Cyber Awareness: How Coordinating Publishing, Training, Exercises, and more Improves Your Cybersecurity Posture

By Darrel Raynor, Director, Cybersecurity Business Integration, Lower Colorado River Authority

Coordinating Cyber Awareness activities is a fast and very cost-effective way to plug cybersecurity gaps and increase your overall cybersecurity defenses. You do not need expensive and labor-intensive cyber tools to make a big difference in your people’s cyber resilience. Not only will your target population take some direct actions, they will also be more likely to accept and even collaborate on new and ever more restrictive cyber technology and behavioral standards. Meeting your readers ‘where they are’, using the channel that best matches their preferred type of learning, is more effective than single or even dual channel messaging.

With a holistic approach to awareness that effectively combines your industry-specific threat intelligence and stories of breaches, targeted training, incentives, and practical exercises, organizations can prompt immediate behavioral changes and foster a culture of proactive collaboration in adopting stricter cyber standards. The right mix of ‘scareware’ industry stories of breaches and threats, training, rewards, reminders, exercises, and other awareness actions can quickly, drastically, and affordably improve your overall cybersecurity posture.

This happens by convincing your target audience of the importance of improving their cyber posture using the cyber best practices you provide. Help them discover specific steps to take and put them at ease so they take more of your suggested best practice steps. Repetition, without being boring and using multimedia, is key to moving your target off a laissez-faire attitude. Their current attitudes may include one or more of the following:

  • It has never happened, and it won’t happen to us now
  • It won’t be bad if it happens
  • All this is the Cybersecurity Department’s responsibility, not mine
  • I can’t really do anything anyway
  • I am too busy for these never-ending cyber tasks
  • All these cyber rules are infringing on my productivity and personal freedoms

This article summarizes only three of the many Cybersecurity Awareness techniques: Cybersecurity Publishing, Training, and Exercises. All organizations should use these to improve their Cyber Business Integration and other Awareness efforts.

Why Cyber Awareness? Everyone knows that humans, despite all our advancements in technology and constant reminders, remain the leading cause of cyber breaches. Almost 95% of cyber incidents can be traced back to human error in judgment, errant actions, or omissions according to IBM Security research.

  • Phishing can give up credentials or install malware
  • Weak, reused, and patterned passwords can allow credential cracking
  • Unpatched software and hardware can allow unwanted entry
  • Insider threats can be accidental or purposeful for revenge, monetary gain, or political advantage
  • Social engineering of all types can lure employees into doing any number of questionable acts

Publishing Cyber Awareness pieces.

In your organization, you probably have many ways to communicate important information in writing and convince people to act. Coordinating and rotating your cyber messages in writing and video is key to keeping people interested and ready to take action. Here are just a few of the media I have used successfully to sway people to improve their Cyber Posture:

  • Newsletters– Early in my career I irritated more than a few internal group newsletter publishers by tracing click-throughs and recording the time people actually spent reading. Depending on the subject and audience, reading ‘below the fold’ runs from a small percentage to abysmal. Sometimes in public agencies less than 5% of the people spend more than 15 seconds on a multi-page newsletter. That said, repurpose your high-performing primary channel communications in newsletters as reinforcement. Attempting to use newsletters as a primary communication channel usually does not work to your awareness campaign’s advantage. Think rotating reinforcement messages!
  • Visual Media– Public monitors (digital signage), online announcements on your intranet and other applications, splash logon screens, short videos played during staff meetings with discussions (where they are more difficult to ignore), and posters rotated monthly to spark interest are but a few of your visual options. The more interesting and vibrant the images and text, the more they draw eyeballs. Regularly updating your visuals and tying them to current events or organizational activities will increase retention and effectiveness of your cybersecurity messages.
  • Direct Emails– Emails fall into several categories: notice of imminent danger, informational reminders of cyber vulnerabilities, and calls to action.
    • Urgent– Danger or Action Needed emails help keep focus on cyber and reinforce that yes, it can happen to us! Sharing information can make cyber situations more real and hit home with readers. Remember that anything you put in writing is subject to e-discovery, which includes subpoenas and FOIA (Freedom of Information Act) requests, and could get out to the public.
    • Informational emails are calmer and serve as reminders of various types of cyber threats.
    • Calls to action let employees know how to help and what is expected of them as part of their job. Provide clear direction on exactly what they can do to aid cybersecurity efforts.

Emails can be used in several ways: as a subscription service for those with curiosity about cybersecurity who want more, and sporadically when circumstances or your Awareness Plan call for them. Generally, emailing more than 5-6 times a year leads people to ignore them.

I have found that the emails with the highest open rate are those that give credit to employee(s) for reporting cybersecurity problems or for fulfilling expectations of actively maintaining good cyber posture in their groups. Success stories can be powerful motivators, as anyone dealing with technology vendors will know.

Cyber Training.

By now, we have all taken Cyber training of many types. Most of these, including those from prestigious organizations, are passive and much the same. Effective cybersecurity training must not rely only on traditional, passive formats. Engaging, interactive, and emotionally engaging training methods yield more behavior change than conventional approaches.

