The world is changing
Organizations today face serious IT security challenges amid an alarming rise in cyber threats. In response, they rely mostly on cybersecurity procedures and technology to protect the organization and its systems. Surprisingly little attention is paid to how this protection can be strengthened through employees' behavior.
As Todd Thibodeaux, president and CEO, CompTIA (Computing Technology Industry Association) points out, “We can’t expect employees to act securely without providing them with the knowledge and resources to do so. Employees are the first line of defense, so it's imperative that organizations make it a priority to train all employees on cybersecurity best practices.” (source).
Why is cybersecurity awareness so important?
Of all the factors within our organizations and systems, our people are the most likely to expose us to risk. We need to change the way we approach the human security risk factor and protect our people in order to protect our organization, through cybersecurity awareness. But what exactly is 'cybersecurity awareness', and why is it so important?
Cybersecurity awareness is essential to creating a long-lasting security culture in which employees not only understand good security practices but also act on them, and in which security-conscious behavior is a natural and integrated part of the working day.
Building a security culture within an organization is a long-term, sustained effort that requires 'Reminding', 'Repeating' and 'Rewarding' employees. The effort must be clearly supported and led by management. According to Todd Thibodeaux, “Companies cannot treat cybersecurity training as a one and done activity. It needs to be an ongoing initiative that stretches to all employees across the organization.”
Only by being 'reminded', practicing through 'repeating' and being 'rewarded' will employees come to understand the cybersecurity challenges the business faces and the important role they themselves play in protecting the organization from potential threats. Employees must gain specific awareness, relevant to their role in the organization, that what may seem to be an innocent action may in fact open the door to the very real threat of becoming the victim of a cybercriminal. Seemingly innocent actions include clicking on links, opening email attachments from an unknown sender, sending confidential information as plain email text instead of using encryption, sharing a password with a colleague over the phone, or charging a non-company mobile phone from a USB port on a company PC.
This caution must become a standard mode of operation for employees without impacting customer friendliness or their collaborative attitude towards partners and colleagues. Rather, a cautious attitude should enhance the organization's image as a trustworthy partner for electronic communication and a safe haven for the sensitive data of its business partners.
Benefits of applying awareness to your security initiative
By understanding the importance of cybersecurity awareness, and investing in it as part of your security initiative, your employees become an active part of the journey and of the solution. Awareness will:
- make security tangible and relevant to employees in their daily work
- ensure that the security maturity level increases gradually
- ensure that leaders at all levels understand the important role they play in showing clear support for, involvement in, and adherence to the initiative
- lay the foundation for a lasting security culture, anchored in the core values and strategy of your organization.
What can you do to lay the foundation for a security mind-set?
Changing the mind-set to establish an IT security culture is a long-term effort and can be difficult to execute; hence it is often not prioritized in the company strategy. However, there are some concrete actions you can take to ensure the success of your cybersecurity awareness initiative:
- identify and engage relevant stakeholders early in security initiatives
- conduct impact assessments to address every angle of your organization that the IT security initiative affects
- define short-term and long-term KPIs for security maturity and baseline the current level
- design and implement a security awareness campaign containing:
  - a specific communication, engagement and training approach
  - training execution targeting the relevant audience groups
  - a measurement approach for long-term sustainment that supports the KPIs.
At NNIT, we believe that employee behavior and actions are strong elements of a successful security initiative.