You already have a secret weapon against cyber crime – want to know what it is?

Many casualties resulted from the many wars that were fought during the last century. A high percentage of those soldiers were engaged in combat because there was no ability to opt out. Most of us would not want to go to war, but unfortunately war has a way of finding us.

Right now there are wars going on, but these are wars of a different kind – wars between cyber criminals and organisations, and like the wars of the last century, there is no opting out of cyber war.

So, how do you make sure your organisation is not a casualty of cyber war?

A war can only be one-sided when the defence is outnumbered, ill-prepared and has inferior weapons. Does that sound familiar? Are you struggling with each of those dilemmas in your organisation? The good news is that there is a single solution to address all of these and it involves turning your greatest weakness into a secret yet powerful weapon against cyber crime – your users. Why let just the IT team go to battle, when you could have the entire organisation engaged in combat?

Too many organisations attempt to roll out a security awareness program, struggle with it and eventually lay it to rest. I am not surprised. Security awareness is limited. What is needed encompasses security awareness and takes it a lot further – development of a security culture program.

For a security culture program to work, every person within your organisation needs to participate in some shape or form, but therein lies the biggest challenge. How do you get the entire organisation voluntarily doing their part? How can you get people each with different backgrounds, skill sets and motivations all understanding security?

The answer lies in a great quote from Orson Welles: "I can think of nothing that an audience won't understand. The only problem is to interest them; once they are interested, they understand anything in the world."

Here are some tips to get your organisation interested in being part of a security culture program:

(1) Have you ever tried to take an interest in a conversation between two people who were speaking a language you cannot understand? It’s next to impossible, so the tip is to stop speaking information technology and security jargon to those who can’t understand it.

(2) Be enthusiastic about developing a security culture program. If you give off vibes of trying to achieve the impossible, or worse still, that it is simply a tick-the-box exercise to achieve compliance or KPIs, it will show. Enthusiasm is infectious, so display bucket loads of it.

(3) Have you noticed that in every organisation there is always someone who is willing to wear one of those goofy fire warden hats and help people to evacuate the building during a fire drill, or real emergency? I’m sure they are not trying to make some sort of crazy fashion statement. These are people that want to take on more responsibility and have concern for the well-being of others, and the organisation.

Identify people who actively want to participate in development of a security culture program. These might be your power users or they may be techno-phobic users that have an interest in crime fighting mystery novels. In any case, these people are already motivated to join in.

(4) For the rest of the organisation that would rather chain themselves to a tree than participate, appeal to interests that they care about. Every person will have one or both of these interests: Protecting their families from cyber criminals or protecting their finances from cyber criminals. Run lunch and learn sessions or webinars that educate users on these areas first and then you will be able to draw upon similarities to protecting your organisation’s information.

Once the interest has been developed, then we can approach the understanding component:

(1) Provide various different mechanisms for users to learn. Some learn better by reading; some need videos; some need to be alone to absorb material; some are better in a group; some learn by example; some will learn quickly; others will need multiple lessons to learn even the most basic of concepts. Use stories rather than statistics.

(2) People forget things; that’s just part of human nature, but they can be reminded. Provide ongoing security tips and progress updates about your security culture program through various means – on the intranet site, in emails, at company-wide meetings and on posters throughout the buildings. Make case studies out of the good work that your organisation is doing. This helps keep people involved and motivated.

(3) Almost everybody hates a snitch, even if the intent was well meant. There is a good reason the FBI has a witness protection program. You don’t need anything as extravagant, but you do need to provide a means for users who suspect or witness evidence of insider cyber crime to report it anonymously or secretly, so as not to raise any alarms or create uneasy working conditions for “snitches”.

(4) Provide rewards for individuals that do good work in promoting or exercising your security culture program. It doesn’t need to be the Nobel Prize. Often a gift voucher of some small nominal value is all it takes to make a statement that you recognise their efforts.

Do not put up with an outnumbered, ill-prepared and poorly weaponised defence and come out of the battle battered, bloodied or dead. Your secret weapon will be your users, but only if you are prepared to develop a security culture program for your organisation.

Stories by Andrew Bycroft
