4 requirements for security awareness
More than 70% of all information security incidents are still caused by our own employees. In the vast majority of cases, employees cause these incidents, such as data leaks, unconsciously. They send personal data to the wrong recipient, share a password with a cyber criminal or click on a phishing link. Sometimes with disastrous consequences.
It is therefore important to make employees aware of the risks of cybercrime, but certainly also of their role in preventing incidents. Especially now since we are working from home more often. Because, let’s face it, most employees think security is primarily an issue for the IT department – which does not always have an idea of what is happening in employees’ homes.
Some organisations think a one-off campaign is enough to create a safety-conscious work environment. For example by offering an e-learning process of a few weeks and/or organising a phishing simulation. It is unlikely that this will actually teach employees to recognise security risks, let alone get them to work (more) safely as a result. Making employees permanently aware and safe requires more than a one-off security awareness training course. It requires continuous attention to four important points.
1: Demonstrate the importance
Creating true security awareness starts with emphasising the importance of prevention. Given that many employees feel no sense of responsibility for their organisation’s data security, it’s important to mention private situations. People often recognise the importance of good security once it concerns their own data. After all, how would you feel if your wedding and/or baby photos were suddenly publicly available online or were suddenly deleted? Ask the right questions and describe recognisable situations. This way you challenge employees to think differently about information security.
One good start may be to simulate an incident, in order to demonstrate the vulnerability of people and the organisation. A simulated phishing attack, a visit by a mystery guest and/or a telephone phishing investigation often exposes major vulnerabilities and can make a huge impression. It is important, however, that these simulations are carried out properly and that the results are communicated correctly, for example by the investigator himself.
2: Share knowledge and insight
Knowledge is an indispensable aspect of security awareness. This concerns, for example, being able to recognise the characteristics of a phishing email and creating a strong and unique password that is also easy to remember.
But how do you get this knowledge across? Opt for a method that fits within the organisation and about which the employees are enthusiastic. This may be a meeting or an online training, as long as participation therein is appealing. Short, interactive modules with videos, quizzes and games, for example, generate a lot more enthusiasm than a boring online training with only multiple choice questions, or a long-winded meeting.
3: Make people alert
Applying what has been learned in practice is only possible if employees remain alert. In a controlled environment, such as an learning environment, people are often perfectly capable of distinguishing between malicious e-mails and legitimate e-mails. This does not mean that the same employee will immediately spot a random phishing email during his or her daily work.
To keep employees permanently alert, you need to continuously stimulate them, for example by conducting continuous or regular tests, whether announced or not. Keep these tests realistic – don’t let employees perceive them as silly or feel like they’re being tricked.
4: Keep repeating it
Repetition of the message is essential in order to create awareness. One-off attention to the risk of cybercrime only leads to short-term alertness of employees. So make a long-term plan and distribute activity, both training and tests, over a longer period. And provide variation. Approach the subject from different angles and regularly use different ways to draw attention to it. As an organisation, you determine the regularity and type yourself; try as much as possible to make it fit what employees want and what they enjoy.
And finally, don’t forget new employees! Involve them immediately during the onboarding and explain their responsibility in creating a conscious and safe work environment.
In samenwerking met partner AwareTrain bieden wij Security Awareness als dienst aan.
Lees hier meer over onze Security Services.