An effective security awareness training program is an essential component to improving on organization’s security posture and culture. Addressing the human element of cyber threats and handling of sensitive information is crucial to security risk mitigation. I like to split awareness programs into two categories – compliance training and behavioral training. Compliance training is necessary to meet regulatory requirements and industry standards. While it is important, it is not tailored to meet the needs of specific job roles and doesn’t resonate as well in the personal lives of employees. Behavioral training is more focused on provoking positive change in employee behaviors and their day-to-day activities, both business and personal. This is where you can make the most impact on security culture and ultimately make one of your security risks (human element) an important asset of your security program. In this article, I’ll focus on some helpful tips to successfully change behaviors to benefit your security program.
The first, and most important advice I can give a security practitioner is to make yourself and your team visible. Use your new-hire compliance training to introduce security staff and their responsibilities. Include pictures with contact info – this will make things more personal. Try our best to avoid email as a means of communication. Leverage platforms like Slack or Microsoft Teams to maintain a daily presence in your organization. Create a channel for security awareness and invite all to participate. This should be your primary means of posting content and increasing your visibility. Invite the security staff to participate often and take questions directly from employees. Keep the channel top of mind through daily use. Don’t go more than a week without posting something of relevance.
In terms of content, don’t rely on newsletters or lengthy communications to get your message across. Your content should be timely, concise, and (if possible) fun – i.e., “billboard” material. Reinforcement is key. Be repetitive in a positive way – vary how your messages are delivered. Mix short training videos from with your own custom content. Create short “how-to” instructional videos that show users how to perform important daily activities like report a phishing email, encrypt sensitive data, or properly dispose of sensitive material. Keep it short and simple – focus on a single topic and keep it under a minute in length. Wherever possible, use topics that apply to business and personal life. Password security, using multi-factor authentication, and recognizing social engineering attacks are impactful both at home and in the office. Take advantage of any recent news headlines about ransomware attacks or data breaches – they offer a great opportunity to reinforce how employees can protect themselves and the company from a similar fate. This is a great way to maintain a heightened awareness.
Use platforms that support real-time detection for risky security behaviors and metrics. Phishing simulations will test an employee’s ability recognize a phishing attack. It can also provide instant feedback on a failed test and highlight any red flags that were missed. Monitor your phishing platform, endpoint protection, and data loss prevention systems regularly to understand your high-risk users. Provide these users with additional training opportunities and track their improvement. Human error is one of the most common causes of security incidents. The security team’s objective should be partnership versus punishment.
My final bit of advice to a security practitioner is to collaborate with department leaders to influence change in day-to-day workflows. Start with teams who handle sensitive data or have privileged access to corporate technology. Understand their procedures and provide guidance on the risks associated with these job functions. Schedule “lunch and learn” meetings to introduce yourself and discuss how the teams can incorporate security into their daily routine. Tailor these meetings so they include the specific security threats applicable to the workflows and how to mitigate risk. Use these meetings as way to get honest employee feedback on your security awareness training program and ideas for future topics.
I hope these suggestions will help you on your journey to changing security behaviors and culture. Security awareness is so oftenthe overlooked and underappreciated domain of a security program. Let’s change that reality and promote positive change! Good luck!