People, process, and technology all contribute equally to balanced information security in an organization. The weakest link? People – always people. In the current cybersecurity landscape, the root cause of data breaches is often a successful social engineering tactic – namely, phishing. The same organizations wading through the aftermath of breaches are often adept at conducting onboarding and annual training to address security awareness education. Some even take it a step further and conduct annual social engineering testing to evaluate the impact of their training. However, yearly education and testing are not enough. Organizations need to adopt a mature security awareness program that includes altering the culture of security awareness in the organization.
Creating a mature security awareness program involves two important steps: assessing the current program and designing a security awareness road map.
Program evaluation. Evaluate your program by reviewing current policies and procedures related to security awareness. Items to evaluate include training, quizzes, posters, mock phishing exercises, and annual security awareness tests. The assessment should identify any gaps that can be correlated to incidents within the last year. Ask yourself how many times users have inadvertently introduced malware into the environment by visiting a malicious website or attaching removable media to company machines. Did they notify IT, or was the malware found via detective technical controls? Understanding the root cause of your incidents can reveal potential program gaps.
Security awareness surveys. Conduct an employee security awareness survey to identify how employees perceive information security. The survey results will provide insight into employees’ security awareness in all of your departments. Additionally, the survey should help uncover trends in the departments or among user bases that are less aware of security issues. Moreover, the survey should identify security-minded “power users” who can become advocates of the security program described in the second step.
Risk-based approach to training. Training is an integral part of a security awareness program. When addressing employee training, an organization should create a risk-based approach to training. Employees who pose a higher risk for cybersecurity, either through business function or through lack of education, should be trained more frequently. For example, a large number of phishing scams involve sending emails with attachments of fake resumes to employees in a human resource department. The purported resume is actually ransomware and encrypts file-share contents. Through their business function, human resource employees are considered a high-risk department and should receive additional training above and beyond the norm.
Frequent security awareness communications. In addition to classroom training, employees should receive weekly or monthly newsletters or emails reminding them of information security risks. The message should be simple and straightforward. It should provide guidance or clarification such as the definition of “phishing” and cues to look for in an email, how to politely confront someone who looks unfamiliar in secure areas, and whom to contact in the event of suspicious activity at a workstation.
Training re-evaluation. The organization should re-evaluate training at six, nine, and 12 months after formal training through an employee security awareness survey.
Employee testing. A pivotal portion of the security awareness road map includes identifying its effectiveness through employee testing. Traditionally, after formal training occurs, employee testing should be conducted in the form of tests or quizzes. More effective testing includes conducting monthly or quarterly phishing simulations targeting every employee who has a company email address.
The goal of the simulated phishing exercise is to further educate your workforce. That said, I recommended that you inform your employees a month or so prior to conducting this type of testing to include them in the process. This type of testing will provide you with a baseline to better understand what types of ploys your employees fall for, what departments appear to have a high fail rate, and what user bases not only pass the simulation but also appropriately report the phishing email to IT.
Tracking the metrics over time can answer the question of whether security awareness is improving in your organization. The metrics also will allow you to start implementing corrective actions for those users who continually fail the simulated phishing exercises.
In addition to the simulated phishing exercises, conducting annual social engineering penetration tests is also recommended. This test should be conducted to identify to what extent an attacker could access your critical data in the event an employee clicked on a URL, opened a malicious document, or did not properly validate the identity of a visitor. It also tests the ability of your organization’s technical controls to identify and block the threats before they reach end users.
Security-minded culture. Changing the culture of your organization often starts with awareness and builds through education. Employees have to feel a part of the process and understand the importance of supporting the message. Organizations should incorporate branding or a theme to define the information security awareness program. That brand or theme should be a part of all security awareness communications including emails, posters, screen savers, and information fairs. Those security-minded employees, or power users, identified through surveys could act as advocates to help convey your message effectively.
I challenge you to take a fresh look at your security awareness program and start making some changes to alter the security awareness culture at your organization. Creating a new or building a more mature security awareness program will not happen overnight, but progress can be made by taking small steps in the right direction through a defined and customized road map.
In accordance with applicable professional standards, some firm services may not be available to attest clients.
© 2017 Crowe Horwath LLP, an independent member of Crowe Horwath International.
As of June 1, 2016, the professionals of AbleBridge have joined Crowe Horwath LLP, a public accounting, consulting, and technology firm. We continue our focus on Microsoft Dynamics® CRM (now Dynamics 365) sales and implementation as well as innovative add-on products.