At Threat Stack, we develop security software, so it’s important to us that people have the technology they need to manage security issues in today’s business environment.
At the same time, we recognize the Human Factors. Even the best platforms are of limited value if employees don’t recognize or understand the multitude of security issues that surround them in the workplace; don’t understand security best practices; and don’t know how to respond when an incident occurs.
In previous posts, we’ve written about making every employee a security ambassador and talked about empowering them to participate in the process — but haven’t provided many specifics on how to do this.
So this post gives some practical guidance on how you can set up a Security Awareness Program in your organization. The goal is to stop treating security as a series of one-off events or activities that are handled by experts (often in reaction to incidents after they’ve taken place) and to create a proactive, pervasive culture where employees can recognize security risks and then take action on their own or escalate as appropriate.
The four “human factors” steps that we recommend are outlined below:
1. Create a Security “Handbook”
The goal is to create a body of information that employees know about and actually consult when they need information about a security issue. If you do it right, you’ll end up with a go-to reference that answers commonly asked questions and contains security-related standards, policies, and procedures.
Don’t wait until you have a “complete” guide before making it available, or you’ll never release anything. Start with what you have and add information as you go along. You can encourage employees to contribute material (as long as there’s a means to review and approve content for accuracy and appropriateness).
We recommend that you publish as an ebook or a wiki because these forms are much easier to update than a paper-based guide. If you decide on a wiki, it’s also easy for employees to submit content. Key to making the “handbook” accessible is building in good navigation and usability aids, with topic associations, links, and a thorough index.
The core content should include:
- FAQs: Provide information about the most important and most common security issues with links to detailed discussions.
- Best Practices for everyday activities: Include policies and / or best practices on topics such as passwords, software downloads and installs, use of personal devices, etc.
For example, if an employee is wondering how to go about downloading and installing a new piece of software, tell them how to make sure it’s a legitimate download, who to ask permission from if needed, and how to make sure that it’s set up properly on the network.
- Key Contacts: Include names and means of contacting members of your Critical Incident Response Team (CIRT), as well as guidance on when to contact (i.e., distinguish between critical and non-critical issues)
- Security-Related Policies and Procedures
2. Set Up Real-Time Communication Channels
The “handbook” is an evolving body of reference information, but you also need two-way tools such as Slack or HipChat so you can communicate in real time. We recommend setting up two channels: one for putting employees in touch with the people who can quickly answer security-related questions; and another dedicated to more urgent security issues that need to be escalated.
3. Hold In-Person Information Sessions
An employee “handbook” and communication channels are key parts of your Security Awareness infrastructure, but you need more dynamic and engaging ways of bringing important issues to your employees.
The average employee doesn’t want to sit through lectures on information security, but in-person, participatory sessions are a great way of sharing information and and building up communication and trust. At our company, we hold a weekly Lunch & Learn. They’re always heavily attended — partly because we offer a free lunch — but mostly, we believe, because of the value of the information that’s shared among the presenters and the attendees.
We cover a range of subjects, including the Human Factors that we mentioned at the beginning of this post. As appropriate, we hold blameless security post-mortems, which are a great way to talk about real-world security issues without putting anyone on the defensive.
You can also include a post-mortem about items in the news, talking through the way your organization would hypothetically handle the situation step-by-step. It might even help to run through a mock scenario to demonstrate this. The more real and engaging you can make it, the more likely your people will learn the lessons and apply them to their work.
The real value of these “in the round” information sessions is that they create a culture of open communication. Employees should never be afraid to approach the security team with questions, concerns, or mishaps. The more they know, the more observant they will be, and the better prepared they will be to either prevent security incidents or to respond when they do occur.
4. Create a Security Awareness Week
There’s a tendency for security — or anything else — to disappear into the background if you don’t make a conscious effort to bring it to life. So pull security out of the shadows and raise awareness throughout your company by establishing a company-wide Security Awareness Week.
During this week, you could send out daily tips that include helpful and actionable information (e.g., don’t store your passwords in Dropbox; always use the company VPN, etc.), and point out new trends in cybercrime, like the recent increase in ransomware. Talk about phishing emails, social engineering scams, why 2-factor authentication matters, and other relevant security issues.
Finally, hold a Security Q&A Reception — aka a party! — where employees bring their questions for the security team and get unbiased, nonjudgmental answers. This will help build the open culture that we talked about earlier.
OK. You get the idea. Make security a topic of conversation. Use your imagination, make it face to face, and make it fun.
Your organization is only as secure as its weakest employee, so security education matters. By creating a Security Awareness Program, you can lay down a great foundation for ongoing learning and communication without overburdening your employees with too much information. And if security becomes a part of everyone’s mindset, it’s reasonable to expect that your organization’s security posture will become stronger.
Make it as easy as possible for people to carry out their jobs securely, and leave the door open for questions and concerns. There’s no need to leave your organization vulnerable to the “I didn’t know better” insider threat. You have plenty of threats to worry about without counting your employees among them.
Finally, make sure the Awareness Program touches all points of your culture and all steps in the employee lifecycle, from onboarding to exit.