Solving cybersecurity's people problem
- Annual security training and education should be mandatory
- The communications and HR departments can be valuable partners
- Focusing on people is just as valuable as technology
Whether it’s an employee being tricked into giving up sensitive information, a malicious insider abusing their access, or inadequate policies on access and identity management, cracks in your human firewall are as dangerous as those in your digital firewall. To ensure your employees are an asset rather than a threat to cybersecurity, make the following eight strategies part of your infosec plan:
- Make annual security training mandatory for all employees
All employees, not just IT staff, should be aware of the threats and equipped to respond appropriately. They should also understand institutional policies regarding the proper use of data and technology, as well as the consequences of non-compliance.
Make annual information security training, whether online or in person, mandatory for all employees. Don’t use the same content year after year. Threats and best practices evolve quickly, and so should your training materials. Train new employees as they join the organization.
Many institutions have a formal acknowledgment process that requires employees to demonstrate that they’ve completed the training and understand the material.
- Provide ongoing education
Once-a-year training is not enough. Changing awareness and behavior doesn’t happen overnight. And even after change occurs, it can only be maintained through continual reinforcement. Provide regular communications about information security using multiple channels, including:
- Emails: Send awareness-building emails on specific threats, best practices, new research and data, etc.
- Videos: Conduct short video interviews with your information security leaders and record any live events or panel discussions for re-use.
- Posters/signage: Get creative and share infosec tips and graphics on posters, signage, or in display cases around the office.
- Newsletters: Include articles, links to resources, etc. in employee newsletters or other internal communications.
- Webcasts: Provide live online training on specific topics.
- Events: Hold infosec awareness events or town halls with speakers, games, merchandise, etc.
If you have the resources, consider a training partner. There are many vendors that provide content for all of these channels, which can be used as-is or adapted to meet your needs.
- Partner with your communications team
Your communications team can greatly enhance the effectiveness of training materials and awareness-building campaigns. When it comes to developing the right messages for the right audiences, developing compelling copy and graphics, and pushing content out through multiple channels, they have the experience and resources required to make an impact.
- Don’t just inform, demonstrate
General education about the threats is important, but it’s not enough. If you want people to identify with and retain information, put it in the context of their everyday lives. For example, don’t send an email with a definition of “phishing.” Send an actual mock phishing email to test whether employees fall prey (by clicking links or opening attachments). For those who do, provide training so they won’t get tricked again.
Make sure all communications illustrate concepts with real life examples. Incorporate practical exercises and test questions into your mandatory annual training to ensure employees have actually absorbed the information.
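To make the mock-phishing test described above actionable, each recipient's link has to be attributable to exactly one person, and the click records then have to be turned into a follow-up training list. The script below is an added example, not code from the original post or from any vendor it mentions. It assumes (hypothetically) that every link carries a per-recipient token derived with HMAC from a campaign secret, that the landing page's web-server access log is in Apache "combined" format, and that the host name, campaign name, addresses and log lines are placeholders constructed for the demo.

```python
"""Attributing clicks in a mock-phishing exercise.

Added example, not code from the original post. Assumes (hypothetically):
- every recipient's link carries a per-recipient token derived with HMAC
  from a campaign secret, so clicks can be attributed and tokens cannot
  be guessed or reused across campaigns;
- the landing page's web-server access log is in Apache "combined" format;
- the host name, campaign name and addresses below are placeholders.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical per-campaign secret; keep it out of the email and rotate it
# for each campaign.
CAMPAIGN_SECRET = b"example-campaign-secret-not-for-production"
LANDING_URL = "https://awareness.example.edu/verify"  # placeholder host


def make_token(campaign: str, recipient: str, secret: bytes = CAMPAIGN_SECRET) -> str:
    """Per-recipient token: HMAC-SHA256 over campaign and recipient, truncated."""
    msg = f"{campaign}:{recipient}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:24]


def build_link(campaign: str, recipient: str, secret: bytes = CAMPAIGN_SECRET) -> str:
    """The link to embed in that recipient's mock email."""
    query = urlencode({"c": campaign, "t": make_token(campaign, recipient, secret)})
    return f"{LANDING_URL}?{query}"


# Apache combined log format: client, ident, user, [time], "request", status ...
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def clicked_users(log_lines, campaign, recipients, secret=CAMPAIGN_SECRET):
    """Return the set of recipients whose token was requested from the landing page.

    Forged or mistyped tokens are simply absent from the lookup table, and a
    token minted for another campaign is ignored because `c=` must match.
    """
    lookup = {make_token(campaign, r, secret): r for r in recipients}
    landing_path = urlparse(LANDING_URL).path
    clicked = set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        target = urlparse(m.group("target"))
        if target.path != landing_path:
            continue
        params = parse_qs(target.query)
        if params.get("c", [None])[0] != campaign:
            continue
        user = lookup.get(params.get("t", [""])[0])
        if user:
            clicked.add(user)
    return clicked


def remediation_report(log_lines, campaign, recipients, secret=CAMPAIGN_SECRET):
    """Who clicked (and therefore gets follow-up training) plus the click rate."""
    clicked = sorted(clicked_users(log_lines, campaign, recipients, secret))
    rate = round(len(clicked) / len(recipients), 3) if recipients else 0.0
    return {"campaign": campaign, "sent": len(recipients),
            "clicked": clicked, "click_rate": rate}


CAMPAIGN = "oct2019"
RECIPIENTS = ["alice@example.edu", "bob@example.edu", "carol@example.edu"]


def constructed_log():
    """Constructed access-log lines for the demo (not real traffic)."""
    alice = urlparse(build_link(CAMPAIGN, "alice@example.edu"))
    alice_target = f"{alice.path}?{alice.query}"
    alice_token = make_token(CAMPAIGN, "alice@example.edu")
    return [
        # A genuine click on Alice's link.
        f'10.0.4.17 - - [09/Oct/2019:09:12:03 -0400] "GET {alice_target} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        # A guessed token: not in the lookup, so attributed to nobody.
        '10.0.4.23 - - [09/Oct/2019:09:15:41 -0400] "GET /verify?c=oct2019&t=0123456789abcdef01234567 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        # Alice's token replayed against a different campaign: ignored.
        f'10.0.4.30 - - [09/Oct/2019:09:20:00 -0400] "GET /verify?c=sep2019&t={alice_token} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        # Unrelated request on the same host.
        '10.0.4.31 - - [09/Oct/2019:09:21:00 -0400] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    ]


if __name__ == "__main__":
    print(remediation_report(constructed_log(), CAMPAIGN, RECIPIENTS))
```

Two design points worth noting. The token is an HMAC rather than the recipient's address, so the link does not expose who it was sent to and a curious employee cannot construct a colleague's link by guessing. Before acting on the report, also check the clicks against the user-agent and timing in the log: mail-security gateways that pre-fetch links will register a hit seconds after delivery that is not the employee's click, and counting it would send people to remedial training for nothing.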
- Develop a ‘security champions’ program
Enlist passionate people across all areas of the institution (not just IT) to champion security, model best practices, support infosec events and campaigns, and continually raise awareness. Provide your champions with monthly or quarterly training, and keep them engaged by demonstrating how their efforts are making an impact.
- Take advantage of National Cyber Security Awareness Month
October is National Cyber Security Awareness Month. Take advantage of the momentum it generates to enhance your own cybersecurity campaign.
Consider using more creative tactics during this month, such as contests, scavenger hunts, prizes, and desk toys with cybersecurity messaging. Share links to national campaign coverage, events, celebrity ads, and other activities on your social media feed or in your newsletter.
The National Cyber Security Alliance has an array of resources you can use.
- Bring in guest speakers
While interviews with your own institutional leaders are great, sometimes bringing in an outside expert on cybersecurity can increase engagement. Look for speakers with unique stories or from well-known organizations that will pique employees’ interest. Host speakers live in a town hall environment and/or make a video available for ongoing education.
- Partner with HR
Creating a culture of commitment to security requires strong support from every department, but particularly HR.
The responsibility for protecting information should be incorporated into position descriptions, employee onboarding, and regular training. It should be part of institutional values, policies, and best practices.
As the liaison between leadership and employees, HR can also help foster a culture where it’s okay to question. If employees sense that hitting deadlines—with, for example, wire transfers or reports—is more important than exercising caution, they may choose to ignore security warning signs.
The first blog in this series outlined the top security threats facing higher education—nearly all of which have a human dimension. The third blog, which reviewed the elements of a good infosec plan, also reinforced the importance of investing in ongoing education and training.
Bottom line: Institutions that focus as much on people as technology will win the infosec game.
In the sixth and final blog, I’ll offer some advice on keeping up with the dizzying pace of change in the security arena.
Read the complete infosec blog series.