The why and how of effective security awareness

  • Geoffrey Schreiber
  • 5 May 2017

Nowadays, hardly a month goes by without news of a data breach at some firm. And these are not just small, unknown firms either; think of LinkedIn, Dropbox, Yahoo and so forth.

Hackers get smarter and smarter, data breaches happen more and more often, and companies invest more and more in their IT infrastructure to keep it hacker-proof. It all seems like a never-ending story (and not one of the good kind). Yet even with all those investments in fancy IT solutions like next-gen firewalls, state-of-the-art encryption, you name it, hackers seem to have no trouble at all stealing your precious data. Somewhere down the line, this doesn't add up...

However, one important factor hasn't been taken into the equation here: the human factor.
Solid information security rests on three pillars: technology, organization and people. The last of these is where a lot of expensive IT investments are being nullified. Everyone knows the proverb: a chain is only as strong as its weakest link. In this case, we can consider people to be the weakest link. Not all people, of course, just the unaware ones: unaware of the risks they face every time they browse the internet, open an email or click on a link.

Now that we have established the cause, we can start thinking about how to fix it. Changing people from a state of unawareness to being fully aware of all the risks they face in the digital world seems like a challenge. If we are looking for a way to tackle this challenge, probably the best way to do so is by providing an effective security awareness program.

Security awareness gives people the necessary carefulness in their behavior when dealing with company or personal assets. And that is exactly what we need. This shift in behavior is the essential goal of basically any awareness program. But how do we approach this in the most effective way?

Providing a four-hour training with nothing more than dull slides full of technical terms will probably not do the trick. To achieve its goal, it is important that the security awareness program is understandable for all employees and that the content actually sticks. Using real-life examples, avoiding jargon and involving the employees are just some of the ways this can be done.

Another aspect that should be taken into consideration is making sure employees have actually understood everything they have learned. It should come as no surprise that quizzing them is perfect for this purpose. One of the best ways to do this is to make them think about and apply the concepts and principles they have just learned. This not only makes them reflect on the freshly gained knowledge, it also gives them the chance to see how some simple things can have an enormous impact on the security of their company.

Last but not least, repetition is key in learning and maintaining any skill. The same applies to security awareness.
Make sure that your employees retain their sense of awareness and try to encourage their secure behavior. This can be done in several ways. One way is to re-enroll them in a periodic awareness program. Another is to regularly send infographics, newsletters or the like to remind them of what is expected of them in terms of accepted behavior.

The bottom line of all the above is that we, i.e. our company, our employees and so on, are at constant risk, and one way of mitigating this is by making people aware of the risks we face every day.