As part of #CyberSecurityAwarenessMonth, we wanted to provide credit unions with a guide to build a security awareness program.
Building an effective and comprehensive security awareness program seems like a daunting task to those who are responsible for it. There is a lot of information at your fingertips, but how do you turn that information into something useful?
Like most security professionals, understanding a program’s critical components and connecting them together to design something comprehensive, continuous and engaging is an overwhelming task.
What Is Your Starting Point?
Let’s first take a look at your organization’s current efforts. You may find yourself in one of the following two positions:
- You have an established program, but it is not effective (you are not alone)
- A security awareness program does not currently exist (again, still not alone)
To start, let’s determine where your program originates. Many organizations use internal corporate training teams to create program content. Security content is starkly different than other corporate or compliance content.
There is a level of security expertise required to understand the critical elements that need to be included in a program, and knowledge required to know how to marry those different elements into digestible bites. Whereas some training has a beginning and an end, security awareness training is continuous; there is no end.
It is also important to consider who is leading your security awareness team/program. What we find is that these programs are commonly led by security practitioners or someone in security who has extra time to deal with this “training stuff”.
You need to look for individuals who understand organizational development, have a background in training and knowledge of how to drive behaviour. Look for candidates who have strong project management and communication skills and can lead up and across your organization.
What Are You Trying to Do?
In order to build a strong security awareness program, you first need to determine your objective.
Security awareness programs are anchored on having employees act in vigilant and secure ways in order to protect the organization. It may seem simple, but if you do not know what outcomes you want to drive, you will not know how to measure and represent your results.
Who Are Your Advocates?
Capturing C-level support is paramount in both driving a more secure culture and ensuring that everyone within the organization understands their role and responsibility in creating the desired state.
Executives are notoriously overlooked in the training ecosystem. They need the training as much as you need their support. In order to capture attention at the top, you will need to leverage stakeholders across the organization, be highly persuasive and enact a level of diplomacy that gets to the point without becoming your own blockade.
What language is likely to seize their attention and get them to act with both resources and funding?
It is not doom and gloom. It’s language that connects the security awareness program to the success of core business initiatives. Many members of the C-level fall into the “technology will solve the world’s problem” trap and throw all of the investment dollars there.
Technology, although helpful and necessary in the fight against cyber-crime, just is not enough. The human element is far more critical. Cyber criminals cleverly evade an organization’s security controls, preying on the uneducated, distracted and naïve, knowing that where there are humans, there is also human error.
C-level attention is continuously fought for within an organization, leaving them to sift through what programs are most closely aligned to the core business and that will drive the most beneficial outcomes.
A successful security awareness program will enable other parts of the overall business to prosper and should be communicated that way. Additionally, the C-level’s ability to advocate for the program will yield lasting benefits in adoption and engagement across the business.
The C-level must drive the organization’s security culture; this is a need-to-have asset in the security toolbox. Make sure the security awareness program plan is reviewed and approved by either the C-level or a subset within the cyber security steering committee.
By assessing employees’ security awareness, behaviours and culture, organizations can adapt their policies and training programs to the constantly changing threat landscape. The alternative becomes less attractive by the hour: do nothing and see your organization crumble to a halt by ransomware, data theft or business interruption.
To Phish or Not to Phish
Phishing is a way to use simulated attacks to test your audience’s ability to detect, report and prevent a cyber-attack.
A majority of successful data breaches started with a spear phishing attack, while phishing remains a top threat action used by cyber criminals. Emails, phone calls, SMS and other outreach methods are specifically designed to entice your employees to take actions which will allow criminals access to company data and funds.
Simulated phishing tests should not be viewed or implemented as a “got ya” exercise. If employees believe that this is a punitive exercise to catch them doing something wrong, then they may be hesitant to open any emails, which could affect their overall work.
Leaders need to explain that this is a companywide initiative to help teach and strengthen their ability to spot and report an attack. Advise that these are transferrable skills that they can share with their friends, family and loved ones so that they can be more cyber safe in their personal lives.
