Last week, my 9-year-old son brought home materials on digital citizenship and cybersecurity, and proceeded to tell me the dangers of clicking on links or opening attachments from strangers. When he noticed that I hadn’t installed an update on my iPhone, as evidenced by the red circle on the App Store icon, he called me on it. If elementary schools have been able to incorporate the importance of applying software updates and phishing-awareness into their curriculum, should workplaces be doing any less?
It would be easy to become numb to the almost daily data breach headlines, submitting to a sense of inevitability. It is also tempting to rely exclusively on technology tools, technology departments, or ‘others’ to protect us from cyber threats. In risk management, these strategies would qualify as risk acceptance and risk transference respectively; neither is a viable option for accountable organizations.
October is National Cyber Security Awareness Month, an annual campaign to raise awareness about the importance of cybersecurity. While effective education on how to avoid being caught in the web of cyber deceit is ideally perpetual, this month presents a perfect opportunity to bring the topic to center stage in your organization.
Here are five ideas to get you started:
1. Launch the awareness campaign with a message from senior leadership that reinforces the importance of cybersecurity vigilance and the value it holds for staff, customers and the organization.
Tone from the top is powerful, and having this message come from a department other than IT is ideal.
Consider sharing (where possible) incidents or close calls that have taken place over the past year, either internally or externally, to drive home the ‘why’ behind cybersecurity. Alternatively, create a fictional ‘what if’ scenario and use a story format to paint a post-breach picture.
2. Remind staff about your organization’s acceptable use policies.
Highlight recent changes to the policy and the rationale for making them.
Consider having staff sign off that they have reviewed and understand the policies. Adding a brief web-based quiz to the sign-off process can help identify areas that staff find confusing and where further training may be called for.
3. Train staff on the latest ways to stay secure in the workplace, and at home.
Conduct engaging training periodically throughout the year, whether live, via webinar or through e-learning.
4. Test staff on their understanding of the content provided through simulations.
Platforms are available that enable companies to deploy their own simulated phishing campaigns. Many include reporting that can be used to measure the effectiveness (i.e., ROI) of training on actual user behavior over time.
It is critical that simulations be done in a non-punitive manner, and that HR is involved prior to launching them.
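The reporting these platforms provide usually boils down to two rates per campaign: how many recipients clicked, and how many reported the email instead. The following is an added example, not code from the original post or from any particular simulation platform, showing how those metrics and the quarter-over-quarter trend can be computed from a campaign export. The row format (campaign, user, clicked, reported) and the three quarterly campaigns are constructed for illustration; a real platform will have its own export schema.

```python
from collections import defaultdict


def _build(campaign, sent, clicked, reported):
    """Construct sample rows for one campaign: the first `clicked` users
    clicked the simulated link, the last `reported` users reported it.
    (Constructed data; field names are an assumption, not a real export.)"""
    return [
        {"campaign": campaign, "user": f"u{i}",
         "clicked": i <= clicked,
         "reported": i > sent - reported}
        for i in range(1, sent + 1)
    ]


# Three constructed quarterly campaigns, 10 recipients each.
SAMPLE_RESULTS = (_build("Q1", 10, 5, 1)
                  + _build("Q2", 10, 3, 4)
                  + _build("Q3", 10, 1, 7))


def campaign_metrics(results):
    """Per-campaign sent/clicked/reported counts plus click and report rates."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for row in results:
        c = counts[row["campaign"]]
        c["sent"] += 1
        c["clicked"] += int(row["clicked"])
        c["reported"] += int(row["reported"])
    for c in counts.values():
        c["click_rate"] = round(c["clicked"] / c["sent"], 3)
        c["report_rate"] = round(c["reported"] / c["sent"], 3)
    return dict(counts)


def trend(metrics, first, last):
    """Change in click and report rates between two campaigns; a falling
    click rate and a rising report rate is the evidence of training ROI."""
    return {
        "click_rate_change": round(
            metrics[last]["click_rate"] - metrics[first]["click_rate"], 3),
        "report_rate_change": round(
            metrics[last]["report_rate"] - metrics[first]["report_rate"], 3),
    }


def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least `min_clicks` campaigns: candidates for
    additional coaching, used non-punitively and with HR in the loop."""
    clicks = defaultdict(int)
    for row in results:
        if row["clicked"]:
            clicks[row["user"]] += 1
    return sorted(u for u, n in clicks.items() if n >= min_clicks)


if __name__ == "__main__":
    metrics = campaign_metrics(SAMPLE_RESULTS)
    for name in ("Q1", "Q2", "Q3"):
        m = metrics[name]
        print(f"{name}: click rate {m['click_rate']:.0%}, "
              f"report rate {m['report_rate']:.0%}")
    print("Q1 -> Q3:", trend(metrics, "Q1", "Q3"))
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
```

The report rate is the metric worth watching most closely: a program that only drives the click rate down, without staff actually escalating suspicious mail, has not changed the behaviour that protects the organization.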
5. Ensure staff know exactly how to report incidents and suspected incidents.
Implement a ‘one click’ phishing reporting system. There are buttons that can be added to Microsoft Outlook, for example, essentially allowing suspicious email to be escalated to the IT department for analysis in one click.
Create a dedicated incident reporting email box and/or extension that is regularly monitored, and well publicized throughout the organization.
Keep the information security team visible and approachable, making it more likely that staff will come forward with risks. Staff who accidentally trigger a cyber situation may not report an incident out of a fear that they could lose their job, for example.
An engaged, aware and educated user population is an incredibly powerful force to complement your technical cybersecurity defenses; invest time in developing their capabilities today.