SAN FRANCISCO — There’s a lot of advice on how to improve employee security awareness: e-mail reminders, videos, newsletters, intranet pages, posters, games …
One thing is missing from all these articles: How to create an effective security awareness plan. But a plan is essential, infosec pros were told at last week’s RSA Conference here.
“You’re truly not mature until you’re not only changing behaviour and culture, but you have the framework to demonstrate that change,” said Lance Spitzner, a director of security awareness at the SANS Institute.
An awareness plan, he said, has to answer three questions:
—Who are you training? A new program will likely start with “everyone,” but as your program matures identify different groups in the organization that have higher risks. For example, software developers, management, finance department, human resources, help desk, interns;
—What behaviours do you want them to change? This list may include falling for social engineering/phishing/phone attacks, using/re-using weak passwords, or accidents, which includes everything from misconfiguring servers to using autocomplete in the e-mail To: field so mail goes to the wrong person.
(By the way, Spitzner pointed out, according to the annual Verizon data breach report, sending e-mail to the wrong person was responsible for 10 per cent of all data/privacy breaches.)
Spitzner emphasized the importance of using data from managers or the IT department to build the list of the most common and most important bad behaviours. This will be a list of the biggest risks. All you have to do is manage that behaviour;
—How will you change those behaviours? Awareness training has to be conducted at least every month, he said. (IT patches software every month, so why not train as often). Organizations should use a variety of communications: E-mail, posters, newsletters, intranet, podcasts.
Remember, Spitzner said, some solutions may be simple: For password problems, for example, the company can buy enterprise-grade password managers and allow staff to use easy-to-remember passphrases. For the e-mail addressing problem, urge staff to check the To: field before pressing Send.
Think about putting at least one person with communications skills (from the PR or marketing team, or someone with an English degree) on the team creating awareness messages. Too often these teams are composed only of what Spitzner called “security geeks — who are the world’s worst communicators.”
Worried about getting through to millennials? Make sure at least one is on the awareness team.
(By the way, Spitzner said, make sure everyone in the company gets awareness training, including the janitors. You know, the people who might empty the sensitive documents in the “to be shredded” bin into the regular garbage bin, which is then left outside …)
Finally, measure progress in the change in behavior over time through metrics: What are your top human risks? What are the top behaviours that manage those risks? These are among the most important things to measure — not how many people completed training, or how many lunch-and-learns were held. Those are merely compliance metrics.
Some questions have to be well thought out to get at what’s really happening. (Don’t ask, “Do you share your passwords?” Instead ask, “On a scale of 1 to 5 how likely is it that a co-worker shares their password with you?”).
Focus on a few important metrics, Spitzner added, not on collecting a lot of numbers.
Infosec pros, he added, may also have to create strategic metrics for the leadership team to answer questions like, “Are we improving our ability to detect/respond to incidents over time?”
There are three things that will ensure the awareness program is effective: Leadership support (“The awareness team needs doors opened”); don’t measure success by the size of the awareness team’s budget, but by the size of the team (three full-time people for an organization of 5,000 employees or more); and the team should have people with soft skills or partnerships with the communications department.
For more see the SANS Institute’s 2018 Security Awareness report (registration required)