The Risk - No one doubts that the digital security posture of an organisation is now a board-level issue, and that's a big change from five years ago. However, executive anxieties need to be matched with a long-term, structured strategy that everyone in the company ecosystem is willing to invest in, so that the highest standards of Information Security are maintained. Inevitably, this will require a change in company culture, as most staff members view this issue as belonging to the IT Department. They forget that the consumption of IT services is often the point of maximum vulnerability for the company. It is here that the user can compromise the security of the company by falling victim to phishing tactics or by acting in an inappropriate or negligent manner, regrettable situations that expose the organisation to cyber risk.
The Lessons - So what are the lessons we can learn from implementing an appropriate strategy for changing human behaviour in this area?
Well, the first is to recognise that changing culture in Information Security practices is no different from any other change management process within a company. It is as difficult as any other change management process, requiring significant effort and resources to make an impact. Another lesson is that quality matters. Too often, staff security training is a box-ticking exercise, with very little energy expended on planning or on content. The latter is one of the most important considerations in determining the success of a culture change initiative. Take e-Learning content, for example. The industry is awash with boring, bland, and often dumbed-down IT Security training courses. It is no wonder that there are cases of low staff participation that necessitate significant management intervention. E-Learning courses should reflect the digital threat that we all need to combat. Another key lesson is ensuring the correct targeting of high-risk groups. Rather than "blanket bombing" all staff with general cyber security communications and policies, organisations should identify high-risk staff groupings and provide tailored messaging and surveying. Examples of these staff groups would be privileged users, such as Administrators and Information Asset Owners. Clearly, the communications sent to these high-level positions would be more detailed than those sent to the overall user population.
In many cases, companies are struggling to get messaging out to everyone, so a shift in priorities is required. Be prepared for the long haul: changing IT Security culture is a multi-year project. It is not possible to deliver all the policies and education that are required in a short period, as the user base will become fatigued.
The best approach is to build up your communications over time. Planning, communication, implementation and measurement (to gauge progress and the Return on Investment, or ROI) are all very important elements of a successful staff security training programme. InfoSec Skills is here to help, with online Security Awareness training for staff, management reports on attendance and grades, and templated forms and documents to help plan, communicate, execute and measure change in behaviour.
Why should you attend?
Because Information Security is everyone's responsibility. Because cyber security threats have increased significantly. Because training is an ISO 27001 requirement (A.7.2.2 Information security awareness, education and training). Because it is your company policy.
No previous IT experience is necessary.