Recent research on online security brings both good news and bad news.
First, the good news. According to a Cybersecurity and Infrastructure Security Agency (CISA) report, most people (78 percent) consider staying secure online a priority, and 57 percent of respondents say they are worried about cybercrime.
Now the bad news: 46 percent of end users feel frustrated with staying secure online, and 39 percent feel that information on how to stay secure online is confusing. Finally, 43 percent of respondents had never heard of multifactor authentication.
That gap creates a sense of urgency in 2023 to make online security easier. This year marks the 20th annual Cybersecurity Awareness Month, and CISA is launching a new awareness program encouraging four simple steps every American can take to stay safe online. These are simple actions we should all take not only during Cybersecurity Awareness Month, but every day throughout the year.
The four behaviors CISA and the National Cybersecurity Alliance are highlighting this October are:
- Enabling multifactor authentication
- Using strong passwords and a password manager
- Updating software
- Recognizing and reporting phishing
I have seen several other lists that add a few other important behaviors, like backing up your data and having a plan in case of an emergency, but it is hard to argue with this basic list of items that everyone should act on, both at home and at work.
Note that studies also show that people who take cybersecurity seriously at home generally protect corporate data better at work. Also, the COVID-19 pandemic has led to many people working in hybrid arrangements, with more staff working from home at least part of the week.
Do’s and Don’ts – Enterprise Security Awareness Recommendations to Consider
So how can public and private sector leaders get their enterprise teams to follow these guidelines? After examining numerous reports, tips, best practices, articles and white papers on what works and what doesn’t, here are my ten top recommendations to consider when building or improving your security awareness program, both this October and year-round.
I’ve divided this section into two lists – the Do’s and the Don’ts of enterprise security awareness training programs.
Five DON’Ts:
- Don’t stay with the status quo. A cyber awareness program whose content hasn’t been updated in years is a waste of employees’ time, and global teams hear this message from staff loud and clear. When I was CISO in Michigan, we got rid of our old end user awareness program and started over from scratch. Why? Our old awareness program was deemed boring, irrelevant, too long, outdated and even “Death by PowerPoint.” We moved to a new set of solutions for cyber awareness and used the Michigan Cyber Range for technical training.
- Don’t rely solely on videos or PowerPoint slides as the primary channel for awareness programs. Several studies have found that interactive materials that engage end users achieve better results than the common tactic of a series of awareness videos. The truth is that many employees don’t pay attention to videos: some start a video, leave their desk for the restroom, chat with neighbors or get coffee, and come back to see whether it is over. However, fun, user-created videos, such as those developed as part of these EDUCAUSE awareness tools, can help as supplemental content that creates energy and excitement at the office.
- Don’t confuse cyber awareness programs with security training. Ira Winkler makes this point very well in this Dark Reading article: “Security training provides users with a finite set of knowledge and usually tests for short-term comprehension…. Security Awareness programs strive to change behaviors of individuals, which in turn strengthens the security culture. Awareness is a continual process. It is not a program to tell people to be afraid to check their e-mail. The discipline requires a distinct set of knowledge, skills, and abilities.”
- Don’t forget anyone, and don’t make security awareness an optional extra. Everyone has a role in improving security, so the entire enterprise needs security awareness. The weakest link is often an employee clicking a malicious link.
- Don’t focus solely on compliance or make awareness a “check the box” exercise. No doubt you need a security awareness program for PCI DSS, HIPAA, federal regulations or other compliance requirements. But cybersecurity awareness needs to be a process of constant improvement and adaptation as your technology and business change. The main goal is to improve the security culture in pragmatic ways. Culture change takes years of hard work, so this won’t be a simple endeavor.
Five DOs:
- Ensure executive support and management buy-in. End user awareness must have the full and vocal support of top executives and middle managers to succeed. When top executives participate themselves, it sends a clear message to your team about how important this is. Leading by example is key, and occasional prodding of key execs and managers will be necessary to keep things on track.
- Make it fun: use gamification and interactive content where possible. Brief, intriguing, “sticky” content is also key, and the more relevant and timely it is, the better. Yes, remind staff of important security policies, but also inform your people about risks, such as spear-phishing techniques, or something new that helps them online in their personal and professional lives. Add a competitive component to increase engagement.
- Include posters, newsletters, email tips, blogs and reminders. Different people learn differently. There are numerous sources to help provide new and refreshing security information, such as the free resources from Multi-State Information Sharing & Analysis Center (MS-ISAC).
- Focus on changing behaviors. Relate cyber awareness to personal life, family and home. Our goal is to change culture and improve security. This can only happen if people make good decisions and act in ways that reduce risk each and every day. Also, many studies have shown that employees pay more attention if the awareness materials can be used (and even shared) outside the office – at home with family and friends.
- Solicit end user ideas, encourage feedback, and measure the program’s success and growth. Make sure your awareness program is measured. How many users actually complete the training? What did they like? Did they learn anything? Have behaviors changed? Also ask for new ideas and suggestions for improvement, encourage creativity, and provide mechanisms to get real-time data from staff.
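As an added example (not part of the original article), here is one way to do the measurement the last item asks for, run over constructed phishing-simulation and training records: per-campaign completion, click and report rates, click rate by department, the gap between users who completed training and those who did not, and a quarter-over-quarter check that clicks are falling while reports are rising. The campaign names, users and departments are hypothetical, and the empty-group case (nobody in a category) is handled rather than dividing by zero.

```python
"""Campaign-level metrics for an awareness program: training completion,
phishing-simulation click and report rates, and whether behavior is trending
the right way. All sample data below is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SimResult:
    """One user's outcome in one phishing-simulation campaign."""
    campaign: str          # e.g. "2023-Q1"; names sort chronologically
    user: str
    department: str
    completed_training: bool
    clicked: bool          # clicked the simulated phishing link
    reported: bool         # used the report-phish button


# Constructed sample results (hypothetical users and departments).
RESULTS: List[SimResult] = [
    SimResult("2023-Q1", "alice", "finance", True,  False, True),
    SimResult("2023-Q1", "bob",   "finance", False, True,  False),
    SimResult("2023-Q1", "carol", "hr",      True,  True,  False),
    SimResult("2023-Q1", "dave",  "hr",      False, True,  False),
    SimResult("2023-Q1", "erin",  "it",      True,  False, True),
    SimResult("2023-Q2", "alice", "finance", True,  False, True),
    SimResult("2023-Q2", "bob",   "finance", True,  False, True),
    SimResult("2023-Q2", "carol", "hr",      True,  False, False),
    SimResult("2023-Q2", "dave",  "hr",      True,  True,  False),
    SimResult("2023-Q2", "erin",  "it",      True,  False, True),
]


def _rate(hits: int, total: int) -> Optional[float]:
    """Share of hits in total; None when the group is empty (no 0/0)."""
    return hits / total if total else None


def campaign_metrics(results: List[SimResult]) -> Dict[str, Dict[str, Optional[float]]]:
    """Per-campaign completion, click and report rates."""
    by_campaign: Dict[str, List[SimResult]] = defaultdict(list)
    for r in results:
        by_campaign[r.campaign].append(r)
    metrics: Dict[str, Dict[str, Optional[float]]] = {}
    for name, rows in by_campaign.items():
        n = len(rows)
        metrics[name] = {
            "completion": _rate(sum(r.completed_training for r in rows), n),
            "click_rate": _rate(sum(r.clicked for r in rows), n),
            "report_rate": _rate(sum(r.reported for r in rows), n),
        }
    return metrics


def department_click_rates(results: List[SimResult], campaign: str) -> Dict[str, Optional[float]]:
    """Click rate per department for one campaign: tells you where to focus next."""
    clicks: Dict[str, int] = defaultdict(int)
    totals: Dict[str, int] = defaultdict(int)
    for r in results:
        if r.campaign == campaign:
            totals[r.department] += 1
            clicks[r.department] += int(r.clicked)
    return {d: _rate(clicks[d], totals[d]) for d in totals}


def click_rate_by_completion(results: List[SimResult], campaign: str) -> Tuple[Optional[float], Optional[float]]:
    """Click rate for users who completed training vs. those who did not.
    A gap between the two is evidence that the content changes behavior."""
    rows = [r for r in results if r.campaign == campaign]
    done = [r for r in rows if r.completed_training]
    not_done = [r for r in rows if not r.completed_training]
    return (_rate(sum(r.clicked for r in done), len(done)),
            _rate(sum(r.clicked for r in not_done), len(not_done)))


def behavior_improving(metrics: Dict[str, Dict[str, Optional[float]]]) -> bool:
    """True if, from the earliest to the latest campaign, clicks fell and reports rose."""
    names = sorted(metrics)
    if len(names) < 2:
        return False
    first, last = metrics[names[0]], metrics[names[-1]]
    values = (first["click_rate"], last["click_rate"], first["report_rate"], last["report_rate"])
    if any(v is None for v in values):
        return False
    return last["click_rate"] < first["click_rate"] and last["report_rate"] > first["report_rate"]


if __name__ == "__main__":
    m = campaign_metrics(RESULTS)
    for name in sorted(m):
        print(name, {k: round(v, 2) for k, v in m[name].items() if v is not None})
    print("Q1 click rate by department:", department_click_rates(RESULTS, "2023-Q1"))
    print("Q1 trained vs. untrained click rate:", click_rate_by_completion(RESULTS, "2023-Q1"))
    print("behavior improving:", behavior_improving(m))
```

Feeding the same functions your real simulation and LMS exports lets you answer the four questions above with numbers rather than impressions; the trained-versus-untrained gap in particular is the cheapest evidence that the content itself, not just exposure to the simulation, is what changes behavior.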
Final Thoughts
No doubt, this is a call for “back to basics” in online security for 2023. And the good news is that we can all help.
Becoming a cyber ambassador for good, by helping non-profits, schools, churches, senior centers or others, is a great way for individuals and groups to give back, learn and support their community. You may help your career at the same time.