Originally posted via my column with CompTIA: https://certification.comptia.org/it-career-news/post/view/2019/05/06/cybersecurity-awareness-a-critical-piece-of-the-security-puzzle
In a digitally transformed workplace, there’s a tendency to focus on next-gen malware prevention, network monitoring tools and other high-tech solutions to stave off a cyberattack. But these aren’t always the most important methods of preventing security incidents – at least not on their own. It’s the more mundane things – the rules and best practices pertaining to people and processes – that are equally critical for an overall effective cybersecurity posture. The unfortunate truth is that we, the industry, just aren’t managing these pieces of the cybersecurity puzzle that well.
The reason for this mindset is multifaceted, but to do cybersecurity right, it needs to change. Cybersecurity awareness has to be promoted and adhered to both from the top down and the bottom up and embedded into the thought process of every employee. “Security is everyone’s responsibility” is an oft-heard industry truism, but how do we take such a principle of cyber-education and create a properly functioning awareness program?
In exploring exactly what this means, we can start to imagine a framework for cybersecurity awareness that everyone can live with; one that is minimally invasive in people’s workdays and highly effective in protecting data.
Cybersecurity from the Top Down…
There are a lot of simple steps we can take throughout the day that can help drastically reduce cyber-risk. That is, in part, what cybersecurity awareness is all about – removing the low-hanging fruit.
When criminals break into houses, they’re most likely to try entering through an unlocked door first because it requires the least amount of effort. Cybercriminals, likewise, will look for the easiest route into a network, and by doing our best to block off the easy entries, we’re going a long way toward reducing the possibility of a data breach.
While the C-suite, especially those in roles geared toward business objectives, brand attributes and the like, aren’t necessarily the ones to write the rules on cybersecurity awareness, they can certainly help everyone understand just how important this is – leading by example. After all, C-suites are there to be the standard bearers of a business’s values – its thoughtfulness and integrity – and proper cybersecurity awareness is a digital extension of that.
Taking it seriously from the top down demonstrates care for employees, care for customers and care for shareholders. Of course, cybersecurity protocols also should be structured correctly so they aren’t unnecessarily intrusive or irrelevant – for the C-suite or anyone else. Every extra step a person is asked to take for cybersecurity’s sake should be built on a solid justification that everyone can understand and appreciate.
…And the Bottom Up
From the bottom up, there’s an even bigger challenge.
Anyone can make a mistake. Some phishing emails are so pointed they’ll outmaneuver the most cautious recipient. And even the most cybersecurity-minded among us has bad days where we click through on something sketchy despite knowing better. When this happens, attempting to cover it up always makes things worse. It’s how small, easily cut-off data breaches turn into long-term, costly problems.
So, what does that mean? Anyone in an organization should be empowered to do the right thing if they screw up – if they click a bad link or drop the ball elsewhere – without fear of punishment or embarrassment. Cybersecurity awareness, in this respect, is synonymous not just with integrity, but with kindness, respect and a shared desire to protect assets rather than placing blame.
And bringing all of these things together is a CompTIA-certified IT team, who can explain the “why” behind cybersecurity awareness.
IT: Cybersecurity Awareness Gurus
It might not be immediately obvious, even to people in the upper echelons of the business, why security policies need to be adhered to at all times. That’s where having a CompTIA-certified IT department that’s not just skilled, but sociable, comes into play.
Being able to understand the reasoning behind the rules and communicate in a friendly manner goes a long way. For example, someone outside IT might say this:
“Isn’t it a little ridiculous that we’re expected to have our pass on just to walk from one end of the office to the other?”
Then, an informed IT person can politely reply:
“I see where you’re coming from, but just last week there was a data breach that originated when an unescorted visitor to an office got his hands on some documents lying on a desk.”
And politeness is key. Being able to handle these kinds of friendly conversations without seeming to talk down to people is a skill all its own, but a worthwhile one to have. Navigating this successfully turns IT from a department of “no” into a department of “this is why,” one that people are happy to work alongside.
Embedding Cybersecurity Education
One of the ways that businesses have attempted to grapple with the always-looming, ever-growing threat of a cybersecurity incident is with training. Oftentimes this takes the form of rather dry lectures on best practices that people attend, then forget. Sometimes there’s a follow-up self-guided quiz that people grind through in the last 15 minutes of the day. These well-meaning attempts at cybersecurity education, unfortunately, don’t quite do the trick.
The problem is that when employees are given a checkbox to tick, yearly or quarterly, their goal is to get through it as quickly as possible then forget it and move on to actually doing the work that’s in front of them. But the threat of a data breach isn’t a yearly thing or a quarterly thing – it’s omnipresent.
Forms of cybersecurity training and education that are not just more frequent, but more concrete in how they drive the point home, are revealing themselves to be one way to improve outcomes in cybersecurity awareness adherence.
War room-style scenario acting that demonstrates the real devastation of a data breach is one way. Cybersecurity-related reminders (featuring concrete examples of what can go wrong) embedded in the signage in a building are another.
Underpinned by information, reasons and context, cybersecurity awareness no longer looks like an arbitrary set of rules people are forced to adopt. That is the path to broad acceptance.
Making Cybersecurity a Habit
When we’re talking about good cybersecurity awareness, we’re talking about staff making cybersecurity a habit.
Habits like brushing our teeth and showering are so ingrained into our daily lives from an early age that forgetting to do them never enters the picture. Industry in general needs to turn cybersecurity awareness into this kind of habitual behavior.
If everyone from the top to the bottom of an organization makes cybersecurity awareness a habit (with sensible, engaging and unintrusive reminders constantly guiding them in the right direction), the easiest paths to a data breach will be closed off.
And at the center of this successfully cyber-aware workplace are CompTIA-certified IT pros, from the help desk to the C-suite. They understand why the best practices are in place, can communicate it to people throughout the organization and are always keeping an eye out for new ways to further embed teaching and training into the workday.