Build a cybersecurity awareness programme that really works
02 September 2021
An effective cybersecurity awareness programme is crucial to the success of CISOs and IT teams.
Convincing staff at all levels of the importance of security and the essential proactive steps to take is key to success. But if you’re involved in ensuring the smooth deployment of a cybersecurity awareness programme you will be acutely aware of barriers.
They come in many forms. Among the common ones are:
1. Assumed knowledge
This is often an issue. Security professionals understand cybersecurity and know the essential steps and measures to take. However, staff outside this group in the business don’t necessarily have this knowledge, even though they often genuinely believe that they do. This gap between perceived and actual knowledge must be tackled. It is important to build a cybersecurity awareness programme that suits your people and considers real levels of awareness and understanding.
2. Full C-suite buy-in and support
Some CISOs face apathy towards cybersecurity while others face a simple lack of awareness. Some senior management still see cyberattacks as things that ‘happen to someone else’. For most, the question of cost will arise. Cybersecurity programmes do, of course, come at a cost, so CISOs have to clearly demonstrate financial and operational value.
3. Business Prevention Officer syndrome
Critics of cybersecurity believe that extra layers of authentication and authorisation can ‘slow business down’ and create extra layers of operational complexity — portraying you as ‘the Business Prevention Officer’. Your effective cybersecurity programme will tackle and dispel this myth.
So, taking all this into account, what can you do?
Sell your vision to the board
Senior management and decision makers can be the most difficult to convince of the need for cybersecurity, especially when considering the financial investment that comes with it. CISOs need to be able to answer difficult questions from the board. You need to be ready to provide proof of success and explain the value.
A study by Ponemon found a breached publicly-listed company could expect a 5% drop in average stock price on the day of a breach announcement and a 7% loss of customers. Research like this, presented well (preferably in £££s!), is a powerful tool for convincing senior management of the value of cybersecurity.
Building an effective cybersecurity framework
The framework for your programme should be clear and engaging. It should build on existing practices that employees recognise so they have a confident base to work from.
All components and objectives of your programme should be clear, understandable, and jargon-free.
Objectives within your programme could include:
1. Business-first approach — Cybersecurity processes designed to support business outcomes, not just to protect infrastructure
2. Keep the human factor in mind — Always consider the human element when designing and testing security controls
3. Regular stress testing — Define vulnerability assessments and stress tests to check the strength of your cyber defences
Adapt and update your programme
Developing your cybersecurity programme is just the beginning. After writing the guide and carrying out initial training, the work has to continue. Cybersecurity threats are ever-changing. As fast as new attack methods appear, your programme must evolve ahead of them.
Consider your programme as ‘live’, 24/7/365. Your documentation, training and approach have to be regularly updated and adapted.
Track data to highlight success
You need to show senior management how your cybersecurity programme impacts the business positively. You can prove this with different types of data including:
Detected Intrusion Attempts
This isn’t scaremongering. Showing intrusion attempts starkly demonstrates the threats are real.
Incident Rates and Response Times
Collect incident reports, and record severity levels and response times. This proves your strategy is working and hence demonstrates the value of your programme to the organisation.
Employee Risks and Threats
Managers often believe that most security threats are external. But, as we know, a lack of security within your internal systems can lead to insider threats and data breaches. Use data such as internal data loss figures and onboarding and offboarding numbers to demonstrate this point. It can also be a starting point for arguing the value of a zero-trust framework for your business.
A company-wide targeted approach
The role and reach of any cybersecurity programme is clearly company-wide. It takes just one employee error to create vulnerabilities, so working with all departments is essential.
A deep dive into the cybersecurity attitudes and behaviours among your people will reveal significant variations across different demographics. Your cybersecurity programme must take this into account and deliver targeted activity to specific areas.
Communication is vital
Without effective communication, your cybersecurity programme will not achieve the desired outcome.
There are multiple channels available to deliver your message including:
Simulated social engineering drills to test in-office security
These are just some examples to consider. There are many more, such as wall posters, ‘how to’ video guides, text messages and internal social media. Choose the right mix for your business.
Simple is best
Decoding the language of cybersecurity is essential to your success. Remember that non-IT or security professionals don’t always understand industry jargon and acronyms. To this end, use glossaries to explain and try to find simple ways of communicating your ideas. Try to make learning action-oriented with plenty of ‘hands-on’ simulation exercises so that non-experts can engage easily with your programme.
To find out more about how we can help you communicate clearly and effectively with people at all levels of your business, contact Jenny Mandley or your TSC Client Project Manager.