IBM’s Threat Intelligence Index verifies that humans are still the weakest links within organizations and play the major role in making cyberattacks successful. How do we help turn this around by transforming them from our weakest links into our greatest assets for protecting our organizations against cyberattacks?
A Shift in Perspective
Information Security policies are important, but they are never enough. These policies help organizations define their risks and demonstrate a commitment to good practices, but they don’t transfer the real, everyday awareness our people need to defend the organization from these risks. Helping our people change their behavior requires empowering them with knowledge, tools and strategies that nudge them to shift their perspective in friendly ways.
A key component of this success is making awareness a part of the organization’s mission. To be part of the mission, all of the people in an organization, from leadership all the way through, need to understand and recognize risky scenarios and what the implications are. A united front maximizes awareness efforts, keeps them consistent, and ensures that everyone feels some ownership by being able to contribute valuable input into workflows by sharing qualitative pieces of the operation that can often go unknown to others. Periodic training sessions, coupled with integrating security awareness into onboarding and performance management processes, work great for this.
There are so many different kinds of risks, and attacks are evolving by the day. From a risk-management perspective, focusing on the most severe and common of these makes the most sense. Otherwise, trying to cover everything can overwhelm everyone.
A focused approach keeps messages clear and helps keep things understandable. Remember that people have many priorities throughout their day. Crafting messages into small, friendly portions works best. Distributing related content over a longer period of time makes it easier to manage, too.
It’s important to keep in mind that people all process information in different ways. Successfully transmitting awareness and related knowledge means incorporating a variety of media formats: articles, newsletters, physical posters around the office, games, blogs, online training resources, simulated phishing attempts and more. The more participatory the approach, the more successful the outcome.
It’s important to gauge the impact of these efforts from time to time. Collecting metrics ahead of awareness efforts makes it much easier to demonstrate your success. These can include surveys to get a feel for overall attitudes towards themes, and harder statistics such as results from simulated phishing attempts before and after an awareness training session. It’s also a good idea to take a closer look at the number of security-related incidents, whether successful or not.
This insight gives people an idea of what is going on behind the scenes that they otherwise would have no idea of. This look behind the curtain of technology can be a powerful incentive. Measurable improvements like these, in any context of technology and cybersecurity, will add incredible value to the program and continue to build it as a legitimate and valued part of your culture.
Not to mention, it will one day become a differentiator between you and your competitors. Which organization do you think a client would prefer to choose? One with a culture like this? Or one without it?
Learn more by getting in touch with WIMZKL, whose goal is to be your long-term partner in this kind of success.