Cybersecurity isn’t a compliance checklist that can be reviewed once a year and forgotten about. But sadly, that’s how cybersecurity is still approached by many organizations today, according to a panel of experts who spoke at this year’s MapleSEC Satellite Session – Learning through Training program.
“We tend to see the user as the problem, as the thing to fix,” said Kevin Magee, chief security officer at Microsoft Canada. “But it should be about ‘how do we safely enable that user?'”
He also described the mindset an organization should have around cybersecurity, noting it should extend “from the boardroom to the server room.”
Kim Schreader, principal, national cybersecurity professional services at Telus, noted the importance of providing employees context to help them understand how their actions – such as falling for phishing attacks – impact the rest of the organization.
“Measurements are also important,” she added, pointing specifically to statistics that highlight clickthrough rates for phishing attacks, and the number of reports that users actually file when they spot something suspicious.
Kathy Macdonald, principal and instructor at the University of Calgary, suggested leadership perform exercises using headlines ripped from the real world. Magee agreed.
“It’s fascinating what you do learn when you find those holes in your organization,” he said. “When they see leaders prioritizing these sessions that says more than anything that these discussions are important.”
When asked what is the preferred response to a user that is a “serial clicker,” Ruth Godfrey, manager of cybersecurity policy and awareness and training for B.C. Hydro, said a conversation can go a long way.
“At B.C. Hydro, a conversation is the first line of response to someone who clicks or is a repeat clicker in a phishing exercise,” she said.
Macdonald also suggested repeat offenders lead a workshop or share their personal story – if they’re comfortable doing that – with the rest of the team.
You can watch the entire conversation above.
=====
Moderator: Kelvin Coleman, Executive Director, National Cybersecurity Alliance
Panellists:
Ruth Godfrey, Manager, Cybersecurity Policy, Awareness and Training, BC Hydro
Kim Schreader, Principal, National Cybersecurity Professional Services, Telus
Kevin Magee, Chief Security Officer, Microsoft Canada
Kathy Macdonald, University of Calgary, a 2020 Canada’s Top Women in Cybersecurity Honouree