It needs to be a credible program that people want to be part of and learn from, one that is relatable from both a business and a personal perspective. It requires managing people, groups and projects, and creating a plan to disseminate relevant information to employees, all of whom need to understand that they are stakeholders in the security of the company and its staff. It involves equipping employees with the knowledge they need to spot threats and take action that aligns with company policy. It should be a crucial component of any security program.
Employees are often considered the weakest link, but they can also be a huge asset to any security team if they are given the right tools and training. The old cookie-cutter approach of pushing one mandatory annual training to employees, with a phishing test scattered here and there, just isn't enough. For employees to play an integral role in securing the company, the training and tools they receive need to be up to date and continuous, and they must feel enabled to make a positive impact. The best way to set that precedent is to give employees an understanding of the security program from day one: cover the security policies and the common threat vectors seen at your organisation, and discuss the role employees will play in securing the business.
Associates should be made to feel like they are truly part of the program through open dialogue and discussion by various means. This can include both push and pull training such as articles, newsletters, competitions, phishing tests, emails and presentations throughout the year. Effective communication is ongoing, and discussion boards that give employees direct contact with the security subject matter experts are one way to sustain it. Make some, if not all, of the security team readily available to address employee questions and concerns through a group mailbox that employees can use at any time. This also gives the security team good insight into the company's current threat landscape, as employees report suspicious activity and deepen their knowledge and understanding of security threats by asking questions.
Test your employees with real-world scenarios. Employees are going to receive real phishing threats in their inboxes, so why not test how they would respond to a malicious message in a controlled environment, through hands-on experience? Doing so makes employees fully aware that what they clicked on was a test and could have had detrimental effects had it been real. From a security awareness program perspective, you also gain measurable results that can be communicated to the security team and to the company.
Don't just base your program around policies and requirements. Survey your audience to find out what their security concerns are, both at work and at home, and what they want to see and hear from the security team. A survey can also be used to gauge the organisation's current security posture and, when it is repeated, to measure year-over-year progress. When employees see their areas of concern being addressed, you will have their attention and they will feel like an integral part of the whole process.
Consider your audience when creating security training content and tailor it accordingly. Some groups will have more knowledge than others, and each training session and communication should reflect that. Don't assume that none of your employees are technical; if you take that approach you will lose the attention of those who are. Also, give employees the ability to act when they notice something suspicious by offering multiple reporting mechanisms and by giving them the background knowledge needed to recognise it in the first place.
Creating a culture of security-aware employees is a big task that can take a lot of time and effort. If you cannot spare a full-time employee for it, a committee of security liaisons can be established to act as security ambassadors across the different sectors of the business. This builds an even larger security network within the company, with active participants endorsing security on your behalf. Security is truly a company-wide, all-hands-on-deck effort, with the security team playing the crucial leading role as specialised subject matter experts in their areas to help implement an impactful and lasting cultural transformation. Only so many people are employed on the security team, but it is in the company's best interest to turn every employee into a skilled security participant, putting more eyes and ears on the threats.
While security tools have always been considered a necessary part of a security program, it is now imperative that security awareness be considered a requirement as well. Cultural change comes from raising security awareness across the workforce, which in turn gives employees and the company better protection. Every employee should be prepared to play a role in securing themselves, their company and its assets. Security awareness is a crucial aspect of this, and enabling all employees and all parts of your company to work together will help achieve a sustainably strong security posture.