Cybersecurity technology has come a long way too; however, security researchers are increasingly finding that most breaches are related to human factors such as phishing, which stem from poor security judgment and careless employee attitudes rather than from the limits of cybersecurity tools.
Gartner believes that time has come for security teams to balance their security investments across both technology and human-centric elements.
A security awareness program is perhaps the most crucial, human-centric element in the overall cybersecurity mix.
The core element of any training program is content.
Try to tailor content around different job roles and respective security maturity levels.
Lack of leadership support can hamper efforts to deliver security messages across the organization.
On the flip side, organizations with the most mature security programs are the ones that have the greatest leadership support.
Having the leadership team fully onboard can have a significant impact on your program, given that security culture is often influenced from the top down.
A security awareness program shouldn't be treated as a once-a-year, check-the-box activity.
Security teams must take cues from sales and marketing and continuously try to improve their campaign assets and communications, present security messages in contextual and meaningful ways, and be persistent with their efforts.
The idea is not just to build awareness, but to reinforce the message until there is a positive change in the security mindset and behavior among employees across the organization.
Phishing simulations enable security teams to identify vulnerable employees and train them in the moment.
Surveys help the organization understand the attitudes, opinions, and feelings that employees carry towards security.
Survey results are helpful in reporting progress to stakeholders, building confidence in the leadership team and winning incremental investments for your program.
Security teams must accept that learning doesn't happen at a single point in time during a classroom exercise.
It also entails social and cultural aspects - things that people imbibe when they see how co-workers handle security problems, and how often they report security incidents.
Games and contests; incentives such as free movie tickets; and tools that make reporting potential scams easier, such as a phish alert button or a hotline to the security team.
Informal: Informal training can include things like email newsletters, watching videos and online interviews, posting a security channel on the intranet or instant messenger, using a phishing awareness chatbot, etc.
Security awareness programs should never impart the feeling that the goal is to make users fail, to trick them, or to expose them in a bad light; if users do feel that way, the security team may come to be perceived as an adversary or an obstacle.
He is chief evangelist and security officer for KnowBe4, provider of security awareness training and simulated phishing platforms used by more than 65,000 organizations around the globe.
This Cyber News was published on www.cybersecurity-insiders.com. Publication date: Wed, 06 Dec 2023 15:43:05 +0000