Security awareness leaders should also leverage lots of different kinds of templates in their attacks. If you are only using simple templates, then you are not increasing the employee muscle in detecting difficult attacks. Cyber-attacks are ever-changing and evolving, so you need to continually change and adjust your template strategy.
Communicate, Communicate, Communicate
When you are looking to evangelize across a broad, diverse population of people, you need to operate like an attacker, but think like a marketer.
In addition to your communications that inform and reinforce the right secure behaviours, look for ways to partner with other departments to give your messaging another outlet to get to employees. People receive information differently, so try to leverage as many communication styles and mediums as possible. Leverage digital banners, internal social media channels and team meetings as continuous means of driving messaging.
Be creative and continuous with your approach. You are looking for messaging that is sticky and memorable. Spend time determining what the right message approach looks and sounds like from a short-term and long-term perspective.
Think of how you want people to feel, react and act as a result. Partner with your corporate communications or marketing teams (if available) to brainstorm ways to make your messages memorable and connect to the overall corporate messaging agenda.
Build an Army
Champion programs are a great way to have advocates spread across the organization who can further translate and embed the security message within your organization. By building a group of champions, especially on the senior leadership team, you are ensuring that there will be a constant stream and reinforcement of security messaging moving through the organization.
Champions do not need to be security experts, but they should be influencers in their areas, having the ability to engage their peers in ways that are relevant and meaningful. Essentially, you are providing champions with the messaging content and giving them the liberty to translate and communicate that content in ways that are most effective for their audience.
By localizing this messaging through champions, you now have a tremendous reach within the organization that you may not otherwise have had.
It is also essential to make it very clear across the organization just how important cyber security awareness is as threats across the world are getting worse with time. Reiterating that cyber security is everyone’s responsibility, and not just the security team’s.
Rewards
Rewarding secure behaviour and upholding consequences for unsecure behaviour is relatively new thinking in the area of security awareness.
Companies are evaluating whether using rewards like certificates, shout-outs on team calls, increments of time off, gift cards or swag can help to reinforce secure behaviour in those demonstrating it while enticing others to jump on board.
Human nature dictates that people like to be recognized in front of their peers, and that different types of recognition drive different people. Having a way to call attention to favourable behaviours may initiate this human desire to be appreciated and motivate employees to act in a more secure manner.
How Is It Going?
Quantifying the success of your security awareness program is paramount. You should rely on metrics that reinforce the secure behaviours that are necessary in protecting company data, systems, finances and people.
When determining what metrics to focus on, do not boil the ocean. Select a few meaningful ones that can be quantified frequently in order to show the progress over periods of time. It is important to understand the organization’s top security concerns and then anchor your measurements to those concerns. An example would be metrics on click rate improving (going down) for monthly/quarterly phishing simulation campaigns.
Although training completion rates and ongoing phishing click rates are important measurements to track, also consider evaluating vulnerability instances and assessments or password resets as additional options.
Being able to show the cost/risk of doing nothing is also important. The organization could suffer brand damage, revenue loss or reputational consequences that they cannot recover from. Also, executives are being held professionally accountable for breaches, losing their jobs and the ability to find future employment.
When reporting results, do not helicopter-up a data dump of information for executives to interpret. Tell the story with minimal numbers and charts. The compelling piece of the narrative is that the organization is becoming more secure as a result of the efforts. Show that in simple visuals using powerful, connecting and memorable words. The viewer should be able to understand and recommunicate the critical factors of the findings.
To learn more about how Celero can assist you with all of your security needs and questions, talk to your Celero Account Executive or contact us. You can also follow Celero on LinkedIn, Twitter and Facebook and monitor the hashtag #CSAM2022 this month to discover resources to help keep your credit union secure.
Editors note: This blog was originally published in October 2021 and has been updated for accuracy.
