become even more important as the technology gets better at beating off attackers. “When the technology gets hard to crack, the hackers go for Layer 8 (i.e. users),” said Thom Langford, CISO at Sapient.
Get the board on your side
The group agreed that any programme needs not only the buy-in of the board but also its active engagement. In other words, the board should not just approve the funding; its members should visibly lead by example so that the rest of the organisation can see their support.
That can be easier said than done, and it can be hard to maintain the interest of board members over a period of time. “To keep the board interested, you need to show the programme worked, and show results,” said Gavin. “Talk about risk reduction, even mention near misses.”
Other suggestions included tracking the number of laptop thefts (which should fall as awareness grows), and measuring the cost of the programme per user, which should show what a bargain it really is.
Build a security culture
The whole aim of any awareness programme is to build a culture among users that ensures they can recognise the signs of anything unusual going on – from the dodgy phishing email to a colleague behaving recklessly or strangely. “People should at least know who to ask or to report to if they think something funny or wrong is taking place,” said Shan Lee, head of information security for Just Eat.
Awareness, however, is not enough. As Stephen Bonner explained, as motorists we are all aware of speed limits, but few of us would claim never to have exceeded a speed limit. Awareness is not the same as compliance. So any user programme needs not only to create a general awareness of the issues at stake, but also needs to change behaviour in a fundamental way.
To do that, the security department must commit to a continuing and unrelenting campaign to keep the message fresh in people’s minds. The old approach, getting new employees to sign a form saying they have read the security policy, no longer cuts the mustard.
The campaign needs to work on a variety of levels. For instance, bribing people with a Learn and Lunch event can boost attendance and provide a platform for getting across a security message.
Also exploit the skills of other departments. For example, your communications department or email marketing people will have plenty of ideas, and will be able to package messages effectively to gain attention. Get a regular slot in the company newsletter.
It is also essential to tailor the message to the audience. In some cases, it may help to pitch the message in terms of protecting users’ home PCs and their families. By explaining how security measures can help their family members, it is then a short step to applying the same principles to the work environment.
All the experts agreed on the need to overcome the preconception that security is “boring.” Any presentation to users obviously needs to be interesting, but achieving that requires some planning.
For instance, according to Thom Langford, “CBT (computer-based training) is of no value, except to get the conversation started.” Users, he said, react better to live sessions with plenty of variety and usually with a single simple message.
All agreed that a little humour can help things along, although “don’t let the humour obscure the message”, said Shan Lee. Also vary the pace and the delivery mechanism to maintain interest, and keep to a simple single theme that can be repeated in different ways to drive the message home.
Finally, reward people for coming on the training sessions and acting on the lessons. The rewards should be a small token – such as a chocolate placed on a clear desk at night, or a small prize for spotting a phishing email. Stephen Bonner recalled one programme where successful attendees were given little cardboard badges to stick on their monitors: “Everyone wanted one, it was amazing.”
Measuring effectiveness
The group of experts came up with a range of tips for measuring the effectiveness of an awareness programme.
Shan Lee conducts regular spoof phishing attacks in order to measure how well users react to them. Following a targeted awareness programme, he would expect to see a reduction in people responding to such messages – and of course, users who do the right thing can be rewarded in a small way. “We tell them that if they catch us there’ll be prizes, and if you catch someone else (a real hacker), you’ll be a hero,” he said.
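To make that measurement concrete, here is an added example (not code from the article, from IT Security Guru or from Just Eat) that turns a spoof-phishing campaign's event log into the figures a programme owner would report: per-campaign click, credential-submission and report rates counted per distinct user, the percentage-point change between a baseline run and a post-training run, and the list of users who "caught us" by reporting the mail without clicking it. The event log, the user names and the action vocabulary ("sent", "clicked", "submitted", "reported") are all constructed assumptions; a real programme would export equivalent events from its phishing-simulation tool or mail gateway.

```python
"""Phishing-simulation metrics for an awareness programme.

Added example for this article, not code from IT Security Guru or any
panellist's organisation. The event log is constructed inline so the
script runs offline.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# One event per (campaign, user, action). The action names are an assumption,
# not a standard schema: "sent", "clicked", "submitted" (credentials typed into
# the spoof page) and "reported" (the user forwarded the mail to security).
Event = Tuple[str, str, str]

USERS = ["alice", "bob", "carol", "dave", "erin",
         "frank", "grace", "heidi", "ivan", "judy"]


def _campaign(name: str, clicked: List[str], submitted: List[str],
              reported: List[str]) -> List[Event]:
    """Build the constructed events for one campaign sent to every user."""
    events: List[Event] = [(name, u, "sent") for u in USERS]
    events += [(name, u, "clicked") for u in clicked]
    events += [(name, u, "submitted") for u in submitted]
    events += [(name, u, "reported") for u in reported]
    return events


# Constructed sample data: a baseline run, then a run after targeted training.
# Edge cases on purpose: bob clicks and then reports (counts in both columns),
# and erin reports the same mail twice (must count once).
EVENTS: List[Event] = (
    _campaign("baseline",
              clicked=["alice", "bob", "carol", "dave"],
              submitted=["alice", "bob"],
              reported=["erin", "frank"])
    + _campaign("after-training",
                clicked=["alice", "bob"],
                submitted=["alice"],
                reported=["bob", "carol", "dave", "erin", "erin", "frank", "grace"])
)


@dataclass(frozen=True)
class CampaignStats:
    sent: int
    clicked: int
    submitted: int
    reported: int

    def _rate(self, n: int) -> float:
        # Guard against a campaign with no recipients.
        return n / self.sent if self.sent else 0.0

    @property
    def click_rate(self) -> float:
        return self._rate(self.clicked)

    @property
    def submit_rate(self) -> float:
        return self._rate(self.submitted)

    @property
    def report_rate(self) -> float:
        return self._rate(self.reported)


def campaign_stats(events: Iterable[Event]) -> Dict[str, CampaignStats]:
    """Count distinct users per action per campaign (repeat actions count once)."""
    users: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for campaign, user, action in events:
        users[campaign][action].add(user)
    return {
        c: CampaignStats(len(a["sent"]), len(a["clicked"]),
                         len(a["submitted"]), len(a["reported"]))
        for c, a in users.items()
    }


def change_in_points(stats: Dict[str, CampaignStats], before: str,
                     after: str) -> Dict[str, float]:
    """Percentage-point change in each rate between two campaigns."""
    b, a = stats[before], stats[after]
    return {
        "click_rate": round((a.click_rate - b.click_rate) * 100, 1),
        "submit_rate": round((a.submit_rate - b.submit_rate) * 100, 1),
        "report_rate": round((a.report_rate - b.report_rate) * 100, 1),
    }


def caught_us(events: Iterable[Event], campaign: str) -> Set[str]:
    """Users who reported the spoof without clicking it: the prize list."""
    by_action: Dict[str, Set[str]] = defaultdict(set)
    for c, user, action in events:
        if c == campaign:
            by_action[action].add(user)
    return by_action["reported"] - by_action["clicked"]


if __name__ == "__main__":
    stats = campaign_stats(EVENTS)
    for name, s in stats.items():
        print(f"{name:15} sent={s.sent} click={s.click_rate:.0%} "
              f"submit={s.submit_rate:.0%} report={s.report_rate:.0%}")
    print("change:", change_in_points(stats, "baseline", "after-training"))
    print("prizes:", sorted(caught_us(EVENTS, "after-training")))
```

Counting distinct users rather than raw events matters: a user who opens the link twice is one failure, not two, and a user who reports twice is one catch. The report rate is worth tracking alongside the click rate, because a programme that only drives clicks down has taught people to ignore mail, not to raise the alarm.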
He also told of sending a stranger into the offices without a security badge, who then continued to wander around unchallenged for quite a while. However, following a programme to raise awareness, the experiment was tried again, and the stranger was challenged almost immediately.
Tips for successful awareness sessions
* Focus on a single message.
* Vary pace and delivery mechanism.
* Use humour, but not too much.
* Make it active, and use a bit of theatre to keep interest.
* Make it relevant to the audience.
* Give the security programme a clear identity and brand all presentations/communications.
The panel of experts were speaking at the IT Security Guru CISO Debate, which took place in June.