Since the majority of security breaches can be traced back to current employees, prevention relies heavily upon the proper cultivation of a risk-aware culture. But where do you start?
Most organizations provide security awareness training as part of their onboarding that begins and ends with a series of pass-fail computer-based training modules. Once an employee completes the assigned courses, they are deemed equipped to deal with whatever they may encounter in their daily work life.
“Once Is Enough” Is Not the Message You Want to Convey
While the time-and-cost efficiency of this approach is indisputable, the actual long-term impact of this once-is-enough approach falls short of the greater goal of a risk-aware culture. Fostering the desired enterprise-wide mindset is less about course curriculum and more about delivering a message strong enough to create a constant state of vigilance.
IT Security Awareness training is not only about communicating your organization’s IT policies and procedures. Nor is it about handing out a checklist of rules, regulations and legislation that apply to an employee’s role within the organization.
Creating a Culture of Guardianship
With an ever-evolving threat landscape, it’s not even about knowing the tricks of the trade. It’s about creating a sense of guardianship: by developing a culture that involves new and regular training and education – in combination with proper messaging throughout the organization – individuals begin to recognize their own role as a gatekeeper.
Here are 5 things your organization should consider in order to keep security top-of-mind:
- Change the Mindset
Transition your messaging to change the mindset from one of rote following of policies and procedures to one of constant vigilance. By collaborating and learning from security advisors, your training and education should be constant, dynamic and expected.
- Have a Compliance Code
While most organizations have a business code and a code of behaviour to distribute as part of the onboarding process, distribution of a security compliance code sets the expectation that all employees must maintain an awareness of current security protocols.
- Perform Routine Risk Assessments
By having a thorough look at your current security risks – identifying the things, situations, processes, etc. that may cause harm to the organization – you create a baseline that you can measure against. As they say, if you can’t measure it, you can’t manage it. Creating a regular routine around this process reinforces the message that nothing is static in the threat landscape and that you are measuring for improvements.
- Train in Regular, Shorter Intervals
The benefits of spaced learning have been widely studied and proven. An individual’s ability to recall what they’ve learned is the real measure of your training’s success. So rather than offering computer-based training that can be completed in one sitting – and relies on short-term memory – offer a blended learning approach that encourages true engagement with the curriculum.
- Embed Security Awareness Messages at Multiple Levels (ranging from top level management all the way to line workers)
While the channel it is conveyed through should be carefully customized to the target audience, embedding risk mitigation messages across your organization helps to strengthen the widespread acceptance of your new cultural norms. Guiding behaviour so that security awareness education becomes the “new normal” will reduce resistance by demonstrating its priority in the organization’s business model.