Cyber security G&T – Investing yourself in engagement and education

This isn’t about getting your staff drunk on tonic mixed with Hendrick’s, Bombay Sapphire or Beefeater (with or without ice and a slice); this is about putting a face to security and building knowledge and relationships through empathy and open interaction.

During a presentation at London BSides, I introduced the concept of a ‘give & take’ (a.k.a. G&T) session, while highlighting the need to improve communication with everyone in the business. The concept of security awareness is too often something for ‘them’ (indicated by a hand waved dismissively away from the technical and senior leadership teams): posters, online newsletters, mandatory computer-based doses of more or less engagingly presented rules, an ‘I’ve finished this’ compliance-friendly box ticked for staff coaxed, cajoled or disciplined into participating.

Beyond ‘Security is EVERYONE’s responsibility’ lip service

We don’t know that doesn’t work – we don’t check – but research into more general human learning and behaviour suggests it’s minimally effective. (For fun, perhaps try spotting your security awareness-raising techniques in this Science Daily article about changing unhealthy behaviours.)

People have to care, people have to retain, people have to recall and when they recall make (and keep making) a consciously secure choice – a choice that often feels awkward and frequently takes a little more effort than the insecure alternative … until it becomes a habit.

I’m arguably stating the bleeding obvious there, unless you’re solely thinking about ‘lusers’: folk at the faraway coalface who just get told about good passwords, clearing desks, care they should take with links in mails and what has to happen when they inevitably lose their pass, smartphone or laptop.

What about staff involved in change sign-off, procurement and strategic planning? Each of those has (or should have) a chunky security element, but how are those conversations and relationships at the moment? That’s what I mean when I say improving communication with everyone.

So, going back to the first thing on that ‘people have to’ list:

How do you help them to care?

A bit of give and take is a great way to start. Do you feel more inclined to help someone who has helped you? Do you feel more inclined to do so if you have built a rapport with that person based on shared understanding and interests? Do security staff often get out of the real or virtual basement (when there’s NOT an audit or incident) to talk to folk outside their usual circle of stakeholders? No? Not surprising. That’s what this kind of session might start to put right.

Ingredients for a G&T

  1. A brand: An accessible brand for security (logo, colours, strapline).
  2. A great space: Somewhere smack-bang in the middle of the office, or somewhere else with great daily footfall at the time chosen.
  3. Your people: All your security staff plus some IT support bodies.
  4. An invitation to:
    • Give you their security problems: Whether that’s problems at home (e.g. safe browsing for their kids, safe browsing for them, wireless security, mobile security) or problems at work (e.g. secure email options are a blockage, password rules are a pain, security audits are stopping them getting work done).
    • Take away solutions and advice: On-the-spot secure config and fixes for devices brought along, password cracking/generating/strength-checking tools to try. Printed advice followed up with emailed links to good guidance. Noting and following up on reported issues with internal processes and tools.
  5. A takeaway: Perhaps a link to some key security guidance, plus an entry code for a quiz based on content. The prize only on offer to those who attended.
  6. Follow-ups:
    • Get the person who engaged with an individual on the day to follow up with them.
    • Shout about the winners of any prizes.
    • Include an offer to run other sessions at team meetings or away days.
    • Include a list of FAQs from the session and links to related advice.
    • Pick likely evangelists out of the attendee list and follow up to build relationships.
    • Record proactive engagements following the event (e.g. related helpdesk calls or clicks on links shared).

Of course, not everyone has the time or inclination to get involved. Senior staff (like most of us) aren’t likely to want to shout about workarounds or knowledge gaps. In the latter case, VIP G&Ts are an option. One-on-one or one-on-two (having senior staff plus their executive assistants makes sense). In the former case, perhaps a G&T OD (on demand) would be appropriate – a mini session at a time that suits.

Far more than fluffy BS

Does it sound like fluffy BS? If so, that’s a dangerous headspace to occupy. If you think improving relationships within the business, putting a face to the function and giving people a reason to care doesn’t matter, you may be in the wrong job.

Yes, a G&T event is just one very practical idea. Far from a panacea. Instead, a potential part of what probably needs to be a three-to-five-year strategy. If you are honest, you know that’s what it takes to make any appreciable cultural difference. The ultimate aim? To minimise ignorance, accident and ‘what the heck (PG version)’ insider security risks.

Of course, when the generic ‘show-and-tell’ awareness work is done, there’s more than one type of residual people risk. When security tools, processes and relationships have been broken for a while, some hearts and minds will have a more deeply ingrained tendency to plump for perceived quick, cheap and easy. That’s as much the CXO who says JFDI to rush flawed software into production as the sales agent who reuses their work email address and password to get their grocery shopping done.

Then there’s the small subset of persistent risk. People who have a far bigger negative motivation than the positive one you can offer, which is a motivation often sought out and nurtured for some highly effective targeted social engineering. That needs yet another approach, most likely including technical behavioural analysis plus educated vigilance from staff.

In every case, activity is to complement technical monitoring and defence, not to replace it. That synergy, if properly implemented, can be more than the sum of its parts. All the moving parts of your business – flesh, blood, bytes and tin – pointing in a security-enhancing and business-objective-supporting direction…

…if you are up for the challenge.

Note: This blog entry was submitted by one of our guest bloggers. The author’s views are entirely her own and may not reflect the views of IT Governance.
