IT security professionals can be categorized into two distinct groups: those who believe security awareness programs are worthwhile endeavors and those who think they are a waste of valuable time. I belong to the camp that holds corporate security awareness programs are not only modern necessities but competitive differentiators. In theory, security awareness is a great idea; however, like many great ideas, it can suffer from poor implementation and consequently end up ineffective and utterly useless.
Much of the blame for current security woes has fallen squarely on the shoulders of security vendors for relying too heavily on old technologies (see antivirus signatures) and failing to evolve their solutions to combat today’s threats. While this is certainly a valid grievance, it is worth noting that corporate IT pros are equally culpable, as we have failed to modernize security awareness programs (amongst other things, but I won’t focus on those; trust me, our list of security sins is pretty long). How can we possibly bash vendors for failing to keep up with the times while we are still espousing the same garbage advice to our coworkers that we doled out in the early 1990s? You are probably familiar with gems like “only visit reputable websites” or “don’t go to porn sites, you’ll get a virus.” Advice like this no longer matches how attacks actually arrive: compromised legitimate sites, malicious advertisements, and phishing emails that look like routine business correspondence. The backbone of many awareness programs is a long list of “dos” and “don’ts” (longer than Richard Nixon’s enemies list) that is read verbatim annually by an IT staffer who is about as enlightening and engaging as old Tricky Dick. It is time that we rethink how security awareness programs are developed and implemented; they need to be updated so they are relevant and relatable to the average employee. Quite simply, it is time for a transformation.
Drop the “user” label
I am unsure how this ivory tower mindset of “us versus them” evolved, but it needs to stop immediately. Why IT pros refer to their fellow colleagues and co-workers as “users” (usually accompanied by malice and disgust) is beyond me. This label does nothing but promote division, distrust, and resentment between IT and the other business units (and then we wonder why IT is left out of critical projects). To rectify this, IT professionals need to develop a genuine desire to have a positive impact on their fellow colleagues for the betterment of the organization. People are the most important asset of any company; therefore, by ensuring that they are able to work safely and securely, we go a long way toward guaranteeing future company growth and vitality. By promoting a “one company” attitude we dismantle the prejudices that existed and make the company stronger and more competitive as a result.
Lose the negative mentality
There is a widespread belief in the IT community that non-IT staff cannot be trained to think securely. A common argument against awareness programs is that there will always be someone “dumb enough” to open a malicious email attachment or leak their credentials to a phishing attempt. I find it very disheartening when I hear fellow IT professionals refer to “idiotic users” as if we were exalted royalty. It’s time we realize that we are the idiots for failing our business counterparts by implementing such shoddy awareness programs and treating them as second-class citizens. Yes, there will always be someone who may be fooled by a social engineering attempt, but that is not a valid reason for not deploying awareness programs. Following that logic, we should not be rolling out antivirus, intrusion detection systems, firewalls, or any other security technology, because every one of them can be bypassed.
Try not to focus on what security awareness cannot do; instead, focus on what it can accomplish. The focus should be on risk management. The job of any IT security pro is to mitigate IT risk. Like any other threat we face, we will never be able to completely eliminate the risk that human behaviour poses; the realistic goal is to reduce how often people take the bait and to shorten the time before someone reports it. Comprehensive awareness programs enable companies to lower the collective risk that social engineering and malware pose.
Make it relevant, relatable, and engaging
Michael Santarcangelo, a renowned advocate of awareness initiatives, eloquently defines security awareness as “an individual’s realization of the consequences of their actions, viewed in the context of intention and impact.” Most people do not fully comprehend the connection between the actions they take online and the potential negative personal impact and consequences that can result. A program that only admonishes employees for what they do wrong will be neither effective nor well received. We need to embrace the role of coaching and teaching safe computing.
Through relatable and engaging examples and discussions, we can develop their thought process and mental decision framework so they are able to navigate the online world securely. Empower employees so they are not “targets” but rather in command of their online experience. Stimulate their thinking by encouraging them to think critically about the psychology behind many online threats: the urgency, authority, and curiosity that phishing and other social engineering attempts rely on. Be a catalyst for developing and improving the awareness and training of your colleagues. The awareness program needs to be ingrained in the corporate culture instead of being a once-a-year checklist item. Conduct monthly lunch sessions that focus on safe computer use at home, develop a corporate awareness section on the company intranet, or send out weekly security tips. This constant reinforcement of awareness, training, and practice will lead to a security-minded workforce.
Security awareness alone cannot provide adequate protection, but coupled with proper processes and timely security solutions it will drastically improve the security and risk posture of any organization that takes the time and effort to properly develop a program. By transforming how your security awareness program functions, you gain a competitive edge. Remember to treat your fellow workers with the respect they deserve. They are more than capable of being safe and secure online; their teachers just need an attitude adjustment.