Don’t let a lack of staff awareness be your downfall

This is a guest post from IT Security Guru Editor, Dan Raywood.

You can spend thousands of pounds deploying the latest and greatest technology and ensure that your endpoints, perimeter and third-party partners are at the finest level of security, but the weakest link could be under your nose.

There have been many words written and surveys conducted about problem employees. Research by Kaspersky found that “providing information security training to employees” was rated as a security priority by 28 percent, while Ernst & Young found that “careless or unaware employees” was the number one vulnerability that companies face, with 38 percent of respondents saying it is their first priority.

Dealing with staff awareness

How do you deal with such an issue? A CISO I talked to this week said that in the first weeks of a recent job he spent his time working on awareness programmes as an ambassador of security for his company.

So, in that ambassadorial role, who should instruct the employee to act securely and what is the best method of training? There have been many tactics used, including posters, mouse mats and coffee mugs with subtle messages on them, but some of the better forms of awareness can be simpler in their delivery.

Security professional Thom Langford, who as part of the group Host Unknown will speak in a live IT Security Guru webcast on 26 November at 11am, said that the only way awareness training works is with small groups, as any large-scale roll out of education and awareness is “a box ticking exercise”.

“If you do it that way you do not captivate your audience at all, but if you speak to people in groups of 5-15 you get a better chance of it sticking,” he said.

“In any kind of organisation, it is virtually impossible and a challenge that will stick with us for a long time. Talking to a group of 1-20, you will be talking to them as individuals and content has a lot to do with it as you can bore one person or 2,000 people, but you have got like relevance, impact and some examples to draw on that people relate to.”

Humour is key

A key thing, Langford said, was humour. It doesn’t hurt to entertain your audience, and showing what they perceive to be ‘the IT guy’ being not only friendly, but also humorous, will resonate with them.

Posters are walked past and emails are unread and training clicked through, but people remember a presentation,” he said. “If they know you are there, they know to come and see you and that they are there for a reason.”

In his role at Barclays, Stephen Bonner led a number of successful awareness initiatives that not only produced results, but saw active interest from employees. He said: “If you address people in their own language they pay attention and respect that you have made the effort.”

Lance Spitzner, certified instructor at the SANS Institute, said that security incidents are often accidental, but he did not subscribe to the belief that this is something to be laughed off. He said that “humour can work in certain cultures and it is a great way to engage with people, but it can be a double-edged sword as different cultures work differently.”

He admitted that a tried and tested method is to use their home life as a good example, and see how they protect themselves in and out of the office. “We teach security as it helps the company, and we all use email and passwords at work, so say you were targeted at home, how protected are you? With that in mind you can get them to think about how they are at work.”

What works for some doesn’t work for others, and it really depends on factors like the culture of the business, the attitude of the management, the typical age and nature of the employee, and whether hand-outs or humour will work. If you can get some idea of what does work, then the next stage is to get the right person or material to deliver it.

You can train a great communicator to be a good IT person, but can you train a good IT person to be a great communicator?

Join IT Security Guru’s Dan Raywood for the live webcast “How not to be a failure at awareness and look good too” on Wednesday 26 November at 11am GMT, with Thom Langford, Andrew Agnes and Javvad Malik.