The wars of the last century produced enormous casualties. A high percentage of the soldiers who fought in them were engaged in combat because there was no way to opt out. Most of us would not choose to go to war, but unfortunately war has a way of finding us.
Right now there are wars going on, but these are wars of a different kind – wars between cyber criminals and organisations, and like the wars of the last century, there is no opting out of cyber war.
So, how do you make sure your organisation is not a casualty of cyber war?
A war can only be one-sided when the defence is outnumbered, ill-prepared and equipped with inferior weapons. Does that sound familiar? Are you struggling with each of those dilemmas in your organisation? The good news is that there is a single solution to address all of them, and it involves turning your greatest weakness into a secret yet powerful weapon against cyber crime – your users. Why let just the IT team go to battle when you could have the entire organisation engaged in combat?
Too many organisations attempt to roll out a security awareness program, struggle with it and eventually lay it to rest. I am not surprised. Security awareness on its own is limited in what it can achieve. What is needed encompasses security awareness and takes it a lot further – the development of a security culture program.
For a security culture program to work, every person within your organisation needs to participate in some shape or form, but therein lies the biggest challenge. How do you get the entire organisation voluntarily doing their part? How can you get people, each with different backgrounds, skill sets and motivations, all understanding security?
The answer lies in a great quote from Orson Welles: "I can think of nothing that an audience won't understand. The only problem is to interest them; once they are interested, they understand anything in the world."
Here are some tips to get your organisation interested in being part of a security culture program:
(1) Have you ever tried to take an interest in a conversation between two people who were speaking a language you cannot understand? It’s next to impossible, so the tip is to stop speaking information technology and security jargon to those who can’t understand it.
(2) Be enthusiastic about developing a security culture program. If you give off vibes of trying to achieve the impossible, or worse, that it is just a tick-the-box exercise to achieve compliance or meet KPIs, it will show. Enthusiasm is infectious, so display bucketloads of it.
(3) Have you noticed that in every organisation there is always someone who is willing to wear one of those goofy fire warden hats and help people evacuate the building during a fire drill or a real emergency? I’m sure they are not trying to make some sort of crazy fashion statement. These are people who want to take on more responsibility and have concern for the well-being of others and of the organisation.
Identify people who actively want to participate in the development of a security culture program. These might be your power users, or they may be technophobic users who have an interest in crime-fighting mystery novels. In any case, these people are already motivated to join in.
(4) For the rest of the organisation, who would rather chain themselves to a tree than participate, appeal to the interests they care about. Every person will have one or both of these interests: protecting their family from cyber criminals, or protecting their finances from cyber criminals. Run lunch-and-learn sessions or webinars that educate users on these areas first, and then you will be able to draw on the similarities with protecting your organisation’s information.
Once the interest has been developed, we can approach the understanding component:
(1) Provide a variety of mechanisms for users to learn. Some learn better by reading; some need videos; some need to be alone to absorb material; some are better in a group; some learn by example; some will learn quickly; others will need multiple lessons to learn even the most basic of concepts. Use stories rather than statistics.
(2) People forget things; that’s just part of human nature, but they can be reminded. Provide ongoing security tips and progress updates about your security culture program through various means – on the intranet site, in emails, at company-wide meetings and on posters throughout the buildings. Make case studies out of the good work that your organisation is doing. This helps keep people involved and motivated.
(3) Almost everybody hates a snitch, even when the intent was well meant. There is a good reason the FBI has a witness protection program. You don’t need anything as extravagant, but you do need to provide a means for users who witness suspicious activity or evidence of insider cyber crime to report it anonymously or discreetly, so as not to raise any alarms or create uneasy working conditions for “snitches”.
(4) Provide rewards for individuals who do good work in promoting or exercising your security culture program. It doesn’t need to be the Nobel Prize. Often a gift voucher of some small nominal value is all it takes to make a statement that you recognise their efforts.
Do not put up with an outnumbered, ill-prepared and poorly weaponised defence and come out of the battle battered, bloodied or dead. Your secret weapon will be your users, but only if you are prepared to develop a security culture program for your organisation.