Solving cybersecurity’s people problem

By Lee Congdon on Thursday, February 1, 2018


The classic cartoon below illustrates the risk of thinking of cybersecurity as solely a technology challenge. After all, hackers don’t have to spend a million dollars to crack into your system if they can simply crack one of the many people with a password.

[Cartoon] Credit: XKCD.com

Whether it’s an employee being tricked into giving up sensitive information, an insider hack, or inadequate policies on access and identity management, cracks in your human firewall are as dangerous as those in your digital firewall. To ensure your employees are an asset rather than a threat to cybersecurity, make the following 8 strategies part of your infosec plan:

  1. Make annual security training mandatory for all employees

    All employees, not just IT staff, should be aware of the threats and equipped to respond appropriately. They should also understand institutional policies regarding the proper use of data and technology, as well as the consequences of non-compliance.

    Make annual information security training, whether online or in person, mandatory for all employees. Don’t use the same content year after year. Threats and best practices evolve quickly, and so should your training materials. Train new employees as they join the organization.

    Many institutions have a formal acknowledgment process that requires employees to demonstrate that they’ve completed the training and understand the material.

  2. Provide ongoing education

    Once-a-year training is not enough. Changing awareness and behavior doesn’t happen overnight. And even after change occurs, it can only be maintained through continual reinforcement. Provide regular communications about information security using multiple channels, including:

    • Emails: Send awareness-building emails on specific threats, best practices, new research and data, etc.
    • Videos: Conduct short video interviews with your information security leaders and tape any live events or panel discussions for re-use.
    • Posters/signage: Get creative and share infosec tips and graphics on posters, signage, or in display cases around the office.
    • Newsletters: Include articles, links to resources, etc. in employee newsletters or other internal communications.
    • Webcasts: Provide live online training on specific topics.
    • Events: Hold infosec awareness events or town halls with speakers, games, merchandise, etc.

    If you have the resources, consider a training partner. There are many vendors that provide content for all of these channels, which can be used as-is or adapted to meet your needs.

  3. Partner with your communications team

    Your communications team can greatly enhance the effectiveness of training materials and awareness-building campaigns. When it comes to developing the right messages for the right audiences, developing compelling copy and graphics, and pushing content out through multiple channels, they have the experience and resources required to make an impact.

  4. Don’t just inform, demonstrate

    General education about the threats is important, but it’s not enough. If you want people to identify with and retain information, put it in the context of their everyday lives. For example, don’t send an email with a definition of “phishing.” Send an actual mock phishing email to test whether employees fall prey (by clicking links/opening attachments). For those who do, provide training so they won’t get tricked again.

    Make sure all communications illustrate concepts with real-life examples. Incorporate practical exercises and test questions into your mandatory annual training to ensure employees have actually absorbed the information.

  5. Develop a ‘security champions’ program

    Enlist passionate people across all areas of the institution (not just IT) to champion security, model best practices, support infosec events and campaigns, and continually raise awareness. Provide your champions with monthly or quarterly training, and keep them engaged by demonstrating how their efforts are making an impact.

  6. Take advantage of National Cyber Security Awareness Month

    October is National Cyber Security Awareness Month. Take advantage of the momentum it generates to enhance your own cybersecurity campaign.

    Consider using more creative tactics during this month, such as contests, scavenger hunts, prizes, and desk toys with cybersecurity messaging. Share links to national campaign coverage, events, celebrity ads, and other activities on your social media feed or in your newsletter.

    The National Cyber Security Alliance has an array of resources you can use.

  7. Bring in guest speakers

    While interviews with your own institutional leaders are great, sometimes bringing in an outside expert on cybersecurity can increase engagement. Look for speakers with unique stories or from well-known organizations that will pique employees’ interest. Host speakers live in a town hall environment and/or make a video available for ongoing education.

  8. Partner with HR

    Creating a culture of commitment to security requires strong support from every department, but particularly HR.

    The responsibility for protecting information should be incorporated into position descriptions, employee onboarding, and regular training. It should be part of institutional values, policies, and best practices.

    As the liaison between leadership and employees, HR can also help foster a culture where it’s okay to question. If employees sense that hitting deadlines—with, for example, wire transfers or reports—is more important than exercising caution, they may choose to ignore security warning signs.
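Strategy 4 (mock phishing exercises) only pays off if the results are turned into follow-up: who needs training, whether repeat clickers are getting the longer module, and whether the overall click rate is actually falling across campaigns. The script below is an added illustration of that scoring step, not code from the original post or from Ellucian. It assumes a hypothetical CSV export from whatever simulation tool sends the mock emails; the column names, departments, campaign ids and people are all constructed for the example. It contains no phishing content itself, only the defender-side bookkeeping.

```python
"""Score a mock-phishing exercise and decide who gets follow-up training.

Added illustration for strategy 4; not code from the original post.
The export format, departments and people are constructed for the example
(a hypothetical CSV from a simulation tool: one row per recipient per campaign).
"""
import csv
import io
from collections import defaultdict

# Constructed sample export. "action" is what the recipient did with the mock email.
SAMPLE_RESULTS = """\
campaign,user,department,action
2018-01,alice@example.edu,Finance,reported
2018-01,bob@example.edu,Finance,clicked_link
2018-01,carol@example.edu,Registrar,ignored
2018-01,dave@example.edu,Registrar,opened_attachment
2018-01,erin@example.edu,IT,reported
2018-01,frank@example.edu,IT,clicked_link
2018-02,alice@example.edu,Finance,ignored
2018-02,bob@example.edu,Finance,clicked_link
2018-02,carol@example.edu,Registrar,reported
2018-02,dave@example.edu,Registrar,ignored
2018-02,erin@example.edu,IT,clicked_link
2018-02,frank@example.edu,IT,reported
"""

# Actions that count as "fell for it": these recipients get follow-up training.
FAILING_ACTIONS = {"clicked_link", "opened_attachment"}
# Reporting the email is the behaviour the training wants to reinforce.
GOOD_ACTION = "reported"


def parse_results(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def department_summary(rows, campaign):
    """Per-department failure and reporting rates for one campaign.

    Returns {dept: {"sent", "failed", "reported", "failure_rate", "report_rate"}}.
    """
    stats = defaultdict(lambda: {"sent": 0, "failed": 0, "reported": 0})
    for row in rows:
        if row["campaign"] != campaign:
            continue
        d = stats[row["department"]]
        d["sent"] += 1
        if row["action"] in FAILING_ACTIONS:
            d["failed"] += 1
        elif row["action"] == GOOD_ACTION:
            d["reported"] += 1
    for d in stats.values():
        d["failure_rate"] = round(d["failed"] / d["sent"], 2)
        d["report_rate"] = round(d["reported"] / d["sent"], 2)
    return dict(stats)


def training_queue(rows, campaign):
    """(user, is_repeat) for everyone who failed in `campaign`.

    is_repeat is True when the user also failed in an earlier campaign,
    so they can be routed to the longer training module.
    """
    failed_by_campaign = defaultdict(set)
    for row in rows:
        if row["action"] in FAILING_ACTIONS:
            failed_by_campaign[row["campaign"]].add(row["user"])
    earlier = set()
    for c, users in failed_by_campaign.items():
        if c < campaign:  # campaign ids are YYYY-MM, so they sort chronologically
            earlier |= users
    return sorted((u, u in earlier) for u in failed_by_campaign.get(campaign, set()))


def campaign_trend(rows):
    """Overall failure rate per campaign: the number that shows whether training works."""
    totals = defaultdict(lambda: [0, 0])  # campaign -> [sent, failed]
    for row in rows:
        t = totals[row["campaign"]]
        t[0] += 1
        if row["action"] in FAILING_ACTIONS:
            t[1] += 1
    return {c: round(f / s, 2) for c, (s, f) in sorted(totals.items())}


if __name__ == "__main__":
    rows = parse_results(SAMPLE_RESULTS)
    for dept, d in sorted(department_summary(rows, "2018-02").items()):
        print(f"{dept:10} sent={d['sent']} failed={d['failed']} "
              f"failure_rate={d['failure_rate']} report_rate={d['report_rate']}")
    for user, repeat in training_queue(rows, "2018-02"):
        print(f"train {user} ({'repeat' if repeat else 'first time'})")
    print(campaign_trend(rows))
```

Two design points: the report rate is tracked alongside the failure rate, because the goal of the exercise is not only fewer clicks but more people forwarding suspicious mail to the security team; and repeat failures are flagged separately, since the post's point is that the people who were tricked get training so they are not tricked again, which means the second campaign has to know what happened in the first.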

Conclusion

The first blog in this series outlined the top security threats facing higher education—nearly all of which have a human dimension. The third blog, which reviewed the elements of a good infosec plan, also reinforced the importance of investing in ongoing education and training.

Bottom line: Institutions that focus as much on people as technology will win the infosec game.

In the sixth and final blog, I’ll offer some advice on keeping up with the dizzying pace of change in the security arena.

Read the complete infosec blog series.

About the Author

Lee Congdon

Senior Vice President and Chief Information Officer at Ellucian

Lee Congdon is responsible for Ellucian’s information technology, including enabling the business through technology services, information technology strategy, delivering next generation solutions, process improvement and advanced data and analytics.