5 ways to improve your high risk users campaign06 August 2018
High risk users (HRUs) hold the critical ‘keys to the kingdom’ of any organisation and, as such, represent a cybersecurity risk that no CISO should overlook.
Their privileged credentials make them a prime target. If their details were compromised, they could give a cybercriminal unparalleled access to your company’s most sensitive information.
As the cybersecurity landscape continues to evolve, we need more than just technical protections such as firewalls, anti-virus and access controls. Those may build our outward-facing ‘castle walls’ but, inside the keep, we also need a human firewall.
Cybercriminals will always find new ways to breach our defences, so a culture of ongoing awareness is vital.
And don’t forget, human error can also play a big part in cybersecurity incidents. When it’s privileged employees, those mistakes can be even more costly.
Here are a few key suggestions to consider when planning your campaign for high risk users.
1. Engage with HRUs as people
Behind every role, there is a person handling your company’s sensitive data.
CISOs should empower these employees to be a robust front-line defence against cybersecurity risks.
Employees who understand why they need to change their behaviour are more likely to care and be motivated to engage with such change.
They are also more likely to engage when your awareness materials can be applied outside of the work environment.
By reinforcing how behaviours around cybersecurity can help them and their family at home, you are giving them more reasons to care about what you have to say.
This holistic approach can demonstrate that you understand them as people, as well as handlers of your company’s information.
2. Focus groups
CISOs need to understand their company’s office culture and where the knowledge gaps are.
Focus groups are an effective analysis tool that can help you do this. Use them to investigate behaviours and establish what will work best for your HRUs.
Using focus groups will allow you to hear what your HRUs have to say and understand their fears, motivations, values and awareness. With that knowledge, you can tailor training specifically to them.
Discussion platforms such as focus groups can add a human element to your research, especially if you are using a traditional but less personal survey. It will give you a deeper understanding of quantitative data and the explanations behind responses.
The groups can also be a great source of real-life anecdotes that can add context for best practice behaviour and help your HRUs understand the ‘why?’ behind the need for behavioural change.
3. Face-to-face training
It’s important to not simply rely on Powerpoint slides, leaflets or e-Learning courses as your primary awareness training channels.
While these can be effective and certainly reduce costs, there are circumstances where face-to-face training is the more effective learning solution.
This type of training can provide focus because there are no phone calls, emails or colleagues to distract employees. It takes them out of their usual environment and puts them in one designed to achieve a specific goal.
Face-to-face training provides a safe environment for employees to raise, in confidence, the problems they face and gives them the opportunity to ask questions and establish a dialogue with the instructor. They are also able to practice their newly acquired skills with the instructor and understand how to apply them in the real world.
In the training room, they can break down departmental barriers and build relationships with each other to share experiences, advice and support. Encouraging people from different business units to interact in this way can help foster better inter-departmental working relationships.
4. Get support from management and the board
Training employees only goes so far – you also need support from management and the board for your campaign to be successful.
Of course, if top executives lead by example, it shows that the rules apply to them too and gives your users a clear incentive to comply. It says that your key messages and best security practices are important and must be followed.
But, also ensure your middle management teams understand the importance of your HRU campaign; getting them to champion it is vital. Privileged users are often some of the most critical resources in your organisation and their time is at a premium.
5. What’s in a name?
Possibly quite a lot when it comes to convincing employees to make meaningful changes in their behaviour. And while ‘high risk user’ may work well for the information security team, what does that term imply to those being labelled?
‘High risk’ has potentially negative connotations that could make them feel they are the ones at risk, or that their behaviour is ‘risky’ – which is not the case.
CISOs and information security teams need to think about how HRUs work every day and understand what their roles entail.
Consider referring to them as ‘privileged users’ to give them recognition of how their level of access sets them apart from other employees, especially when communicating with them directly.
High risk users present a unique challenge for CISOs, so it’s important to plan your engagement campaign carefully to guarantee its success.
HRUs may feel under pressure from their extra privileges because they don’t want to be the ones to cause a security incident.
You need to do your research and listen to what your HRUs have to say to truly understand the people behind the roles, the culture they work in and the issues they face every day.
Don’t be afraid to try something different and remember, an informed campaign is an effective campaign.