Information security professionals spend much of their time developing ways to prevent cyber attacks, but did you know that the majority of data breaches are caused by an employee misplacing, stealing or being tricked into handing over sensitive information?
These kinds of incidents are so prominent because organisations don’t place enough emphasis on security awareness programmes, which reduce the risk of human error and malicious insiders.
Indeed, a recent Lucy Security study found that, even though 96% of respondents agreed that cyber security awareness threats improved an organisation’s defences, comparatively few actually implemented such measures.
The researchers found that only 81% of respondents conducted phishing simulations, and only 51% had a mechanism to report suspicious emails.
These findings demonstrate that organisations’ problems aren’t to do with understanding what they must do but how to proceed. In other words, if you don’t already have a cyber security awareness programme, there is no process that enables you to perform tests such as phishing simulations.
That’s why organisations that are serious about cyber security should invest in an awareness programme that tackles their risks using a top-down approach.
By embedding a cyber security programme within your organisation, you’ll create a strong company culture and ensure that best practices are followed across the board.
This might sound like a complex endeavour, but it’s easier than it sounds – as we demonstrate in this blog, which looks at eight things you can do to get started.
1. Campaign launch
Grab employees’ attention with a memorable campaign launch that states your intention to address cyber security.
Announce it through multiple channels (such as in a meeting and by email) to make sure all your employees are aware of it and what it entails.
You don’t need to delve into specifics at this stage, but you should explain what the programme consists of and why it’s necessary.
Training courses are the backbone of any awareness programme, and e-learning is the ideal method.
It’s affordable, staff can take the course at a time that suits them and it gives you a reliable audit trail. That means you can see who has taken the course and, just as importantly, who hasn’t.
Visual reminders reinforce your company culture and serve as a continual reminder of your organisation’s commitment to information security.
Posters by themselves won’t generate significant improvements, but they provide essential supplementary support. Employees see them each day, reminding them of more in-depth advice that they learned in training courses, books and your information security policies.
4. Learning nudge
Nudge theory is a type of behavioural science that prompts individuals to independently make the ‘right’ decisions.
It works by replacing the traditional ‘push’ learning approach, where teachers provide answers and learners memorise them, with a ‘pull’ approach, which uses indirect suggestion and positive reinforcement.
The approach is intended to help employees rationalise why certain processes are necessary. It goes hand-in-hand with training courses (which remain the most time-effective way of imparting facts), helping employees follow effective information security practices habitually.
5. Awareness presentation
Presentations are an affordable and convenient option for organisations that want to control their own information messaging (as opposed to outsourcing it to a training provider), or that want to add details that are specific to their organisation.
6. Pocket guides
Nothing can replace the detail and convenience that you get from books and pocket guides. Staff can read them at their own pace, annotate them and refer to them whenever the need arises.
It’s probably too expensive to provide every employee with relevant guides, but they are ideal for managers and anyone who wants to learn more about certain topics.
7. Email signatures
As with posters, email signatures that highlight your awareness programme will give employees regular, subtle reminders of their security obligations.
8. Bespoke developments
As you develop your security awareness programme, you’ll realise that you can’t simply pick a framework and plug it into your organisation. Every organisation is unique, so you must account for your own specific requirements.
The first thing you must do is identify which information and cyber security topics apply to your organisation and build a training programme around those.
We recommend that you begin with Complete Staff Awareness E-learning Suite, which provides a cost-effective, flexible and efficient way of educating large numbers of people.
This package contains all eight of our e-learning programmes, including training courses on the GDPR, phishing and the risks associated with social media.
A version of this blog was originally published on 31 January 2019.