Security awareness programs have been around for many years, yet they are failing to deliver on their desired objectives. Research suggests that sloppy security behavior by the workforce is the cause of over 60% of security incidents and breaches. Processes, guidelines, procedures, and systems are all willfully ignored. Why? Because security awareness training has failed to change the behavior of individuals.
Some of us may recall receiving an instruction from HR to complete security awareness training, then working through a tedious set of online questions, squeezed into a coffee break on the day of the deadline. This sort of program not only fails to deliver on its objectives but can also damage the image of security, portraying it as a box to be ticked before getting back to the day job. Security is not a 15-minute piece of online training; it is an approach, an ethos, to be woven into the day job. Security is everyone’s responsibility.
Awareness needs to evolve into education focused on developing skills, so that users know why they must adopt secure behavior and what the potential consequences of their actions might be. Let’s take an easy example: leaving your computer screen unlocked in the office. What damage can this possibly do? Well, let’s start with the insider threat. A malicious insider may well be part of your organization, see an unlocked laptop, and use it to access confidential or sensitive information under your credentials. Who has really accessed the information? Or consider a visitor being walked past your desk by an account manager. The visitor is a potential client and, should that prospect turn into a customer, your organization will be holding confidential data about his or her company. A visible lack of attention to security has the potential to change a deal decision.
These are high-risk touch points, where individuals interact with systems and data, and where human error could have major consequences.
Security education programs are required. Educating the entire organization about secure behavior and why secure behavior is essential will slowly help to reduce the amount of sloppy security behavior evident in the workplace today. This isn’t a one-off project. It should be an ongoing program that reinforces secure behaviors. Those being vigilant should be rewarded (for example, call out those who successfully recognize and report a phishing email), while individuals who consistently fail to apply secure behaviors should be targeted with tailored education programs. And, most importantly, the tone from the top should be security-focused. Everyone from the CEO down must exhibit and promote secure behavior for it to become embedded in the culture of the organization.
In turn, security posture will improve and the number of security incidents and breaches will fall. Which organization wouldn’t want that?
Straight Talk is a weekly briefing from the desk of the Chief Research Officer. To receive this newsletter by email, please contact us.