This post was originally published on the ENow Software Blog; you can view the original post here.
Many organizations regard their people as their greatest asset. There is no disputing that the ability to hire great talent is a critical component of success, but in today’s pandemic-work-from-home world those same assets can also pose the greatest risk to your business. No amount of technology can account for human nature. You may already have invested in the best security solutions, but all it takes is a single click on a phishing email. I like to refer to this as a people problem – something that technology cannot solve entirely.
Organizational Change Management (OCM) practices have taken off in recent years, and I have long been of the opinion that the most successful projects are those with heavy OCM involvement – I’ve experienced it for myself. For the longest time, though, we have tended to involve or interact with the user community only when we are about to change something, often going to great lengths to avoid that interaction. Bad actors are constantly evolving and maturing their methods. Doesn’t it make sense for us to evolve our awareness and user education programs as well? I have previously written about this and thought I would go into a little more detail.
Security is everyone’s responsibility
Security is everyone’s responsibility – by this I don’t mean that everyone in the organization should become a cybersecurity professional; I mean that everyone has a responsibility to be diligent in their daily duties and informed about active and emerging threats. I know many organizations already have user education programs in place, typically a set of outdated computer-based learning modules that are a required part of employee onboarding and sometimes repeated once a year. My opinion is that in many instances these do nothing more than “tick a compliance box” and are at best a 1999 solution to a 2021 problem. Similarly, some organizations run internal phishing campaigns to test their user community. These are great, except when the results are published as top-10 name-and-shame lists or, worse still, used as grounds for disciplinary action instead of being used to educate and empower. It is our responsibility as technologists to keep our user communities informed and arm them with the knowledge they need to make the right decisions.
Some simple things go a long way
I believe the best approach here is a program that is iterative in nature and uses a combination of process and technology. Engagement and buy-in from the user community is key – fear mongering will not achieve the desired results. It could start with something as simple as a regular company-sponsored lunch and learn. Yes, there is some investment required, but if you consider that in 2020 the average cost of a data breach was $3.86 million (IBM’s 2020 Cost of a Data Breach Report), it will be worthwhile.
Developing a security awareness program isn’t something you can do overnight, and it certainly isn’t something that you can ‘set and forget’. Here are some additional tips that might be useful when planning your program or to help improve the program you already have in place today:
- A successful awareness program is not owned solely by Infosec or IT; it involves multiple areas of the organization. Create a steering committee to lead the program, and include folks from HR and other relevant parts of the business. Marketing involvement can be particularly fruitful, as they can help ‘market’ the program to your user community.
- Continuously evolving, up-to-date messaging is very important. It should cover present-day threats rather than being filled with outdated information. My previous post on phishing during COVID-19 has some good examples of how bad actors have used world events to craft their attacks.
- While certain threat vectors are more prevalent than others, it is important that your awareness program takes a holistic approach and covers all aspects of security. It should, of course, focus on the threats relevant to your business or organization.
- Start small. There is no need to invest in expensive tooling in order to have a successful awareness program. Cultural change within the organization is very important, and you can’t buy that.
- Educate and empower, don’t name and shame. Report simulation results at the team or department level, and treat a user who reports a suspicious email as a success story, not a user who merely didn’t click.
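The following is an added example, not code from the original post, of how the results of an internal phishing simulation can be summarised without ever naming an individual: clicks and reports are aggregated per department, any department too small to hide an individual in is folded into an “Other” bucket, and rates are suppressed entirely if that bucket is still too small. The input rows and field names are constructed sample data and are an assumption; they do not reflect any particular vendor’s export format.

```python
"""Aggregate phishing-simulation results per department without naming anyone.

Added example, not part of the original post. SAMPLE_RESULTS is constructed
sample data; the row layout (user, department, clicked, reported) is an
assumption, not any vendor's export format.
"""
from collections import defaultdict

# Constructed sample export: one row per simulated email that was delivered.
SAMPLE_RESULTS = [
    {"user": "a.lee",   "department": "Finance",     "clicked": True,  "reported": False},
    {"user": "b.khan",  "department": "Finance",     "clicked": False, "reported": True},
    {"user": "c.ortiz", "department": "Finance",     "clicked": False, "reported": True},
    {"user": "d.wu",    "department": "Finance",     "clicked": True,  "reported": True},
    {"user": "e.ross",  "department": "Finance",     "clicked": False, "reported": False},
    {"user": "f.nair",  "department": "Engineering", "clicked": False, "reported": True},
    {"user": "g.ivy",   "department": "Engineering", "clicked": False, "reported": True},
    {"user": "h.sato",  "department": "Engineering", "clicked": True,  "reported": False},
    {"user": "i.cole",  "department": "Engineering", "clicked": False, "reported": True},
    {"user": "j.park",  "department": "Engineering", "clicked": False, "reported": False},
    {"user": "k.adams", "department": "Legal",       "clicked": True,  "reported": False},
    {"user": "l.bloom", "department": "Legal",       "clicked": False, "reported": False},
]

# Departments with fewer recipients than this are merged into "Other" so that a
# single click cannot be traced back to one person. The threshold is a choice.
MIN_GROUP_SIZE = 5


def _empty():
    return {"delivered": 0, "clicked": 0, "reported": 0}


def summarize_by_department(rows, min_group_size=MIN_GROUP_SIZE):
    """Return {department: {"delivered", "click_rate", "report_rate"}}.

    User identifiers are never copied into the output. Departments smaller
    than min_group_size are folded into "Other"; if "Other" is itself still
    smaller than the threshold its rates are suppressed (None) rather than
    published.
    """
    counts = defaultdict(_empty)
    for row in rows:
        c = counts[row["department"]]
        c["delivered"] += 1
        c["clicked"] += int(bool(row["clicked"]))
        c["reported"] += int(bool(row["reported"]))

    merged = defaultdict(_empty)
    for dept, c in counts.items():
        key = dept if c["delivered"] >= min_group_size else "Other"
        for field in ("delivered", "clicked", "reported"):
            merged[key][field] += c[field]

    summary = {}
    for dept, c in merged.items():
        n = c["delivered"]
        large_enough = n >= min_group_size
        summary[dept] = {
            "delivered": n,
            "click_rate": round(c["clicked"] / n, 2) if large_enough else None,
            "report_rate": round(c["reported"] / n, 2) if large_enough else None,
        }
    return summary


def departments_needing_attention(summary):
    """Departments where more people clicked than reported, sorted by click rate.

    Suppressed groups are excluded: there is nothing to act on at group level
    without publishing individual data, which is exactly what we are avoiding.
    """
    candidates = [
        (dept, s) for dept, s in summary.items()
        if s["click_rate"] is not None and s["click_rate"] > s["report_rate"]
    ]
    return [dept for dept, s in sorted(candidates, key=lambda x: -x[1]["click_rate"])]


if __name__ == "__main__":
    result = summarize_by_department(SAMPLE_RESULTS)
    for dept, stats in sorted(result.items()):
        print(dept, stats)
    print("Needs a targeted session:", departments_needing_attention(result))
```

On the constructed data this prints Finance and Engineering with their click and report rates, folds the two-person Legal team into “Other” with suppressed rates, and lists no department as needing attention because in both large groups more people reported than clicked. The report rate, not the click rate, is the number worth celebrating in front of the user community.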
Lastly, there are some great tools you can use to make your life easier. The Report Message and Report Phishing add-ins for Outlook and Outlook on the web are a great way to empower users to report false positives (legitimate mail that landed in Junk) and false negatives (junk or phishing mail that reached the inbox) to Microsoft for analysis with a single click. Administrators can also configure user-reported settings so that a copy of each report goes to an internal reporting mailbox, giving the security team visibility into what users are actually seeing. It is important, however, to educate users on the process, the difference between a false positive and a false negative, and how their reports are used.
If your organization has Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, you can use Attack simulation training in the Microsoft 365 security center. These simulated attacks are a great teaching aid when used correctly, that is, to deliver just-in-time training to the people who click rather than to single them out.