3 Steps to Keep Your Organization Prepared Against the Human Risk Factor
There are many risks to your organization’s security (trust me, we’ve seen them all!), but one that is often overlooked is the human risk factor. The latest report by SANS highlights this beautifully: it breaks down the different types of human risk, explains why they are so prevalent, and describes what you can do to prevent them.
That can sound like a lot of jargon to the average employee, and tackling it on your own can feel overwhelming. CG Silvers Consulting is here to break it down and lend a hand, with a solution for your company in three simple steps:
Talk in Terms of Risk
Create a Sense of Urgency
Recognize Your Strengths, and Ask for Help with Your Weaknesses
By following these steps, you are sure to see the culture surrounding security awareness mature in your workplace.
Step One: Talk in Terms of Risk
Let's begin by breaking it down into the top three concerns identified in the report:
Phishing – Often email based, but can be SMS and voice based as well.
Business Email Compromise – Also known as CEO fraud, this is a targeted form of phishing that uses highly believable emails to request a payment or a change to payment details. While very common, organizations are not required to go public when it occurs, so it often flies under the radar.
Ransomware – Often receives the most attention because incidents are highly public and require an organization to notify affected customers of a breach. This type of attack almost always starts with phishing or the exploitation of weak passwords, both of which are human risks.
Now that we have identified what risks we are up against, we can begin our conversation on security awareness training.
Security awareness is too often perceived as just a compliance effort, which leads security awareness professionals to try to make their training entertaining in order to engage employees in this mandatory education. Everyone gathers in a room, plays games, and listens to jargon they may not understand, and once the training has been checked off like an item on a list, they forget everything they learned by the next day. In order to effectively engage employees, training must “focus on and use terms that resonate with them and demonstrate support for their strategic priorities.”
At CGSC, we have seen that the most effective security education:
Avoids extreme hypotheticals and breaks concepts down into real-life issues any employee could face in the workplace.
Not only trains your employees, but tells them WHY they need to be trained on these topics in the first place.
Every human in your organization poses a risk to the organization’s security, and the best way to minimize that risk is if everyone knows how to combat it.
Step Two: Create a Sense of Urgency
According to data from the report, “the most mature awareness programs are those that have had the greatest leadership support.” So how does leadership set the example when it comes to identifying the human risk factor? By creating an environment where leadership and employees work together to prevent these risks.
It is easy to brush human risk off as a low risk for your organization, but I see simple human errors putting the security of organizations at risk every day.
Data makes the hypothetical tangible, and by using it for educational purposes an organization can better understand “key human risks and show how people are one of the largest drivers for incidents”.
If you are interested in jumpstarting your own security awareness program to promote urgency among employees but you aren’t sure where to start, check out our blog tutorial on how to do just that.
Step Three: Recognize Your Strengths, and Ask for Help with Your Weaknesses
One question in the new report asked respondents “to identify the top challenge they face in building and managing an awareness program.” The top three answers all related in some way to a lack of time: lack of time for program management, lack of staffing, and limits on training time per employee.
The report states that in order to combat these issues, you can do three things:
Increase leadership support for security awareness
Increase your team size
Make regular training a priority
The report goes on to say these solutions are interrelated. “The larger your security awareness team, the more effectively you can partner with other departments and the more frequently you can train and engage and communicate with your workforce. The stronger your leadership support, the larger your security awareness team, but also the greater the resources and support you’ll have to effectively train, partner, and engage with your workforce.”
While this is good advice, it may not be feasible to grow your in-house team right now, which is why outsourcing can be a great solution.
One of the biggest issues I have seen with small businesses is that their security professionals often try to wear too many hats. A few people with expertise in one specific area trying to do it all can quickly become overwhelmed. CGSC specializes in security, which gives us the confidence to say we can lend a hand.
At the end of the day, human risk is inevitable, but it can certainly be limited when employees are given the appropriate training and preemptive measures are taken. CGSC has every service you need to begin taking these steps, and would be more than happy to answer any questions you may have about getting started. While we highly recommend taking the preventative steps above for your security awareness, the time to implement them is before an incident occurs. If your organization has already fallen prey to a human-based attack vector, the time for prevention is past. Reach out to CGSC to quickly execute an incident response plan.