Companies still fail to prioritize cybersecurity awareness strategies, leaving the “human factor” open to criminals looking to exploit and extort.
The lack of a human firewall means that people have become the primary attack vector for cyber attackers. While companies are increase in expenses on cybersecurity tools, such as our latest searches demonstrates, there is a disturbing lack of strategic direction and underinvestment in security awareness programs.
With many cyber criminals relying heavily on highly efficient versions old-fashioned tactics like phishing, a lack of resources means employees are unable to protect themselves and their business from attack. It’s a situation that academics describe as ‘critical’.
Security awareness is far from mature in today’s businesses
By using our Security Awareness Maturity Modelnew research from SANS shows that on a third (38%) of companies in EMEA have “non-existent” security awareness programs. Employees have no idea they are a target or that their actions have a direct impact on security, are unaware of or do not follow organizational policies, and are easily attacked.
Close to a third (29%) of organizations have reached the basic compliance-focused stage, where ad-hoc training programs address specific compliance or auditing requirements, resulting in a similar lack of understanding of policies and the impact of individual behavior.
Security awareness should be an integral part of the organization’s culture, going beyond behavior change to transform people’s beliefs, attitudes, and perceptions about cybersecurity. However, just a quarter of companies have a robust metrics framework aligned with the organization’s mission and leadership priorities to track and measure the impact of security awareness.
In fact, even when organizations have invested in security awareness professionals, our research found that more than 69% spend less than half of their time on security awareness. Only 18% are dedicated full-time to supporting their outreach program, without the time, scope or staff to properly fulfill their role.
The pandemic has exacerbated the situation, leading outreach professionals to report that the workforce was suffering greater distraction and being overwhelmed. In the tumult of containment, security awareness was not considered mission critical, and criminals quickly took advantage of this lack of focus. Today’s new workforce models also make security awareness across the enterprise a more difficult challenge, but one that must be addressed.
Supporting security awareness professionals to build better defenses
As our report revealed, several trends are affecting the impact of outreach programs. A clear indicator of the changes needed is that the most mature awareness programs have the strongest support from company management. So how can security awareness professionals in all organizations engage more with leadership?
1. Talk in terms of risk
Far too often, security awareness is seen as a compliance effort. To effectively engage leadership, focus on and use terms that resonate with them and demonstrate your support for their strategic priorities. Don’t talk about what you do, explain why you do it, and specifically demonstrate how security awareness effectively manages your organization’s human risk.
2. Create a sense of urgency
Does management perceive the human factor as a significant risk? Leverage data and statistics and work with your security operations center, incident response team, or cyber threat intelligence teams to better document key human risks and show how people are a key driver incidents.
3. Communicate impact
Spend two to four hours a month collecting information about the impact and value of your outreach program and communicating it to management. This information can include informal metrics, established key performance indicators, or success stories. Enable leaders to understand and see the value your program brings. For a framework demonstrating impact, explore our Maturity Model Indicators Matrix.
4. Document Security Team Divergence
Security teams are often technically heavy, but as a starting point, we recommended having a ten-to-one ratio of technical security professionals to human-focused security professionals. As mentioned, the human risk factor requires a human response and dedicated talent provides the levels of defense that today’s threats demand.
5. Break down your needs
Document all the steps and initiatives you need to take to make your security awareness program effective. These may include working with the audit and legal department for compliance purposes, partnering with human resources and communications for employee awareness and training, working with IT, developers and managers. other technical staff to design role-based training, etc. time employees need and demonstrating the value of those efforts, management will have a better understanding of the investment required.
6. Develop partnerships
The more you can partner with other departments in your organization, the more effective your team will be. Partner with Communications to help engage, communicate and train your staff. Work with human resources to help with new hires or to measure and create a strong culture. Collaborate with business operations to help analyze metrics and data points.
7. Keep it simple
Training doesn’t have to be complicated or expensive, like complex and fun computer training. It could be something as simple as leading a virtual webcast on ransomware, bringing in a guest speaker from law enforcement to talk about identity theft, hosting an Ask Me Anything online with leadership or start a fun scavenger hunt. What’s important is that you often engage the workforce effectively and that this training is simple to understand.
Consideration of the human factor goes well beyond compliance
Security awareness is at a critical time. Organizations can no longer justify annual training to check compliance boxes. All organizations need to understand where they stand Maturity modelso that they can then chart a course towards transforming their awareness culture, improving workforce behavior and reducing human error.
This requires leadership support urgently, and outreach professionals have a crucial role to play in ensuring leadership is engaged. However, it also requires that these same professionals be supported, properly resourced, and appreciated for their vital role. Only when security awareness is a strategic priority can organizations be confident in their cybersecurity credentials.
About the Author
John Davis is director of SANS Institute in the UK and Ireland. He leads a team of highly experienced cybersecurity professionals to provide practical information, advice and guidance on security best practices, including good cyber hygiene and bridging capability gaps to avoid blind spots in organizations. tusks.
At SANS, John brings together groups of people to create a clear mission in line with the known market need for cybersecurity that is smarter and more effective than ever. His three years at SANS are part of fifteen years of experience in business leadership, specializing in transformation, and twenty years of experience in some of the world’s largest organizations, providing IT solutions, collaboration tools and security services.
Featured Image: ©Sergey Nivens