Many firms keep Cyber Response and other types of firms on retainer. One source of training may be those unused retainer hours. Ask your vendors; they may even have free training resources. I know CISA and the FBI do!

Make your training varied and interactive, with humor and other emotion-engaging content, and you will find higher behavior change than with rote videos. Your training should introduce and reinforce cybersecurity areas with direct calls to action that can be measured and reported to executive management and cyber training planners, to constantly improve what works in your organization.

We have recently begun experimenting with allowing participants to ‘test out’ of some cyber trainings if they pass a 5-10 question quiz. I will pass on that learning as it happens!

Here are categories of training and ways to add punch to your cyber messages:

  • In-Person Instructor-Led– Cyber training, like all types of training, is proven to be more effective when it is in person. In-Person training has the highest impact. Coupled with that high impact is the highest cost, due to travel and coordinating logistics (booking rooms, snacks, meals, instructor time, and more). Interaction is higher, leading to far more retention and sometimes even a desire to please the instructor. A good instructor will pull the attendees into conversation, questioning, and exercises, all of which lead to higher retention and buy-in for actions and acceptance of standards. The training with the highest behavior change is highly interactive rather than just lecture.
  • Video Instructor-Led– Technology has advanced in training, as in all things, including video ‘breakout rooms’, interactive quizzes and games, the ability to play recorded videos, guest speakers, large scalability, and more. Straight lecture via video does not induce much behavior change unless coupled with other tactics like gamification, rewards, and other recognition. Video training reduces travel and logistic effort and can be recorded for those who are unable to attend.
  • Recorded Video– Scheduling, travel, available rooms, etc. frequently make instructor-led training inconvenient, such as for small trainings delivered monthly and for remedial training when risky behavior is detected or predicted, such as with new employees. To compensate for the relatively low-touch nature of recorded video training, we should add exercises, quizzes, and more sophisticated types of interactions. Spacing modules into ‘micro-learning’ allows those who want to devote a few minutes here and there, and also those who want it all at once, to learn at their own pace. Having the ability to ask questions in real time or via email to a qualified instructor can reduce some of the disadvantages. Live follow-up with an instructor is one of the most effective follow-on activities you can do.

Cyber Exercises.

Cyber Exercises, when well planned and executed, clearly expose the communications issues that arise when people and processes are put under high pressure. In a ‘safe environment’ of no blame, observers take notes constantly, supplemented by post-exercise interviews and analysis. Almost all exercises highlight process changes that are needed. Exercises may also find technical, cyber, people, physical, and other types of changes needed.

Use realistic, robust, overlapping exercise topics and events. Think of these like fire drills for cyber attacks. They help everyone practice their response to potential threats in a safe environment, highlighting areas for improvement and building confidence.

I’ll just stress here the need to hold cyber exercises and the benefits that accrue from them. Cyber should have a major role in these, from planning the roles, timing, and scenarios to the specific artificial events (called Injects). Cyber injects should help:

  • Practice your threat hunting and incident management processes in real time, usually without executing remediations and other strident actions.
  • Demonstrate the possibly calamitous effect a serious cyber breach can have.
  • Bring all the players from business, technology, and cyber together in the same room.

The scope of cyber exercises can vary, and at times the areas may overlap:

  • Organization-Wide– Typically sponsored by executive management, held once a year, and may be mandatory for compliance. They involve people of various levels from every department, with injects that cover the gamut of functions. These usually last a full day and can extend if ‘hot washes’ to quickly review actions directly follow. After Action Reports (AARs) may take place over an extended period, with interviews from various business units followed by a summary and review period in which findings (actions to remediate) are identified, prioritized, and documented.
  • Business Unit-Wide– These are championed by the senior executive of the business unit and may be held two to several times a year. They are narrower in scope than organization-wide exercises yet should involve an entire business unit, with participants from every function. These usually last half a day and can extend to a full day if ‘hot washes’ to quickly review actions directly follow. After Action Reports (AARs) may take place over a couple of weeks, with interviews from various business functions followed by a summary and review period in which findings (actions to remediate) are identified, prioritized, and documented.
  • Location or Sub-Business Unit– These are championed by the senior person on site, may be held as often as quarterly with a limited and rotating scope, and are generally limited to the areas the location has under at least partial control. They are less comprehensive yet provide timely feedback for relatively immediate improvements. They may last a couple of hours, with limited ‘hot washes’ to quickly review actions. After Action Reports (AARs) may take place the next week to identify, prioritize, and document findings (actions to remediate).

Cyber Awareness Coordinating Summary.

Implementing your comprehensive Cyber Awareness program requires strategic coordination of your chosen communication channels. By coordinating your Cyber Awareness media and campaigns, you introduce ideas on how to improve your organization’s overall cyber posture. Reinforcement can drastically improve not only awareness; it can also raise the percentage of people who are willing to take action and accept stricter Cyber Standards. Coordination of your programs also allows you to rotate current threat topics over a 20+ month cycle, reducing boredom and the notion that people have already heard all the information they need.

Bottom Line

A well-informed staff is one of your easiest-to-implement and strongest ‘firewalls’ against intrusions of all types. Coordinating Cyber Awareness efforts is your quickest and most cost-effective way to improve your staff’s cyber posture.