When it comes to data security, it is a widely accepted fact that humans are the weakest link. Unlike computers, which do what they are programmed to do, and nothing more, humans are careless, curious, accident prone, gullible, and in some cases, mischievous.
To be fair, in most cases the reason why our employees click on malicious links or share sensitive data with unauthorized parties is because we failed to provide them with an intuitive data security framework to follow.
Even when we provide security awareness training, it usually delivered once in a blue moon – often via a PowerPoint presentation that would put most people to sleep. Creating a culture of security is not something that will happen quickly or organically.
We must persist in creating the right conditions in order for it to flourish. And what are those conditions? Firstly, it needs to deliberate, in the sense that creating the culture itself requires formalized policies that ensure that regular training and security-related activities are adhered to.
Secondly, it must be disruptive in the sense that security best practices cannot be easily ignored or forgotten about. Thirdly, creating a security culture should be fun, engaging, and rewarding. A data security program that is fun, engaging and rewarding you say?
Yes, I know, that’s a lot to ask of your security team, but it is possible. Anyway, let’s take a closer look at some of the core challenges we must overcome to create a culture of security.
1. Instill the Notion that Security is Everyone’s Responsibility
Many people still have this idea in their heads that data security is the sole responsibility of the IT department. However, given that employees are generally considered to be the weakest link, this is clearly not the case. In fact, in today’s technological paradigm of distributed multi-cloud and hybrid IT environments, it would be simply impossible for even the most experienced IT security professionals to effectively keep their data secure without the cooperation of all members of staff, including C-level employees and executives. This must be made clear to everyone, and all security policies must be designed with this notion in mind. We must also do what we can to eliminate the “us versus them” mentality, which requires uniting people under a common goal.
2. Develop a Comprehensive Security Awareness Training Program
This is the most obvious part of creating a security culture. All employees and relevant stakeholders must be given clear, concise and comprehensive security awareness training. Record and upload the training sessions as well so that employees can watch the video at a later date if they need to refresh their memory on a given subject.
For the sake of context, provide real-life examples of data breaches, including information about the causes and consequences of the examples provided. As mentioned previously, the training should be fun and engaging – something that I will cover in more detail later in this article. A common technique that is used to ensure that security is always at the forefront of employee’s minds is to put up relevant posters, which might include cartoons, catchy phrases and acronyms, in areas that are visible to all members of staff.
In addition to educating regular employees, all software developers and testers must be trained extensively on application security best practices. Remember, security awareness training is an ongoing activity.
3. Make Sure That You Have a Secure Development Lifecycle (SDL)
An SDL referrers to the processes and practices that need to be performed before rolling out any software or system releases, and includes threat modeling, security testing and other relevant activities. Many organizations base their SDL on the Microsoft SDL, which you can find here.
4. Reward Success More Than You Punish Failure
In order to maintain the enthusiasm of your employees, look for opportunities to celebrate their success. At the end of every training session, thank your employees for their participation. Consider offering them a reward of some sort – even if it’s just a piece of cake. You may even want to consider offering them a cash bonus – at least until you are satisfied that your core objectives have been achieved.
Do what you can to turn security awareness into competition. If you’re carrying out mock phishing attacks, be sure to reward those who were able to identify the phishing emails in a timely manner. While it is important to raise awareness to those who failed the test (assuming anyone did), try to keep the criticisms as constructive as possible. It’s important to bare in mind that we all have our off-days.
Given the shortage of cyber security professionals, it makes sense to provide opportunities to those who show an interest in data security. Perhaps offer them additional training and encourage them to consider moving into a data security role within your organization. If you haven’t already developed a suitable training course for them to participate in, consider enrolling them on a training course provided by a third-party. Sure, it all costs money, but it will likely pay-off it in the long run.
5. Make Security Fun and Engaging
Let’s face it, data security a dry subject. In order to ensure that employees are willing to show interest and actively participate in your data security program, subjecting them to lengthy and tedious presentations is perhaps not the best way of achieving your goals. Of course, making security fun and engaging is not an easy task.
You will need to think carefully about who should be appointed to carry out the training sessions. The appointed member of staff should be someone who is extroverted and likes to crack jokes. Give them permission to goof around deliver a training session that is fast-paced and energetic.
Try to ensure that the training sessions are interactive and relevant, and include games and quizzes to ensure that the participants are paying attention. As mentioned previously, organizations may choose to put up posters that remind employees of security best practices.
A quick Google and you will find hundreds of data security memes, with mildly humorous pictures and captions such as “Yeah, if we could just stop clicking on phishing emails, that’d be great!”, or “Passwords are like underwear, they shouldn’t stick to the wall!”. Granted, they’re not exactly rib-ticklers, but as long as they stick in people’s minds, that’s all that matters.